MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3
SHA3-384 hash: 0d1ae2c8454963be9f9cb768806d7662d69caf26941eb60a3b3936fc2f9905a1d50d4c6dca339f7623e209eced97cd68
SHA1 hash: 28b0ed4319f85f1642d9cc2c190338f7a0e54051
MD5 hash: 2236ecffd5af7b52947799bdeb4cfbdf
humanhash: stream-kitten-ceiling-ten
File name:2236ecffd5af7b52947799bdeb4cfbdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:470'904 bytes
First seen:2023-10-06 14:12:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 06ede52fcc31e4900f4f1a7060fce645 (10 x RedLineStealer, 6 x Stealc, 5 x Amadey)
ssdeep 12288:8f+8DPjjb/OdWazzs4kiUwRRlRFluG6vhXX:8f+8Xj4zJRRlI3X
Threatray 203 similar samples on MalwareBazaar
TLSH T14DA44A0331D64CE6F0D185B50ABCDEBB0DFEAC05AA15828B73FE2E2D96A07C9552D153
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.11321.21412.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/652015f09b16696e9f93d1f3/reports/4bab4fab-74be-482d-883f-09c00d1c223c/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/736438f1-5c55-41d5-b78b-979633d5da65
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1321002
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-10-06 13:50:08 UTC
File Type:
PE (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zkhdn7psowxr6zlxiywtdmqlr4ihp6nhsfkrmymwix2ehpl7trq._file
Verdict:
malicious
Similar samples:
4465e8c20f4e65e979521f058a3dfbeaa1e7d886589ff031957153c0a57a4860
RedLineStealer
514a65194f2b3277eb8c0f66338e00d01484c96c58f486f73c761ac0e3a67e01
RedLineStealer
5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef
RedLineStealer
70655332d3dbe7662fd0f0035989cba7aae059b53df195c92d5234c01ead643d
RedLineStealer
71e73af70babbb741fe9fca03a2d1b62c4ee75d8fd096ef35ce8a6bf8e22fc59
RedLineStealer
ae2f8d58e78cfe8df09b337a75f79795aab3f565776be32e35cc8ee2d747599f
RedLineStealer
c13ef6f741861e02f505fcd7dd8e5f770c5e0b70167e65c6fa14b59067a3e2cb
RedLineStealer
dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933
RedLineStealer
fa64fc23f57fc9e269b754c3cb56013061379793054fcf18cfd91f238ccd7bec
RedLineStealer
ff606d2b2815f58f2b5aea9653995de2ce548b8227ed9d0d9d7f2ed51a510a99
RedLineStealer
+ 193 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:frant infostealer
Link:
https://tria.ge/reports/231006-rjed2aef58/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
81cba4a3887b1b32dac54b2872641ce273ce728c8d0dbd8f89dd59504359a3e4
MD5 hash:
e394a67b4cc60338df57a6cee5848101
SHA1 hash:
16ec2a17b34bf0bcb8985b2eda308e9ba82fdd92
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/0792b735-f395-431a-a223-0508e910a2f1/
Parent samples :
935a5c9f60c6ce6ca29d5c953930830817aa12e66d66ee1fd53f4aadfc8d78e2
ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3
fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2
SH256 hash:
ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3
MD5 hash:
2236ecffd5af7b52947799bdeb4cfbdf
SHA1 hash:
28b0ed4319f85f1642d9cc2c190338f7a0e54051
Link:
https://www.unpac.me/results/0792b735-f395-431a-a223-0508e910a2f1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee5471b7ef93/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee5471b7ef93ad78fb2bba31698d905c7883bfcd3c8aa8b30cb22fa21debfce3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments