MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea6331c91a2d000a52fdc46b32dcc7417141bac3e4f04eaf5d8459e176d93d13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

SHA256 hash: ea6331c91a2d000a52fdc46b32dcc7417141bac3e4f04eaf5d8459e176d93d13
SHA3-384 hash: 73e4ea0c5397d0a07ee46803d207a0e1bb8030d478932f29d14fb6b345c2d0dd4d5257bcf4910bf6b6c6510425e2637d
SHA1 hash: 511a6b5630c83d9d8f2345609ca060cfd4891096
MD5 hash: 01db6ba8346e38e35f81418c54ce716d
humanhash: four-item-romeo-timing
File name: 01db6ba8346e38e35f81418c54ce716d.exe
Signature: RedLineStealer
File size: 417'280 bytes
First seen: 2022-02-07 11:11:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b8b949414a1cbbc9af7d834ae8be805f (11 x RedLineStealer, 5 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep: 12288:gwbu3YatYbL/W0dK/lGRgOUqmq9kR6lhKXvlmSFtdVl/lnX0J:gwa3/SrDK/cRgOnmq9g6GmSFtflE
Threatray: 4'441 similar samples on MalwareBazaar
TLSH: T19C94231D27CBB257D29DBBB264B1FB4F1B9CF18334C19B405B84B66FF8089247A0511A
Reporter: abuse_ch
Tags: exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
5.206.227.107:11552  https://threatfox.abuse.ch/ioc/382080/

Intelligence

File Origin
# of uploads: 1
# of downloads: 83
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-02-07 11:12:12 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 18 of 28 (64.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 0d15c8e85097ae4f25cce2bddd8f7b5bb796c3ccab79d3b9bbd4ccee8f902b66
MD5 hash: b205aa78411047e9a2115ae08014e26f
SHA1 hash: 91aed2645e9d9a627a42586e80e317f750b4608b

SHA256 hash: ea6331c91a2d000a52fdc46b32dcc7417141bac3e4f04eaf5d8459e176d93d13
MD5 hash: 01db6ba8346e38e35f81418c54ce716d
SHA1 hash: 511a6b5630c83d9d8f2345609ca060cfd4891096
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments