MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb05e3acd443e4138a6f57216d47e1572b363e03a285fbb078904be77ef69046. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb05e3acd443e4138a6f57216d47e1572b363e03a285fbb078904be77ef69046
SHA3-384 hash: dd4a6db61c8c049f93fd5630dd1001c03566520ad60bbf8cdca4193a3581bf43653a066f9944f5fc5363d215959b4146
SHA1 hash: 402dfef6fd5828bb448fbd092c796f109012b35f
MD5 hash: d1301a840a1eecfe0187553ff124afb3
humanhash: september-avocado-four-bravo
File name:eb05e3acd443e4138a6f57216d47e1572b363e03a285f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'766'668 bytes
First seen:2023-05-02 21:35:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/SGqKoKic6QL3E2vVsjECUAQT45deRV9Rr:sBuZrEU3yKIy029s4C1eH9J
Threatray 178 similar samples on MalwareBazaar
TLSH T13F85CF3FF268A13EC56E1B3245739220997BBA61B81A8C1E07FC344DCF765601E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
135.181.7.171:81

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eb05e3acd443e4138a6f57216d47e1572b363e03a285f.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-02 21:37:14 UTC
Tags:
installer
Link:
https://app.any.run/tasks/926a4306-2bd0-42b2-ba8e-98a97739e69b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/386163/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30446.26901.22460.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82253/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/64518243a020199dc647b354/reports/b1b3ebc1-887d-4064-9281-7668e7dbb534/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1254054
Link:
https://www.hybrid-analysis.com/sample/eb05e3acd443e4138a6f57216d47e1572b363e03a285fbb078904be77ef69046
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bace0fad-a812-480e-ae52-0dd3b2c5b31c
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
34 / 100
Link:
https://www.joesandbox.com/analysis/1225006
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Obfuscated command line found
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb05e3acd443e4138a6f57216d47e1572b363e03a285fbb078904be77ef69046/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-02 21:36:09 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mc6hlguipsbhctpk4qw2r7bk4vtmpqdukc7xmdysbf6o7xwsbda._file
Verdict:
unknown
Similar samples:
345a58b6a943b3a9235473232e3b07d8259a4a852b6b81c73412bef8a404a2f8
RedLineStealer
3500abcc8f0c8af8f665b03f8bab9c712fe8b4a073ea1f35618e68c7b7075794
RedLineStealer
af7d9d69a2dfbcedc5d2e94cdb681a8ac5356131486129a4ba505a3dc6f2411e
RedLineStealer
b715f22a9e37049d09b06c26ca899c4be3c6c21386f70d6d357b3bd481ee1794
RedLineStealer
ba8e9358ed6bf5b3f2a976850ed3fdccd00ceee0f50a09008b7a957c7c8e2415
RedLineStealer
cbe9dedc91d7a886adf9f3f8a3b01d525279fd935616f10a5eb08f64882f0654
RedLineStealer
ccc6693d703b68b3bd0e697cbff8f1f59cb4b5aed29da770d8000f3dc61917c1
RedLineStealer
+ 168 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230502-1fwnksed7t/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/3bf5d292-8d18-4c7c-9999-2e92fff44af0/
SH256 hash:
23cbb13a6bf16c00a80589b2fe56d9b08c59d000ad5f301326d23f98152fd11a
MD5 hash:
6a75234b28e5c25022c5ce73e7a865d8
SHA1 hash:
f50ec5d10c7ebcb43296a971d91ee23654d66b1f
Link:
https://www.unpac.me/results/3bf5d292-8d18-4c7c-9999-2e92fff44af0/
SH256 hash:
eb05e3acd443e4138a6f57216d47e1572b363e03a285fbb078904be77ef69046
MD5 hash:
d1301a840a1eecfe0187553ff124afb3
SHA1 hash:
402dfef6fd5828bb448fbd092c796f109012b35f
Link:
https://www.unpac.me/results/3bf5d292-8d18-4c7c-9999-2e92fff44af0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb05e3acd443e4138a6f57216d47e1572b363e03a285fbb078904be77ef69046

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/386163/

Comments