MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea51e33db045191976e76dd44df190ee1bb70885ece09a3ea3ec5ddde21d6fa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea51e33db045191976e76dd44df190ee1bb70885ece09a3ea3ec5ddde21d6fa9
SHA3-384 hash: 6b2b92009af853d67f297a86731d87c39eb8c5897122e5956efb4e3f675fe2c7253cbb4513d8aa0f0fc77af6f07a16f1
SHA1 hash: a025fe6d00e4793226f2b63ec2bf735685816e0e
MD5 hash: 47fea11d088bc58cd13a1859ef6d4d26
humanhash: mockingbird-vegan-michigan-winner
File name:47fea11d088bc58cd13a1859ef6d4d26.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'187'840 bytes
First seen:2022-10-28 10:15:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f9dd8a0feaf4fa9fd20d4d8ea4827100 (17 x RedLineStealer, 2 x ArkeiStealer)
ssdeep 24576:phBxVaYJY1ghfEMr9WYRZhnIPOiZ72M/0Bwxj:7BxMLOlYj
Threatray 824 similar samples on MalwareBazaar
TLSH T1DE456B29FB0725B4DA275371895FEA7B9B147A148032EE7FFF8BDA08B4330123845665
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://195.201.253.169/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://195.201.253.169/ https://threatfox.abuse.ch/ioc/878075/

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
47fea11d088bc58cd13a1859ef6d4d26.exe
Verdict:
Malicious activity
Analysis date:
2022-10-28 10:17:35 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/38b3f9e0-d76e-4ed9-bbc7-19dca19db5cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325488/
Detection(s):
Win.Packed.Babar-9976150-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46322/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/635babe5736e9d884f0d7129/reports/2f54f6b3-5945-4742-98bd-f9ef8f3f0639/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aded538b-b3b7-42ba-9afe-8cb7a7888b9c
Result
Threat name:
Laplas Clipper, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1100300
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 732960 Sample: a7sbIsZgQU.exe Startdate: 28/10/2022 Architecture: WINDOWS Score: 100 102 clipper.guru 2->102 136 Snort IDS alert for network traffic 2->136 138 Multi AV Scanner detection for domain / URL 2->138 140 Malicious sample detected (through community Yara rule) 2->140 142 7 other signatures 2->142 11 a7sbIsZgQU.exe 1 2->11         started        14 svcupdater.exe 2->14         started        16 chrome.exe 2->16         started        18 chrome.exe 2->18         started        signatures3 process4 signatures5 152 Writes to foreign memory regions 11->152 154 Allocates memory in foreign processes 11->154 156 Injects a PE file into a foreign processes 11->156 20 vbc.exe 15 10 11->20         started        25 WerFault.exe 23 9 11->25         started        27 conhost.exe 11->27         started        29 WerFault.exe 11->29         started        158 Machine Learning detection for dropped file 14->158 process6 dnsIp7 108 79.137.192.7, 39946, 49709 PSKSET-ASRU Russian Federation 20->108 110 45.138.74.59, 49710, 80 HOSTGLOBALPLUS-ASRU Russian Federation 20->110 112 gitcdn.link 104.21.234.84, 49711, 49712, 80 CLOUDFLARENETUS United States 20->112 80 C:\Users\user\AppData\Local\...\ofg.exe, PE32 20->80 dropped 82 C:\Users\user\AppData\...\joftInstall.exe, PE32 20->82 dropped 84 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 20->84 dropped 86 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 20->86 dropped 144 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->144 146 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->146 148 Tries to harvest and steal browser information (history, passwords, etc) 20->148 150 Tries to steal Crypto Currency Wallets 20->150 31 chrome.exe 20->31         started        35 joftInstall.exe 20->35         started        38 brave.exe 20->38         started        40 ofg.exe 20->40         started        88 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->88 dropped file8 signatures9 process10 dnsIp11 90 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 31->90 dropped 118 Antivirus detection for dropped file 31->118 120 Detected unpacking (changes PE section rights) 31->120 122 Machine Learning detection for dropped file 31->122 134 7 other signatures 31->134 42 GoogleUpdate.exe 