MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb57afa354c464f74e950d4d08ad672a0e242693dcd4f9ac58b5402d5ed649a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 6 File information Comments

SHA256 hash:	eb57afa354c464f74e950d4d08ad672a0e242693dcd4f9ac58b5402d5ed649a4
SHA3-384 hash:	1ee4e6d1de1f58e5579c59fe65bf1adc150e530433da9a608d58a3539de0fc3c8e913167bb02e5c9a3e737e6d91c59de
SHA1 hash:	92dd72036bb7b51d9e0e3d1784a12bda13dfb75e
MD5 hash:	f228e716ce479fb59bc1d9464fcfde77
humanhash:	princess-kitten-seven-uncle
File name:	92dd72036bb7b51d9e0e3d1784a12bda13dfb75e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	115'928 bytes
First seen:	2021-10-22 19:02:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	1536:Rcvdb0ap1a15LoJ4tRk8lHRtbMuP6dgkvyTFd8jGDLzGEWZNQ:RWd/p1/oRk8pR9Odg0ypOInBQNQ
Threatray	2'223 similar samples on MalwareBazaar
TLSH	T1C3B32B1863DC9B29E2BD0B75B8B0622543F0F0C76822E7DF9FC164DE1E257819915AF2
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
138.124.186.121:45760

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
138.124.186.121:45760	https://threatfox.abuse.ch/ioc/226883/

Intelligence

File Origin

# of uploads :

# of downloads :

412

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/199511/

Detection(s):

Win.Packed.Generickdz-9885340-0

Win.Packed.Bulz-9891195-0

Win.Packed.Filerepmalware-9900630-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

hacktool obfuscated overlay packed stealer

Link:

https://www.filescan.io/uploads/61730ae89a5a1e91c5d010c2/reports/6a5c6b99-7b71-44d3-b03d-a1cc167b121f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8e930840-f1dc-4f48-a3ab-a149122f719a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/875412

Signature

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/eb57afa354c464f74e950d4d08ad672a0e242693dcd4f9ac58b5402d5ed649a4/

Threat name:

ByteCode-MSIL.Infostealer.RedLine

Status:

Malicious

First seen:

2021-10-06 23:44:59 UTC

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5nl27i2uyrspotuvbvgqrllhfihcijut3tkptlcywvac2xwwjgsa._file

Verdict:

malicious

RedLineStealer

732ba56b4b4044d7356b745db037e41fafe74dd8610e29c5b8c811a18936c09a

RedLineStealer

7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28

RedLineStealer

bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c

RedLineStealer

d183e9e83ebe8b007903366768884e5ddfd40136f2cd436575e9f251a0f92b93

RedLineStealer

ed8513c6110eb76682b8d8f69d3f181e1ee9092478390088d958b572709a44dd

RedLineStealer

+ 2'213 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@l_like_a_sir_l

Link:

https://tria.ge/reports/211022-xqcfxacae8/

Malware Config

C2 Extraction:

138.124.186.121:45760

Unpacked files

SH256 hash:

eb57afa354c464f74e950d4d08ad672a0e242693dcd4f9ac58b5402d5ed649a4

MD5 hash:

f228e716ce479fb59bc1d9464fcfde77

SHA1 hash:

92dd72036bb7b51d9e0e3d1784a12bda13dfb75e

Link:

https://www.unpac.me/results/0c1d8ae9-f995-4d8d-aa3c-6ed060e50ca5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eb57afa354c464f74e950d4d08ad672a0e242693dcd4f9ac58b5402d5ed649a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/199511/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample