MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec9a85cb98030eb18ec8d2025f808c6227c29d77d6dc9c0901b1a9e0a2e31a89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	ec9a85cb98030eb18ec8d2025f808c6227c29d77d6dc9c0901b1a9e0a2e31a89
SHA3-384 hash:	4e68ba2b0e9c5af7f95fbc18b302bedf70dc0873ad84558873c5cada130dfe975b6904a8faf3108bddb9e2bc93d5c94c
SHA1 hash:	d0ce92ac0bab80e68b80d0ebd4b1e20c18565469
MD5 hash:	2d4e15eb87da57d317231e8c2ce2dfd0
humanhash:	burger-oregon-mockingbird-comet
File name:	virussign.com_2d4e15eb87da57d317231e8c2ce2dfd0
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'512'041 bytes
First seen:	2022-07-15 14:34:39 UTC
Last seen:	2024-07-24 22:42:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	726a22f55cf9e91b15fd25cd9f82556f (17 x RedLineStealer, 2 x ArkeiStealer, 1 x PhoenixStealer)
ssdeep	24576:n93jaYPY0pzxxBMbYxOHKxWwBK3hSa/oz8dIEm1PLAz8RI6l3RuQ553131:n93r1aAF8dIEm1PRl3L
TLSH	T16EC509135ACB1E75DDD23BB4A1CB633AA734FD30CA2A9B7FB608C43559532C4681A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	KdssSupport
Tags:	exe RedLineStealer

KdssSupport

Uploaded with API

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/289668/

Detection(s):

Win.Keylogger.Fragtor-9954829-0

Win.Trojan.Fragtor-9954833-0

Win.Trojan.Fragtor-9954838-0

Win.Trojan.Redlinestealer-9955168-0

Win.Trojan.Fragtor-9955199-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/25373/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug overlay packed spyeye

Link:

https://www.filescan.io/uploads/62d17b348dab2096b99ee95b/reports/0ccd9979-1fba-4002-8ec6-acad314240cd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a1b46ecc-f922-4de1-a9d9-bcce1924ddaa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec9a85cb98030eb18ec8d2025f808c6227c29d77d6dc9c0901b1a9e0a2e31a89/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-07-05 21:35:33 UTC

File Type:

PE (Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5snils4yamhlddwi2ibf7aemmit4fhlx23ojycibwgu6bixddkeq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer spyware

Link:

https://tria.ge/reports/220715-rx3nsacdcp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

45.155.204.124:23180

Unpacked files

SH256 hash:

439720746b106741df669e5cd2c7099fecb9c8a69da74802972a66217015d71a

MD5 hash:

7deec2fc2597515f1b5c91485b2a7116

SHA1 hash:

8b7edcaf54a871587560d0d24d20b55255c25e6d

Link:

https://www.unpac.me/results/ae899588-ce01-4825-9a34-dff3df39f95a/

SH256 hash:

ec9a85cb98030eb18ec8d2025f808c6227c29d77d6dc9c0901b1a9e0a2e31a89

MD5 hash:

2d4e15eb87da57d317231e8c2ce2dfd0

SHA1 hash:

d0ce92ac0bab80e68b80d0ebd4b1e20c18565469

Link:

https://www.unpac.me/results/ae899588-ce01-4825-9a34-dff3df39f95a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ec9a85cb98030eb18ec8d2025f808c6227c29d77d6dc9c0901b1a9e0a2e31a89

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe ec9a85cb98030eb18ec8d2025f808c6227c29d77d6dc9c0901b1a9e0a2e31a89

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/289668/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample