MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb906b5a888917578d28f266077ffbf650fd5be52b86bde3eafbadfa38a29d37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

SHA256 hash: eb906b5a888917578d28f266077ffbf650fd5be52b86bde3eafbadfa38a29d37
SHA3-384 hash: 66572a8dd61f9148e3ddeec460fac6a2867a0e38929915111f01c65aa7b22b6d6f1fa9da1e4f714ec930a789e6847eea
SHA1 hash: 248d61a69159fa9345efaab613b996fe351ef7d9
MD5 hash: 1b40311882959d78f78ed791776c2916
humanhash: asparagus-fillet-timing-lamp
File name: 1b40311882959d78f78ed791776c2916.exe
Signature: RedLineStealer
File size: 400'896 bytes
First seen: 2022-09-03 09:05:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 854d9d7dc9eafeac5c1c13a6bab263b2 (8 x RedLineStealer, 4 x Smoke Loader)
ssdeep: 6144:CsoOuSxOBL1Q4rR41WJa9W29c2X8A3DpygFulf:CpjT41Lz9LX8Alyp
TLSH: T15F84012339F0D032C197547544B4FBA1667AB4722A31498F37AC2BAE5F306D1A77A327
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.173.38.193:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 185.173.38.193:80
ThreatFox Reference: https://threatfox.abuse.ch/ioc/847480/

Intelligence


File Origin
# of uploads: 1
# of downloads: 421
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 1b40311882959d78f78ed791776c2916.exe
Verdict: Malicious activity
Analysis date: 2022-09-03 09:05:57 UTC
Tags: trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: AsyncRAT, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AsyncRAT
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-09-03 01:57:31 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:twick discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction: trustedwicky.com:80
Unpacked files
SHA256 hash: 7a16345c6e274828e178caec76d585ddc78b34183a74f84932dc8a0df550e268
MD5 hash: 9b7c1e93a4ee412dc91be4649c0b3d6e
SHA1 hash: 9e10b3453d253ee332d22e3dba3dc7f31d67ef7b
Detections: redline
Parent samples:
d86b58b1f89ce520035d9e88ccea2b4970ae7db7346bedd8317f03b4f2050f7e
51ce050ec66597300ff961139dab2abc9cb5348cf275696a39c5886e0b6fc5e5
4a6049e6de1d7de6e6c0d161e5ab6a176a8b1a11a9721f9fd9d63838fef5c74a
fe5834a2aa5f28f0376efeb45429c010a1d6366bf050b7c18fbbb0b4d6b43481
7d03927f45c63053987c30bf6d97a76caebe911f74e43f70ded76f9152c5822a
2db89e88a102f12c5cfb4461367873df2b13b86ac40a0be742cf242934d2a8a4
ea4be78e52fa24922f39ca1b4d8f4f8e7404a23772795f383108a0b0a0222895
eb906b5a888917578d28f266077ffbf650fd5be52b86bde3eafbadfa38a29d37
bbee99aaf8f3ca2de2bba1f06f3e28d575eedea2a45c937a15a0bfd0527d7055
febeda5fb81c061a437226e0fda9dcd638a5072c658391005e15872df45b54e5
346901c9261b0370213dffd8fa6fff7059bc18c25bbde946f719d4aa01eb5836
67667646094e5b11c14024e8166a2c5d886e36e239948857efb5a25b28f56fcd
7f6fd9c407a66994d1f6ba421efd3db0d93192697ae121ff60aef42ce55d784b
d54ea4b1eb7deebeeba9c49fbc8d89ba4fd1dab364e763df267c5816eb360001
760ae13e5932d1b7d919c9cfb6f1bfe04ad8ede002c32df88a2f0c9351fec9f8
1669c3d6840415926e728047acf0d65c480f5e0a6d1d29949d132ea7150e17af
f5c997104a3ce96c7331e8301bdfefebeabce8232a168cd8c67243d8d96f893c
9b259ec3a437b5e08ca516b3d53855712c1ca6d90faaf0bebfde16d5e8abef3c
04930e90c4a7907f5ec414e46ebad33472cacd105c7353651e65ee6d2bde62e4
8b2af94f8cae9584369aa02d3dc1550be4297b6c6fdfd959b51ea0563a0ff79d
fd182dfc99b5055afee5c281a511c9b8c5716af9767a9e78e9eec90e0edeb1da
8ab68f303ee17c11fe89c662019d816f1326751f2b3f902ca33c9fccae67c469
dee281401432f47dcfc1150d6427b87c7111885b8747d3ce306d8b91d0184832
7e267701b49da697a35ecde1e2d72b67e38ff0c30d0b5afb9ead0f453e931d62
21c5f77bfbc542e75028606b987e5e6416910e6524c393cf0166dc586a1d00f4
e0b71019ee4946e670a9774bb11800749b83ab9330e966d223d03c43b12b08f6
c7e6f33ef6015f109574556fd649eb1737b7240d7cf75e4b9b10e79f72ff6123
bcae63856b1766f554ffa2b915eaf6ba7c65846ae0d050e7ef752b84249d0b01
022fd79a45c762f316b480cb4c2d5789a37a13888dbf37a3d63dee123d53314e
SHA256 hash: ac91af7e37b45589458be5646d4dea5fde8fc84bdddb1453959e07be0ecebe5e
MD5 hash: e0808b5ae883e5564b6797de49361aa3
SHA1 hash: 5a23186fa0eca6c0b13acd9513a0b1537051ecef
Detections: redline
SHA256 hash: 0335b65fc6dcb1a376bd81b19bf6ec054728dad9411b2f78be0ae807fb32f217
MD5 hash: ccb58db24fb5af8c8788450f8dcbe0e3
SHA1 hash: 1a489d3a9ae0ec20592a674f04c43be307451d0b
SHA256 hash: eb906b5a888917578d28f266077ffbf650fd5be52b86bde3eafbadfa38a29d37
MD5 hash: 1b40311882959d78f78ed791776c2916
SHA1 hash: 248d61a69159fa9345efaab613b996fe351ef7d9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe eb906b5a888917578d28f266077ffbf650fd5be52b86bde3eafbadfa38a29d37 (this sample)

Delivery method: Distributed via web download

Comments