MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec89e6f035a54f607b71d0163b31215daa288768ca09ac9c548e6ebb20e6b718. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 2 File information Comments

SHA256 hash:	ec89e6f035a54f607b71d0163b31215daa288768ca09ac9c548e6ebb20e6b718
SHA3-384 hash:	9cd5a8db0ad4dbad70d28a2738ea689afd83f2b4442f6ec74e8654d0742eae32ad62523b1260663b9fc29522f8d4966f
SHA1 hash:	daf49e41997126eb45637dd218cbba124fc9f0a6
MD5 hash:	ffe8c859839fb177d83d9b51242edbba
humanhash:	social-robert-north-iowa
File name:	ec89e6f035a54f607b71d0163b31215daa288768ca09a.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	206'000 bytes
First seen:	2021-07-12 14:45:55 UTC
Last seen:	2021-07-12 15:48:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:NISC+JkDbqW7NVIpg7xX3LWyssHXqVIdFv8IwD/I/pAR4uLhMDQv:NISCPb57wpg7R3Km3qkvD+/IhWaQ
Threatray	575 similar samples on MalwareBazaar
TLSH	T107145AA936E48C15E54DA234480541989BB1EE10BE1ACEF264B3F37D0F77799AF2064F
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.153.198.53:57843

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.153.198.53:57843	https://threatfox.abuse.ch/ioc/159777/

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ec89e6f035a54f607b71d0163b31215daa288768ca09a.exe

Verdict:

Malicious activity

Analysis date:

2021-07-12 14:46:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3bddc603-19e4-4a09-afa1-2f85b038f632

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/171146/

Detection(s):

SecuriteInfo.com.generic.ml.3081.8976.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a532bdc0-f0e9-42fd-bc77-410089bccf2f

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/814965

Signature

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec89e6f035a54f607b71d0163b31215daa288768ca09ac9c548e6ebb20e6b718/

Threat name:

ByteCode-MSIL.Infostealer.Reline

Status:

Malicious

First seen:

2021-07-12 12:29:39 UTC

AV detection:

9 of 29 (31.03%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5se6n4bvuvhwa63r2aldwmjblwvcrb3izie2zhcurzxlwihgw4ma._file

Verdict:

malicious

RedLineStealer

2ff7ffce923329f55bc637371e54822d6ceee9962c807ccc42e3301e0a8a2cae

RedLineStealer

42c48bc8af4b573d98584c21653f30dc4d15688aa25e1e9e02d8390628a0009f

RedLineStealer

43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb

RedLineStealer

5dcc0ea73807e7a626071a33956272addd1dbcdc377866b537dcb059c8fc3976

RedLineStealer

6c529300665e2cfd74a5375533e6b7e9c4cf4eda074c1578683d0094edb6ef94

RedLineStealer

76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93

RedLineStealer

8499855ac05ebde1d6709eba64fc1a4615108b06823794173dce5a86db6975fb

RedLineStealer

bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034

RedLineStealer

d22d7ec3a9db9edb88cd373986a8aee46fc90bcb1339b147880301351d5ee522

RedLineStealer

+ 565 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:test discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210712-hbmx2t57ys/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.153.198.53:57843

Unpacked files

SH256 hash:

845507ce2a1c74d6c4e009d43376e2432683543a91d39242ae48955fc8aecc54

MD5 hash:

a223c6743594b442bef678c6c64a510c

SHA1 hash:

bb886db306a26f3fd386dd238a78853a19d329cd

Link:

https://www.unpac.me/results/8c503e54-ef77-4fef-962c-cb549d85961d/

SH256 hash:

798e1daac34a78d32ce3850bc655a711a318523b3facf73e539c393474edd03c

MD5 hash:

ea7f3874b7e2ad880214095f2d6ae646

SHA1 hash:

5e4eed29c3ff7cf99e054622be9545b70344513d

Link:

https://www.unpac.me/results/8c503e54-ef77-4fef-962c-cb549d85961d/

SH256 hash:

ec89e6f035a54f607b71d0163b31215daa288768ca09ac9c548e6ebb20e6b718

MD5 hash:

ffe8c859839fb177d83d9b51242edbba

SHA1 hash:

daf49e41997126eb45637dd218cbba124fc9f0a6

Link:

https://www.unpac.me/results/8c503e54-ef77-4fef-962c-cb549d85961d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ec89e6f035a54f607b71d0163b31215daa288768ca09ac9c548e6ebb20e6b718

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171146/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample