MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eab950649609ab0244036d15ab52595a707bf5e7e27b4b1ad26d430dbbbe91a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eab950649609ab0244036d15ab52595a707bf5e7e27b4b1ad26d430dbbbe91a2
SHA3-384 hash: 9270f4195d70c368723249f53718487d85cd5918ac1329495b95468ac39e564912a49388f45a8c3b0ff462f2b1e149e3
SHA1 hash: dd16ef7ad886c16be5fc28a9ea19e389d1ebde20
MD5 hash: f0cdfc42f1c1c0c2d9b518e5cb31c788
humanhash: fruit-sierra-speaker-sink
File name:eab950649609ab0244036d15ab52595a707bf5e7e27b4.dll
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:205'824 bytes
First seen:2022-07-08 08:20:41 UTC
Last seen:2022-07-10 10:53:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3728b01969fadc3f90c364a57a6c06df (1 x RedLineStealer)
ssdeep 3072:enDlob7/Z21F2Q2Ip/F3m3EN7URuR3V/bfVezxBD76wYeVj:eyXk/2QD/F3UEdQc37ixh7
Threatray 11 similar samples on MalwareBazaar
TLSH T1D3144916B65628BDD46FC07483538A62BA317C860B35BEFF12E065353E69BE02B3C754
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:dll exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.17.0.63:34397

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.17.0.63:34397 https://threatfox.abuse.ch/ioc/817264/

Intelligence

File Origin
# of uploads :
3
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.UDS.Trojan.Win32.Badur.6708.16072.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/24526/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug greyware packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/62c7e8f411764e36f821c308/reports/75326458-271d-46a3-a210-8cc0e6f8df03/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3cb8f277-617c-46db-83c8-b20c8316a4f9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1027047
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Powershell adding suspicious path to exclusion list
Suspicious powershell command line found
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 659540 Sample: eab950649609ab0244036d15ab5... Startdate: 08/07/2022 Architecture: WINDOWS Score: 92 82 Antivirus detection for URL or domain 2->82 84 Sigma detected: Powershell adding suspicious path to exclusion list 2->84 86 Yara detected RedLine Stealer 2->86 9 loaddll64.exe 1 2->9         started        process3 signatures4 94 Suspicious powershell command line found 9->94 96 Adds a directory exclusion to Windows Defender 9->96 12 rundll32.exe 9->12         started        15 rundll32.exe 9->15         started        17 rundll32.exe 9->17         started        19 6 other processes 9->19 process5 signatures6 98 Suspicious powershell command line found 12->98 100 Adds a directory exclusion to Windows Defender 12->100 21 powershell.exe 8 12->21         started        24 powershell.exe 8 12->24         started        32 2 other processes 12->32 35 6 other processes 15->35 26 powershell.exe 17->26         started        37 5 other processes 17->37 28 rundll32.exe 19->28         started        30 powershell.exe 19->30         started        39 6 other processes 19->39 process7 dnsIp8 88 Powershell drops PE file 21->88 41 2 other processes 21->41 43 3 other processes 24->43 47 2 other processes 26->47 90 Suspicious powershell command line found 28->90 92 Adds a directory exclusion to Windows Defender 28->92 49 4 other processes 28->49 52 2 other processes 30->52 72 192.168.2.1 unknown unknown 32->72 54 2 other processes 32->54 56 7 other processes 35->56 58 5 other processes 37->58 60 6 other processes 39->60 signatures9 process10 dnsIp11 74 185.17.0.52, 49756, 49757, 49758 SUPERSERVERSDATACENTERRU Russian Federation 43->74 70 C:\Users\user\AppData\Local\...\msconfig.exe, PE32 43->70 dropped 76 Suspicious powershell command line found 49->76 78 Adds a directory exclusion to Windows Defender 49->78 62 powershell.exe 22 49->62         started        64 conhost.exe 49->64         started        66 conhost.exe 49->66         started        68 3 other processes 49->68 80 Multi AV Scanner detection for dropped file 56->80 file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eab950649609ab0244036d15ab52595a707bf5e7e27b4b1ad26d430dbbbe91a2/
Threat name:
Win64.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-07-06 06:51:45 UTC
File Type:
PE+ (Dll)
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5k4vazewbgvqeradnuk2wuszljyhx5ph4j5uwgwsnvbq3o56sgra._file
Verdict:
unknown
Similar samples:
15a290552f9cdc38b18e6c0babe7fdd52ff8abfa73ff823220fa994e7f023dc0
RedLineStealer
26cb76e67add724d7771d12ffc701a4806c71dc436ff7d6ed0288e899dfd0d9b
RedLineStealer
6a4ebf513f996bd7198c711bef936a989fea148c235817ea56c1e2afafa927f5
RedLineStealer
a5ffa7adbe927a72bdea5ffd6b16e0814456dc863e6a9836fe92cc128b42378c
RedLineStealer
a94d284a103182e298778742bd01e1522d8bb182e12e8248cee97fe8ef6687b8
RedLineStealer
c261f0485413423ba3ec19f237f3f65edaf79f7fba874ddf46a80bceb7a0f0da
RedLineStealer
ef29e4b32e6de86c5892e2f6d9e1029a49aef283298c81859e95fdc2c049804e
RedLineStealer
f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3
RedLineStealer
+ 1 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey suricata trojan
Link:
https://tria.ge/reports/220708-j8zr9sbbb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Downloads MZ/PE file
Amadey
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
authymysexy.info/5Lsq3FR/index.php
teamfighttacticstools.info/5Lsq3FR/index.php
nftmatrixed.info/5Lsq3FR/index.php
Unpacked files
SH256 hash:
eab950649609ab0244036d15ab52595a707bf5e7e27b4b1ad26d430dbbbe91a2
MD5 hash:
f0cdfc42f1c1c0c2d9b518e5cb31c788
SHA1 hash:
dd16ef7ad886c16be5fc28a9ea19e389d1ebde20
Link:
https://www.unpac.me/results/58a21ee4-1100-4118-b94c-c11c1603a9b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eab950649609ab0244036d15ab52595a707bf5e7e27b4b1ad26d430dbbbe91a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Emotet
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Emotet
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe eab950649609ab0244036d15ab52595a707bf5e7e27b4b1ad26d430dbbbe91a2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2255293/
  
Delivery method
Distributed via web download

Comments