MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e98c050b61c789e9c98cb600f7b8620d77efec27af6cba570df397ea834811db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: e98c050b61c789e9c98cb600f7b8620d77efec27af6cba570df397ea834811db
SHA3-384 hash: 301107946b146282b7421f3190a4a6cf3f3d17f2da8d4f24d29708b19e17f50bd83c153056cfc09aa0f2f1d9905add00
SHA1 hash: eec32e5fd47bbbda289c88d66d8f98acd0473ef2
MD5 hash: c7e4802420ad7ba68c721469774a699a
humanhash: pasta-stairway-louisiana-mango
File name: c7e4802420ad7ba68c721469774a699a.exe
Signature: RedLineStealer
File size: 227'840 bytes
First seen: 2021-09-25 08:42:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 47bd1659724c857851ce24d0b21faf34 (4 x RedLineStealer, 1 x Formbook, 1 x RaccoonStealer)
ssdeep: 6144:nsZry0Xk5DXWvP5W2lLZCZ6T8xEG4QKNoFK:nsZrdXk5ivP42RZCZ6T8xEGOoFK
Threatray: 2'482 similar samples on MalwareBazaar
TLSH: T1EB24DF217EAD9032E2E385B58B74D7921A7FB9633F70474F2644069ADF31790BA26313
dhash icon: 480c1c4c4f590914 (3 x RedLineStealer, 1 x CoinMiner, 1 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch:
RedLineStealer C2:
185.215.113.15:6043

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
185.215.113.15:6043 | https://threatfox.abuse.ch/ioc/226451/

Intelligence


File Origin
# of uploads: 1
# of downloads: 98
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a1e5e863988147a745d2b29faa257389.exe
Verdict: Malicious activity
Analysis date: 2021-09-24 07:52:33 UTC
Tags: trojan loader opendir evasion stealer rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100

Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Trojan.RaccoonStealer
Status: Malicious
First seen: 2021-09-23 23:46:49 UTC
AV detection: 23 of 27 (85.19%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:mix24.09 discovery infostealer spyware stealer

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload

Malware Config
C2 Extraction: 185.215.113.15:6043
Unpacked files

SHA256 hash: 218719d39c9032feaf90c26e8be7ff32d1bddc67e570d5a509dc1fcf5a32bd81
MD5 hash: 93ea2a9e233dc6a232dcdbb46d62b633
SHA1 hash: bf7be74fe38f4e545209a649ef09b5ec7ee33368

SHA256 hash: fae1b1a71ecfa9734579e48f60c1af84eaaa737e1ba3d6637e9ba93ff9849db8
MD5 hash: 50dc13fd0f15adfd627e1ddfe433ccc0
SHA1 hash: 40e55e92477ef06c37fae2ee2bbe6c02e39276d4

SHA256 hash: fdffc940d6fa970a734bfaeca497cdd3f527006739f2f881e3dd6bdd3db8c62c
MD5 hash: 07cd7141c5ebb7f17c9d81ccbc14b81e
SHA1 hash: 1568aa76366c82882c9a389543af34a5c6053d2e

SHA256 hash: e98c050b61c789e9c98cb600f7b8620d77efec27af6cba570df397ea834811db
MD5 hash: c7e4802420ad7ba68c721469774a699a
SHA1 hash: eec32e5fd47bbbda289c88d66d8f98acd0473ef2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Sample: RedLineStealer, Executable exe e98c050b61c789e9c98cb600f7b8620d77efec27af6cba570df397ea834811db (this sample)
