MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee823718365c7165744fac0c4c054b1bcf7dc5730f5abc7cdd98f4a4fb2c56f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	ee823718365c7165744fac0c4c054b1bcf7dc5730f5abc7cdd98f4a4fb2c56f1
SHA3-384 hash:	51cef15a61b83bb428eb4f6c1e20cd709bf01c171a2a0db25c6fcf1af2eec530a0d9574a76fbbfa3bbc991a450c57df6
SHA1 hash:	9a7c7c98b3c28b0996a9a94507a26097ec88e60c
MD5 hash:	4df2d9326d7d8373accccb02e3624f7d
humanhash:	eleven-mango-monkey-ink
File name:	4df2d9326d7d8373accccb02e3624f7d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	277'112 bytes
First seen:	2023-02-25 22:10:31 UTC
Last seen:	2023-02-25 23:28:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	41a04f6766430316d963ac644ea1367e (3 x RedLineStealer)
ssdeep	6144:1qQooMlHvgquykhtEFEi4utY7oo9eSQ0ZjtQ5Rx:KoMlYlyEtEFER8YU6RQ0ZjtQx
Threatray	1'734 similar samples on MalwareBazaar
TLSH	T135443C107ACCA87BFD87D53414B19F62E8A5D6AA1F0F528053F8419EAFF4D7062A4387
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.15.157.128:4137

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

68d16674b4b6ff00b7c4c93c2f829a8f.exe

Verdict:

Malicious activity

Analysis date:

2023-02-22 11:13:04 UTC

Tags:

trojan loader smoke rat redline

Link:

https://app.any.run/tasks/3609e792-e818-401e-85dc-5f6a81975a64

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/369735/

Detection(s):

SecuriteInfo.com.Variant.Ser.Zusy.4056.6092.6086.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed redline zusy

Link:

https://www.filescan.io/uploads/63fa8777589e1e4c5bd8fa4e/reports/36c98321-2ff9-4b8e-96a5-f672576438b8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ee823718365c7165744fac0c4c054b1bcf7dc5730f5abc7cdd98f4a4fb2c56f1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c975bac9-d8f8-46e8-a795-93aa4a5d3c27

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1182412

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ee823718365c7165744fac0c4c054b1bcf7dc5730f5abc7cdd98f4a4fb2c56f1/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-02-22 15:08:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 39 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=52bdogbwlrywk5cpvqgeybkldphx3rltb5nly7g5td2kj6zmk3yq._file

Verdict:

malicious

RedLineStealer

2939c2394ceba4ec6d09b39765f26de7b9b2e768ffe5426da4f1833f33b015ee

RedLineStealer

32551f9124a359edf3435979372676a4c5bbaeb0423cc3ec53d382abb39d850f

RedLineStealer

6f3417e1976e3f931cbbe41b23478eb25cde5f408b07918150cc0d0a72999e3c

RedLineStealer

b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7

RedLineStealer

c3459cba29b38190411467d23a91f8e6577c5d3241bbe59858282b1c4a41d3bf

RedLineStealer

dab0d575cb650dae64243a3e53d3e2de98e25d819d1f87212fcbe38e54135cc0

RedLineStealer

f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77

RedLineStealer

+ 1'724 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:shev3 infostealer spyware

Link:

https://tria.ge/reports/230225-13xjdsee3v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

45.15.157.128:4137

Unpacked files

SH256 hash:

4b04d24a9c5d180ee69f0435022fccff4f06bba9a9e6df06bf2c3bd4f561219f

MD5 hash:

de7fa947acfcfd74297df3d6e9912b0c

SHA1 hash:

3c61b69371cf4e9bf03a53e5206bdbe73bf00b11

Detections:

redline

Link:

https://www.unpac.me/results/9f7182cb-8c42-4e30-8a8d-e90f24c8e35d/

SH256 hash:

ee823718365c7165744fac0c4c054b1bcf7dc5730f5abc7cdd98f4a4fb2c56f1

MD5 hash:

4df2d9326d7d8373accccb02e3624f7d

SHA1 hash:

9a7c7c98b3c28b0996a9a94507a26097ec88e60c

Link:

https://www.unpac.me/results/9f7182cb-8c42-4e30-8a8d-e90f24c8e35d/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ee823718365c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ee823718365c7165744fac0c4c054b1bcf7dc5730f5abc7cdd98f4a4fb2c56f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Redline_Hunter Create hunting rule
Author:	Potato
Description:	Unpacked RedLine Hunter

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Win32_Trojan_RedLineStealer Create hunting rule
Author:	Netskope Threat Labs
Description:	Identifies RedLine Stealer samples
Reference:	deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/369735/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample