MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb1fc46e8940fa7c36a9f0307613fb58cd82ede90e93f8fc501d88739517394a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 7 File information Comments

SHA256 hash:	eb1fc46e8940fa7c36a9f0307613fb58cd82ede90e93f8fc501d88739517394a
SHA3-384 hash:	a1407e2e2eb1c0df6e2a7a4dc2196d8c8d2e13b14a9a91ffcc33c6596f062db82c1389a615711bb91f81dd1f1720c4dd
SHA1 hash:	8b39540e3b246cd6d815a8a622720c1858d07bc2
MD5 hash:	4759de2a40d7d8220cf7470499dd7689
humanhash:	bakerloo-network-spring-five
File name:	4759de2a40d7d8220cf7470499dd7689.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	470'256 bytes
First seen:	2022-06-25 16:36:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	6144:tsE2zv9+c5iuAX0ZrY9JK6KS53KXyHUgExhlNvA+PeLGLaqS9NMiGGy6CqJQrryz:6QghZrY+6v5xHUfxxpC4aDUGy6Lsu
Threatray	7'848 similar samples on MalwareBazaar
TLSH	T183A49D2BF2914F45C6951C7AA897C0944BD29B4A23B3E71EDE67016B2F633E04C16FE1
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Anglicise
Issuer:	Anglicise
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-06-15T21:00:00Z
Valid to:	2032-06-22T21:00:00Z
Serial number:	5e438ea640bcd7bf464e11f287d6b5ac
Thumbprint Algorithm:	SHA256
Thumbprint:	68b777f016d73a49fdb34e0777fd5d3f6700eb0b718209104a042cc3087b30d9
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RedLineStealer C2:
216.218.133.119:53219

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
216.218.133.119:53219	https://threatfox.abuse.ch/ioc/728270/

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/283263/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Sending an HTTP POST request

Creating a file in the %temp% directory

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Sending a custom TCP request

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cerbu packed

Link:

https://www.filescan.io/uploads/62b739eb666084d7254dae46/reports/99ce6be8-9ad6-4551-9ccd-d2410a243286/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4c74cc1b-5a81-478f-b403-b968edef9dc7

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1019794

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eb1fc46e8940fa7c36a9f0307613fb58cd82ede90e93f8fc501d88739517394a/

Threat name:

ByteCode-MSIL.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-06-24 15:21:38 UTC

File Type:

PE (.Net Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5mp4i3ujid5hynvj6ayhme73ldgyf3pjb2j7r7cqdwehhfixhffa._file

Verdict:

malicious

RedLineStealer

4490fb2f92041ef1652aa683759460168ccddc6c729067a8c40855bccff010ac

RedLineStealer

6329380d049a1006574b29113c573e42a68cb017ed28e6d885a7ccd459a691b2

RedLineStealer

ad597a0fd61b58ce729ade161c683bc6bc97774219df430489a95b92126f1427

RedLineStealer

e26fe6535f9ec57538d49515fdf98b1a925fa26dd28040a96a5bc1c94a691975

RedLineStealer

fe3d7939166e8e6ae965d66d98f6ee5583e535b575ba194aef038c6c1ea15ae4

RedLineStealer

+ 7'838 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:k0623c discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220625-t4shhaehg8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

216.218.133.119:53219

Unpacked files

SH256 hash:

dea06043f24d74804a5acd7996e7e7ae8b98bfc4ca2c1825d8ee3975dc8b274a

MD5 hash:

04c4e9245f1ed8b270ee0e0792d2b87d

SHA1 hash:

f28e50f8d2df3489245c02024009c5f12967d18d

Link:

https://www.unpac.me/results/c5e0e72d-2519-43c9-a7da-e359aad2ba1c/

SH256 hash:

eb1fc46e8940fa7c36a9f0307613fb58cd82ede90e93f8fc501d88739517394a

MD5 hash:

4759de2a40d7d8220cf7470499dd7689

SHA1 hash:

8b39540e3b246cd6d815a8a622720c1858d07bc2

Link:

https://www.unpac.me/results/c5e0e72d-2519-43c9-a7da-e359aad2ba1c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eb1fc46e8940fa7c36a9f0307613fb58cd82ede90e93f8fc501d88739517394a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/283263/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample