MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebcd87682a64fc4d285a4ea0ff59ec860cfb6ba19c8d2e165b5fe69ca3adbbc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: ebcd87682a64fc4d285a4ea0ff59ec860cfb6ba19c8d2e165b5fe69ca3adbbc5
SHA3-384 hash: 8372ecf7aa374a3527299ae6765a96e29b1809961d38becf4f9aac269ef0d66b53adfda9b9997d0eeae74d490b98b282
SHA1 hash: e119ea982571e06ac9690254b103efcb999691e7
MD5 hash: bcdbdc5537d5e526534bde333cec9859
humanhash: early-friend-berlin-autumn
File name: bcdbdc5537d5e526534bde333cec9859.exe
Signature: RedLineStealer
File size: 404'992 bytes
First seen: 2022-01-20 06:52:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 140966036910a5f510e2a5a7cba50e06 (14 x RedLineStealer)
ssdeep: 6144:bQRLpc2YP6u2pxdgtN5XEe8q9WKjgzoEQlTn:0u2YP5cWP6e/CoHN
Threatray: 4'455 similar samples on MalwareBazaar
TLSH: T1B684E0327580D433C4865A308466CFA01ABDBC712A6D4643F3AC3B6DAF626F1657A71F
dhash icon: fcfcb4b4b4dcd9c1 (2 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.9.20.111:1355

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.9.20.111:1355
ThreatFox Reference: https://threatfox.abuse.ch/ioc/303028/

Intelligence


File Origin
# of uploads: 1
# of downloads: 180
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Threat name: Win32.Ransomware.Stop
Status: Malicious
First seen: 2022-01-20 06:52:11 UTC
File Type: PE (Exe)
Extracted files: 32
AV detection: 26 of 28 (92.86%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery persistence spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Checks installed software on the system
Reads user/profile data of web browsers
Sets service image path in registry
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 53550ff7f5f4415af3921403ceb61516ed96de9977b3bddeb98e2806fa0c51d3
MD5 hash: bffe2ad5060544e3f91895046563058e
SHA1 hash: 9aef75c0ba7544f75ed8de564119e00f27b6c296

SHA256 hash: 7b263dd91a3b5cfd0b23d7278b311554302594ce315d3f3ecce76c50b7dc9996
MD5 hash: 18310af34dea96c7dbfb0e130dce9c4d
SHA1 hash: 58edb207e594c33cf34e773c8fcdf70e4e1dcdb1

SHA256 hash: 3007bd9c3d3738268faa22379b815987f1f36c716620b27a460561a8c3b4b416
MD5 hash: 5ac2f4bce675ade1eb5ff3366018b0d0
SHA1 hash: 40b2fbc94f331ba0aabb1f05b077f486eff29b00

SHA256 hash: ebcd87682a64fc4d285a4ea0ff59ec860cfb6ba19c8d2e165b5fe69ca3adbbc5
MD5 hash: bcdbdc5537d5e526534bde333cec9859
SHA1 hash: e119ea982571e06ac9690254b103efcb999691e7
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe ebcd87682a64fc4d285a4ea0ff59ec860cfb6ba19c8d2e165b5fe69ca3adbbc5 (this sample)

Delivery method: Distributed via web download

Comments