31->42         started        46 powershell.exe 31->46         started        48 schtasks.exe 31->48         started        50 schtasks.exe 31->50         started        104 t.me 149.154.167.99 TELEGRAMRU United Kingdom 35->104 106 195.201.253.169 HETZNER-ASDE Germany 35->106 92 C:\ProgramData\sqlite3.dll, PE32 35->92 dropped 124 Detected unpacking (overwrites its own PE header) 35->124 126 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->126 128 Tries to harvest and steal browser information (history, passwords, etc) 35->128 130 Tries to steal Crypto Currency Wallets 35->130 52 cmd.exe 35->52         started        94 C:\Users\user\AppData\...\Letteruser.dll, PE32 38->94 dropped 96 C:\Users\user\AppData\...ntityFramework.dll, PE32 38->96 dropped 98 C:\Users\...ntityFramework.SqlServer.dll, PE32 38->98 dropped 132 Multi AV Scanner detection for dropped file 38->132 100 C:\Users\user\AppData\...\svcupdater.exe, PE32 40->100 dropped 54 cmd.exe 40->54         started        file12 signatures13 process14 dnsIp15 114 api.peer2profit.com 172.66.43.60 CLOUDFLARENETUS United States 42->114 116 162.19.175.139 CENTURYLINK-US-LEGACY-QWESTUS United States 42->116 160 Detected unpacking (changes PE section rights) 42->160 162 Detected unpacking (overwrites its own PE header) 42->162 164 Uses netsh to modify the Windows network and firewall settings 42->164 166 Modifies the windows firewall 42->166 56 netsh.exe 42->56         started        58 netsh.exe 42->58         started        60 netsh.exe 42->60         started        62 conhost.exe 46->62         started        64 conhost.exe 48->64         started        66 conhost.exe 50->66         started        72 2 other processes 52->72 68 conhost.exe 54->68         started        70 schtasks.exe 54->70         started        signatures16 process17 process18 74 conhost.exe 56->74         started        76 conhost.exe 58->76         started        78 conhost.exe 60->78         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea51e33db045191976e76dd44df190ee1bb70885ece09a3ea3ec5ddde21d6fa9/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 12:38:57 UTC
File Type:
PE (Exe)
AV detection:
28 of 41 (68.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ji6gpnqiumrs5xhnxke34mq5yn3ocef5tqjupvd5ro53yq5n6uq._file
Verdict:
malicious
Similar samples:
1adc68849d784b9530292b7187f492aa1d798d89a099a9eb8105fdfc9edaf2a0
RedLineStealer
1d9dd4ae9d1ba20dbf36549110c16150525122f3aa7fdd390c66b7a6bfb752e4
RedLineStealer
334fb1c3def58d304673a7be8b63399d481bc45a8c33567003c09784efd16ebd
RedLineStealer
6c56b6a178c64adef96a65fab45b58a7378b17262420a31addd0ec239e12e7c7
RedLineStealer
6da9ec8ffe3cc51e53b82fc3975ee1b70cb1ac97a58455d4a132576bb82f3095
RedLineStealer
a334fa92fab1199f16a272b0f2f63465750f98bed946d23f8f7ae498206ca553
RedLineStealer
ac4bd1987b6a72732c2590c7a44f63f63bfa7617ef7f86d8975175b67db4fb30
RedLineStealer
aecee48e77885753fef3b48411fd1093f2f3da937ef0dab744530bbf452586ef
RedLineStealer
+ 814 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 discovery evasion infostealer persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/221028-masg3sfgcm/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies WinLogon for persistence
RedLine
RedLine payload
Vidar
Malware Config
C2 Extraction:
79.137.192.7:39946
https://t.me/slivetalks
https://c.im/@xinibin420
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7a9bbf44-7499-4fd5-8c18-061f267fdc16
Unpacked files
SH256 hash:
65c8f932754bd029532af1ed908f5f461c838e4d35b75210a0ab88148418c4fa
MD5 hash:
5b6ef0aef626a7d8153079893b3839d7
SHA1 hash:
ee112f457137fe8a1461ce07a2bc9ec3eb52934d
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/80ab06d8-20d9-41b7-8b3f-7cc075972e73/
SH256 hash:
ea51e33db045191976e76dd44df190ee1bb70885ece09a3ea3ec5ddde21d6fa9
MD5 hash:
47fea11d088bc58cd13a1859ef6d4d26
SHA1 hash:
a025fe6d00e4793226f2b63ec2bf735685816e0e
Link:
https://www.unpac.me/results/80ab06d8-20d9-41b7-8b3f-7cc075972e73/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea51e33db045191976e76dd44df190ee1bb70885ece09a3ea3ec5ddde21d6fa9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/325488/

Comments