MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee85f19613f0f756dda57eecf082a94e50618d1d22f92ed3bc7dc5ae4d99d868. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee85f19613f0f756dda57eecf082a94e50618d1d22f92ed3bc7dc5ae4d99d868
SHA3-384 hash: 8c132d1f1661609a6133461c41e0703d085ef7cdb2d615ee50347fbc1aa0d5a7029d5a9a961736313f8d1dff94727a75
SHA1 hash: d5dccc75df605cb0b66758cabeda9e55120317ab
MD5 hash: 7d5f4cb3d346f17467fc695de98c41e2
humanhash: foxtrot-magazine-may-solar
File name:7d5f4cb3d346f17467fc695de98c41e2
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:306'176 bytes
First seen:2021-11-19 09:43:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f9127c363bcea23d1bd962e71624f505 (5 x RedLineStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 6144:k+owYvClkDXvqb+0ZUrPNMVTflvGiW7+uN9Oyk8GBgxIOq:RoFvCl0vqbXZUDgsiLuNEydfq
Threatray 4'023 similar samples on MalwareBazaar
TLSH T15754F0227FF08031E5E3E531A4B147E19A3FB9736935818E77641A3E6DB06C08AB6753
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.216.168.100:38784 https://threatfox.abuse.ch/ioc/250769/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7d5f4cb3d346f17467fc695de98c41e2
Verdict:
Malicious activity
Analysis date:
2021-11-19 09:54:15 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/6cb87a58-18cc-48c0-abda-7d899898dbc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/619771e54912a8c920a39575/reports/37c005d5-ca4b-4b96-a8a6-16f7da1eedc9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9c48788-564b-4f15-8105-3c1c4fd266a8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/892572
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee85f19613f0f756dda57eecf082a94e50618d1d22f92ed3bc7dc5ae4d99d868/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-11-19 09:44:05 UTC
AV detection:
22 of 44 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=52c7dfqt6d3vnxnfp3wpbavjjzigddi5el4s5u54pxc24tmz3bua._file
Verdict:
malicious
Similar samples:
067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f1525a1cfd5a63392557
RedLineStealer
136b09653c55e04d3c4162c116bebb52dc337d62cdd69e2f0977fbc17e69dfd0
RedLineStealer
14392ce90022b570351972c94bfd451cce4f69e7d731de4fc21a275899b081ec
RedLineStealer
2f5ea90c14a9eff6482a7c7c020b9a65faebf7a98af718a1e3c9a3b2356eb509
RedLineStealer
46bfd4ef142643e91a9c9e5d92d90b52100da882786e97c1502f1cc2a6ea9103
RedLineStealer
6a7af1d145e133bfd37416108227befcfd1c15597f3a05fdf39ec95b9e8f1cfe
RedLineStealer
c325d98c7689964cadb138bf351b863372ee464a350f3d1fc11fe0906c8a1cb4
RedLineStealer
ed786315c90cafc4e4b6fe237cebec8a8bd038b6203da8477d19ec8bbb9a09e4
RedLineStealer
+ 4'013 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1811 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211119-lqgvvadac7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.216.168.100:38784
Unpacked files
SH256 hash:
32b581b32370d39e23c3ef09ee343ef0dd3c5b2a5a852da36d0ac5d4a943225c
MD5 hash:
230c4cbe02163550b3f7b0cf55697860
SHA1 hash:
9a14616eb3c594456c48bb19818f04c2f2ec4d2c
Link:
https://www.unpac.me/results/97a2cb8c-6024-4c42-b07e-8b1735a553fb/
SH256 hash:
6198042db49e0403f6c5dd514a596e186cd9780c35e80294bc727b509bf3f3d1
MD5 hash:
102658510d05e463f0afa0ecd5f3c8b5
SHA1 hash:
31b925feff6274124d2eb1ce5605d1ec321db045
Link:
https://www.unpac.me/results/97a2cb8c-6024-4c42-b07e-8b1735a553fb/
SH256 hash:
e018fa29d90b5a715e7a955653f100f7afbdcb769eb9b9b0c0edae7b3918c18e
MD5 hash:
e87a3962ebb62e016297a657ee915839
SHA1 hash:
2503638b069da53f45f5b9fcda325ee55a2b2406
Link:
https://www.unpac.me/results/97a2cb8c-6024-4c42-b07e-8b1735a553fb/
SH256 hash:
ee85f19613f0f756dda57eecf082a94e50618d1d22f92ed3bc7dc5ae4d99d868
MD5 hash:
7d5f4cb3d346f17467fc695de98c41e2
SHA1 hash:
d5dccc75df605cb0b66758cabeda9e55120317ab
Link:
https://www.unpac.me/results/97a2cb8c-6024-4c42-b07e-8b1735a553fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee85f19613f0f756dda57eecf082a94e50618d1d22f92ed3bc7dc5ae4d99d868

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ee85f19613f0f756dda57eecf082a94e50618d1d22f92ed3bc7dc5ae4d99d868

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1800537/
Cape
Cape
https://www.capesandbox.com/analysis/207576/

Comments


Avatar
zbet commented on 2021-11-19 09:43:26 UTC

url : hxxp://154.16.148.95/myblog/posts/sefile2.exe