MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
SHA3-384 hash: aefe7664b07ed6e0ad30b935d380c151e7465653ca185f9cf2a578b8785b1815e571fe6380787b2ab1a61a14ab9fea19
SHA1 hash: 8c47e231142605004748cbff859811029e867ed4
MD5 hash: b3e77be39b11b9bb1aa65694b7e31e30
humanhash: sink-dakota-burger-nine
File name:SecuriteInfo.com.Win32.BotX-gen.24919.2408
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:357'888 bytes
First seen:2022-12-27 06:28:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 770342bbcc7220bf3afa71cf90800857 (13 x Smoke Loader, 8 x RedLineStealer, 5 x Tofsee)
ssdeep 6144:ML7tBSIie1KMLaS9XnhjMH/I+dPP/1bEIVZ1YDZ:MHjie1KMxNdMH/IQdbEIV
Threatray 12'231 similar samples on MalwareBazaar
TLSH T11F74F100F965D4ACE64259744DE9DFE409EEBC316D21DA032FD06ADF2EF02A08526F9D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acedecee6eaee (119 x Smoke Loader, 44 x Amadey, 41 x Tofsee)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.BotX-gen.24919.2408
Verdict:
Malicious activity
Analysis date:
2022-12-27 06:30:06 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/bf196c55-cf58-425e-af3d-8c44cbae6a77

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.24919.2408.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63aa90af40e878e304204ab9/reports/716f028c-3d0f-4a09-b45b-fa60d13abeaf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c1107e5-c774-4461-8c85-3aa1a9e54fcc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1141385
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2022-12-27 06:24:17 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=52oqjwr3q5ykn4yw5yukooj4v2bxonov2o4npnfvnyvxjff7n5nq._file
Verdict:
malicious
Similar samples:
140f3aa7c2db1fd5335dbe01511bc09e4f90d79ad8af94b2f04cda775f3d8c70
RedLineStealer
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
RedLineStealer
7f17b3efdb1542d1da494d21dcc6dfe9fa956bd1094788fca1c5ce06a9644ab5
RedLineStealer
99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
RedLineStealer
ae2b1fc1616ef5f45b445f766f8bef9cfa464b41f3319b05b2d48c0e8b73f7e7
RedLineStealer
baa5c6d54c809d20b8a2b5c2645f7c6d99c627e1a8e2bb844f071fbcb3cee6e3
RedLineStealer
bee3fc4429805572f23814880e79ef898701e425eb3961d6c7f579ef7644203d
RedLineStealer
bfbf00babd2e290c90e2b17596a15d5f52fca7c43ad8d4691c7c4573d50615b0
RedLineStealer
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
RedLineStealer
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
RedLineStealer
+ 12'221 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:trud discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221227-g8wz9she9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
31.41.244.198:4083
Unpacked files
SH256 hash:
65f75c671b35cbde3bc6a355f88bf821f74c8a082c9744480a59bbd72defe0c7
MD5 hash:
1904c9b0a20ab75b269c4a8f7d30dacc
SHA1 hash:
c1aecaaf9ff915be2950fcdaa149dc773d349630
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/e0e52f89-bede-4338-8049-1cc8ddd42dd9/
Parent samples :
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
0969698e9298154bd93a23d103a942a2937ed1ad1fef8c1ecc6282a57d3c4711
1fc1cd4294d1ada2d5b9749125ac1c8fff4fd65d25b59ea9590e9f8545a02f77
99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
6efb2e32950265ab4042fc55e79f9791940bd1e228ab626193a6aef2f8ac937d
777e65e00628ae01a5be7027d471bae921525620493656033d2823eb9c275ff5
ae2b1fc1616ef5f45b445f766f8bef9cfa464b41f3319b05b2d48c0e8b73f7e7
7f17b3efdb1542d1da494d21dcc6dfe9fa956bd1094788fca1c5ce06a9644ab5
140f3aa7c2db1fd5335dbe01511bc09e4f90d79ad8af94b2f04cda775f3d8c70
ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
SH256 hash:
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
MD5 hash:
078f90abfc1dddd108adcb85761689d0
SHA1 hash:
51a86a74c011e0a6813b0058104f6b21765ed99c
Link:
https://www.unpac.me/results/e0e52f89-bede-4338-8049-1cc8ddd42dd9/
SH256 hash:
a714830b23ef52a2529880c8e9a377e56dde10f7cddc4083a02cb6e6a932abe2
MD5 hash:
6fe9fc0e7c5ad24c8ace861f0e514001
SHA1 hash:
0e9ecc9f6687954e9f6f0b8d331a77d8cf9108ea
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/e0e52f89-bede-4338-8049-1cc8ddd42dd9/
Parent samples :
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
1fc1cd4294d1ada2d5b9749125ac1c8fff4fd65d25b59ea9590e9f8545a02f77
6efb2e32950265ab4042fc55e79f9791940bd1e228ab626193a6aef2f8ac937d
777e65e00628ae01a5be7027d471bae921525620493656033d2823eb9c275ff5
7f17b3efdb1542d1da494d21dcc6dfe9fa956bd1094788fca1c5ce06a9644ab5
ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
SH256 hash:
ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
MD5 hash:
b3e77be39b11b9bb1aa65694b7e31e30
SHA1 hash:
8c47e231142605004748cbff859811029e867ed4
Link:
https://www.unpac.me/results/e0e52f89-bede-4338-8049-1cc8ddd42dd9/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee9d04da3b87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2487537/
  
Delivery method
Distributed via web download

Comments