MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee3a537e93bb22332bf7e3f8d9286870208f7fd75ce60ce91ae23f87901b22eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee3a537e93bb22332bf7e3f8d9286870208f7fd75ce60ce91ae23f87901b22eb
SHA3-384 hash: 06db02557c71ff01e3ca0295845a311f29b4d1307dee1cff9f471eec9a29383888e67a62d534b0ed51849682e5891f38
SHA1 hash: dc3b43cfeb6ba3d97413fa45155feb7df5676a7f
MD5 hash: ee74831e90dea12bd4639e69a530e412
humanhash: saturn-cup-hamper-alanine
File name:ee74831e90dea12bd4639e69a530e412.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:65'024 bytes
First seen:2021-10-02 15:55:39 UTC
Last seen:2021-10-02 17:24:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 768:vNgs4QNwjE/gJVCzCLUz2LdBZoEFvKhWQLXOh3vFn89tjBXvw7FVswKbGtpNqkxW:vv4Fj4g2zGUz2ZBiEI+ne9BeT/4GZf
Threatray 80 similar samples on MalwareBazaar
TLSH T1CF53B577416150BAC5481330F8B51F0B7ABCD6341A80B698F04FA6EAEC1D68D9EF8779
File icon (PE):PE icon
dhash icon 4ccd9252f6661095 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ee74831e90dea12bd4639e69a530e412.exe
Verdict:
Malicious activity
Analysis date:
2021-10-02 15:58:58 UTC
Tags:
stealer evasion
Link:
https://app.any.run/tasks/15a6d7fe-279d-4595-bb7b-bc02f0ce2c24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194213/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.5090.2279.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c438841c-4aea-407b-be98-a9d13a436e25
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/863221
Signature
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495649 Sample: HaY7IcV34L.exe Startdate: 02/10/2021 Architecture: WINDOWS Score: 96 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected RedLine Stealer 2->50 52 Machine Learning detection for sample 2->52 54 2 other signatures 2->54 7 HaY7IcV34L.exe 16 5 2->7         started        12 WinHoster.exe 2 2->12         started        14 WinHoster.exe 2 2->14         started        process3 dnsIp4 36 iplogger.org 88.99.66.31, 443, 49761, 49762 HETZNER-ASDE Germany 7->36 38 oldbeacholdcake.com 172.67.143.244, 443, 49752, 49754 CLOUDFLARENETUS United States 7->38 30 C:\Users\user\AppData\Roaming\7079604.scr, PE32 7->30 dropped 32 C:\Users\user\AppData\Roaming\6442494.scr, PE32 7->32 dropped 60 May check the online IP address of the machine 7->60 62 Drops PE files with a suspicious file extension 7->62 16 6442494.scr 1 4 7->16         started        20 7079604.scr 14 24 7->20         started        file5 signatures6 process7 dnsIp8 28 C:\Users\user\AppData\...\WinHoster.exe, PE32 16->28 dropped 40 Multi AV Scanner detection for dropped file 16->40 42 Machine Learning detection for dropped file 16->42 23 WinHoster.exe 2 16->23         started        34 newbestpewpewcompany.com 172.67.130.64, 443, 49760 CLOUDFLARENETUS United States 20->34 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->44 46 Tries to harvest and steal browser information (history, passwords, etc) 20->46 26 conhost.exe 20->26         started        file9 signatures10 process11 signatures12 56 Multi AV Scanner detection for dropped file 23->56 58 Machine Learning detection for dropped file 23->58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee3a537e93bb22332bf7e3f8d9286870208f7fd75ce60ce91ae23f87901b22eb/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 14:31:38 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0f2a2c10ccdece91433063d992b2a24a316db4e1f8d2dc8f6c532fe48e0e1946
RedLineStealer
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
RedLineStealer
3da8fe1015271b37d118f7e35569efabc9565031c4b23e0f7e6cc5319ffb2087
RedLineStealer
48f9b4bc2bf75c03449857ff0d6b47c35ab97ed8ba444890ccdd4128d9ae1027
RedLineStealer
84233ce927b293c6d092695bef42d0ab5dc55f53b76d0818ae574486bafb7b98
RedLineStealer
a0ef424407ec036182e8c88177b6178d6eaa04f2ec01026016df1660034aadca
RedLineStealer
a550b01785417d0c802740cb128aa26d4415414458b87877b634bed5c2694ad5
RedLineStealer
b94115f5638021ccf653c3de4c947632560d95d967d64b7b84860e813a8f692a
RedLineStealer
c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d
RedLineStealer
faf12b61374c5f5dff73afa0f1b4084561118358e77ddd44632ba7f40a37ad38
RedLineStealer
+ 70 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/211002-tdcpcsefbn/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
e3e27772822eff57f8e6ee651d0e4dc7d48144aa730ff4e40fb6a8f776d3eb51
MD5 hash:
e6ab0b76fd5748fcbae334f85268c05a
SHA1 hash:
824fde198f34c7448c68b7cc0aacfb305a8350a6
Link:
https://www.unpac.me/results/0ef23896-c888-4711-8285-89ea5ac508da/
SH256 hash:
ee3a537e93bb22332bf7e3f8d9286870208f7fd75ce60ce91ae23f87901b22eb
MD5 hash:
ee74831e90dea12bd4639e69a530e412
SHA1 hash:
dc3b43cfeb6ba3d97413fa45155feb7df5676a7f
Link:
https://www.unpac.me/results/0ef23896-c888-4711-8285-89ea5ac508da/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ee3a537e93bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ee3a537e93bb22332bf7e3f8d9286870208f7fd75ce60ce91ae23f87901b22eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ee3a537e93bb22332bf7e3f8d9286870208f7fd75ce60ce91ae23f87901b22eb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1650027/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194213/

Comments