MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677
SHA3-384 hash: 3873a67f6cdded06ceb18c5fcce3a7b1db6eee6eeda479413f91d88f71e93764f2f9704cf6b46e1c08ed05da00bc7226
SHA1 hash: a51f002e800d652c14b2de10a63bbb80d276a33b
MD5 hash: 66e3c71bcd364eb5cf19cb820683ef0c
humanhash: wolfram-whiskey-equal-minnesota
File name:mixfive_20211216-221155
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:94'872 bytes
First seen:2021-12-17 09:14:26 UTC
Last seen:2021-12-17 10:58:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 1536:C/T2X/jN2vxZz0DTHUpouMJbKxE+1COGa5Cq1IpBN+mzFGFDGBXTgpMu:CbG7N2kDTHUpouMJbKPCOHPKpjZcFiBm
Threatray 8'252 similar samples on MalwareBazaar
TLSH T1FF93E060A764D467D4F2423029769B3B9FFAD82522B49F4703102F2C7D63BD2E61E762
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter benkow_
Tags:exe GuLoader RedLineStealer signed

Code Signing Certificate

Organisation:HOOSIERS
Issuer:HOOSIERS
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-16T20:40:48Z
Valid to:2022-12-16T20:40:48Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 615a16ae963f927807d331acbc53376a766ea5dd3b6c976eb920b62f562afd5b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
397
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214755/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.9912.14674.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2360/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61bc55426daa353fa3b773fa/reports/3c52bebb-69a7-4180-a303-854a029c8fdf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/66bfc06d-6aea-451d-82e4-de4e85510b97
Result
Threat name:
GuLoader RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908973
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected GuLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677/
Threat name:
Win32.Trojan.Shelsy
Create hunting rule
Status:
Malicious
First seen:
2021-12-17 09:28:18 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
83abc3d26ce461e8fbedade06fb4cdc677e24696cca810303ff44f51c53d71e0
RedLineStealer
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
RedLineStealer
ab2261ddf24d2524a3ffe99044fac988f6178be9bc78d28cd5db289c414c3a4f
RedLineStealer
ace7e59fa80a108d4f3fd0a56a99f03d17e56ec2c756092aa65b910352f59921
RedLineStealer
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
RedLineStealer
de2346e7683a4ed34d62a2954a38949335e6c1b27085a1cc82c08b0c6aec514e
RedLineStealer
+ 8'242 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:redline botnet:private_1 discovery downloader infostealer spyware stealer suricata
Link:
https://tria.ge/reports/211217-k739qsebcq/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
RedLine
RedLine Payload
suricata: ET MALWARE Generic .bin download from Dotted Quad
Malware Config
C2 Extraction:
194.26.229.202:18758
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/736813e8-36ed-4bb7-9c78-6e5ec5be9269/
SH256 hash:
ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677
MD5 hash:
66e3c71bcd364eb5cf19cb820683ef0c
SHA1 hash:
a51f002e800d652c14b2de10a63bbb80d276a33b
Link:
https://www.unpac.me/results/736813e8-36ed-4bb7-9c78-6e5ec5be9269/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
GCleaner
Cape
Cape
https://www.capesandbox.com/analysis/214755/

Comments