MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a
SHA3-384 hash: 6ae8a7878a27d0d0f84b5def2af8dd1d3e8b65dd8d316d476c97879cdbbc7d6722abe5337c1c658d556fef1c7c401bd4
SHA1 hash: 4384db8526b9a0eb3a5d4ba7c3663d5bf771b407
MD5 hash: 765838fce6098a23f07a04a448faa7c4
humanhash: seventeen-lactose-tennessee-jersey
File name:EE08608492383853C0CF59E355F9721F413D83F18D3E4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'539'202 bytes
First seen:2022-10-24 16:00:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1797ab721d550312b93ab992a1e04176 (32 x RedLineStealer, 7 x ErbiumStealer, 1 x PandaStealer)
ssdeep 24576:M1zaE1YcYeldbgwMaKlI6XuT+tyeOhEiyQU9Lr2PLjSrEkiuWNemQ+l3RuQ5531n:MaGL+Q0QU9Lr2Pw7+l3R
TLSH T1BEC50903AACB0E75DDD23BB4618B533BA734ED30CA2A9B7FF609C53559532C4681A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
EE08608492383853C0CF59E355F9721F413D83F18D3E4.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 16:02:39 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/75c88cfd-8cc9-4bc7-875b-0ef69501bf10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323490/
Detection(s):
Win.Dropper.Babar-9966130-0
Create hunting rule

Win.Packed.Babar-9966141-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45061/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84cf4e0b-1663-458d-8256-f10147534561
Result
Threat name:
DarkTortilla, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096721
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DarkTortilla Crypter
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 729359 Sample: EE08608492383853C0CF59E355F... Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 99 goback.delivery 2->99 115 Snort IDS alert for network traffic 2->115 117 Multi AV Scanner detection for domain / URL 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 14 other signatures 2->121 11 EE08608492383853C0CF59E355F9721F413D83F18D3E4.exe 1 2->11         started        14 chrome.exe 2->14         started        16 chrome.exe 2->16         started        signatures3 process4 signatures5 167 Contains functionality to inject code into remote processes 11->167 169 Writes to foreign memory regions 11->169 171 Allocates memory in foreign processes 11->171 173 Injects a PE file into a foreign processes 11->173 18 AppLaunch.exe 15 10 11->18         started        23 conhost.exe 11->23         started        process6 dnsIp7 101 62.204.41.141, 24758, 49707 TNNET-ASTNNetOyMainnetworkFI United Kingdom 18->101 103 adigitalshop.com 151.106.122.215, 443, 49708 PLUSSERVER-ASN1DE Germany 18->103 105 3 other IPs or domains 18->105 83 C:\Users\user\AppData\Local\Temp\start.exe, PE32+ 18->83 dropped 85 C:\Users\user\AppData\Local\Temp\777.exe, PE32 18->85 dropped 87 C:\Users\user\AppData\Local\...\test.exe, PE32 18->87 dropped 89 2 other malicious files 18->89 dropped 123 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->123 125 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->125 127 Tries to harvest and steal browser information (history, passwords, etc) 18->127 129 Tries to steal Crypto Currency Wallets 18->129 25 chrome.exe 18->25         started        29 brave.exe 18->29         started        31 test.exe 1 18->31         started        33 2 other processes 18->33 file8 signatures9 process10 dnsIp11 91 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 25->91 dropped 149 Multi AV Scanner detection for dropped file 25->149 151 Detected unpacking (changes PE section rights) 25->151 153 Machine Learning detection for dropped file 25->153 165 3 other signatures 25->165 36 GoogleUpdate.exe 25->36         started        40 powershell.exe 25->40         started        53 2 other processes 25->53 93 C:\Users\user\AppData\Local\Temp\BC0.tmp, PE32+ 29->93 dropped 95 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 29->95 dropped 155 Adds a directory exclusion to Windows Defender 29->155 42 cmd.exe 29->42         started        44 cmd.exe 29->44         started        46 powershell.exe 29->46         started        48 powershell.exe 29->48         started        157 Writes to foreign memory regions 31->157 159 Allocates memory in foreign processes 31->159 161 Injects a PE file into a foreign processes 31->161 50 vbc.exe 31->50         started        55 2 other processes 31->55 97 www.google.com 142.250.185.196, 443, 49713 GOOGLEUS United States 33->97 163 Antivirus detection for dropped file 33->163 file12 signatures13 process14 dnsIp15 107 141.95.93.189, 443, 49715, 49717 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 36->107 109 api.peer2profit.com 172.66.43.60, 443, 49714, 49716 CLOUDFLARENETUS United States 36->109 131 Detected unpacking (changes PE section rights) 36->131 133 Detected unpacking (creates a PE file in dynamic memory) 36->133 135 Detected unpacking (overwrites its own PE header) 36->135 147 2 other signatures 36->147 57 netsh.exe 36->57         started        59 netsh.exe 36->59         started        61 netsh.exe 36->61         started        63 conhost.exe 40->63         started        137 Uses cmd line tools excessively to alter registry or file data 42->137 139 Uses powercfg.exe to modify the power settings 42->139 141 Modifies power options to not sleep / hibernate 42->141 69 9 other processes 42->69 71 5 other processes 44->71 65 conhost.exe 46->65         started        67 conhost.exe 48->67         started        111 t.me 149.154.167.99, 443, 49738 TELEGRAMRU United Kingdom 50->111 113 78.47.204.168, 49752, 80 HETZNER-ASDE Germany 50->113 81 C:\ProgramData\sqlite3.dll, PE32 50->81 dropped 143 Tries to harvest and steal browser information (history, passwords, etc) 50->143 145 DLL side loading technique detected 50->145 73 2 other processes 53->73 file16 signatures17 process18 process19 75 conhost.exe 57->75         started        77 conhost.exe 59->77         started        79 conhost.exe 61->79         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-30 07:26:00 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5yegbbesha4fhqgplhrvl6lsd5at3a7rru7eulbuj5nzaqd4v5fa._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer spyware stealer upx
Link:
https://tria.ge/reports/221024-tf7yaahef9/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
62.204.41.141:24758
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
afb14acdd64ccbd9a754fb073de096a353446e947a19e0ebfab7c3ce4376c09a
MD5 hash:
de3d3eddc317e2d736a36bd111cc2d0e
SHA1 hash:
f52a1620500598ba4363e4f2525174330e5218c0
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/bcd232b9-9902-4a3d-9dd7-06e31f3e81ab/
SH256 hash:
ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a
MD5 hash:
765838fce6098a23f07a04a448faa7c4
SHA1 hash:
4384db8526b9a0eb3a5d4ba7c3663d5bf771b407
Link:
https://www.unpac.me/results/bcd232b9-9902-4a3d-9dd7-06e31f3e81ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_win_generic
Create hunting rule
Author:_kphi
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323490/

Comments