MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eed3dc3bd8fe006447ebd633cd8ce00a38f96c69f05d7a621c852ef2c45192ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	eed3dc3bd8fe006447ebd633cd8ce00a38f96c69f05d7a621c852ef2c45192ae
SHA3-384 hash:	463e5d61f316635ce1e089c761aa3d9eff400df8dd66e21de0fd1da5ef66fd8b4bf9da1d71cba1078e5c95bb6fdc21a0
SHA1 hash:	d0be6f51368c1e1547d0880763074c8ed9eec864
MD5 hash:	0e566d062e12ca080b984309712bf0fe
humanhash:	neptune-twelve-kilo-vermont
File name:	eed3dc3bd8fe006447ebd633cd8ce00a38f96c69f05d7.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'998'976 bytes
First seen:	2022-03-19 18:56:10 UTC
Last seen:	2022-03-19 20:54:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	522c2b7934d672997a3a4448dfe9c305 (1 x RedLineStealer)
ssdeep	24576:tm98SKigyX1H7CIURcWRYn8DitMbmVCCcfqTvDRqLvAzYydy+vkxI5aJn96rp2Sz:G0k12xRcWyOmfTvDRhzxvkmmniwSa+
TLSH	T1C6953309DA8D5A08D5A2B23A81B78E357973B139536D0FA111ADB23CAFF3B771C52C11
File icon (PE):
dhash icon	72ecd6dadadad2ce (2 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
194.87.109.41:4608

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
194.87.109.41:4608	https://threatfox.abuse.ch/ioc/423023/

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/253005/

Detection(s):

SecuriteInfo.com.Artemis0E566D062E12.24079.11187.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62362783b94fb38cb4b07df2/reports/aa50ea6f-fabf-4fdc-b586-2017f32a2ed8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2d05835b-9d02-40a1-afd0-fc818afc7ff2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960159

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eed3dc3bd8fe006447ebd633cd8ce00a38f96c69f05d7a621c852ef2c45192ae/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-03-19 18:57:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=53j5yo6y7yagir7l2yz43dhabi4ps3dj6boxuyq4quxpfrcrskxa._file

Verdict:

suspicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220319-xlyhksgccm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

4d49dd5a368e630e43768c87f09c156d7f7061d3f8993396149e0686dcffe290

MD5 hash:

c36964aa31a1d01dce9fea8091804654

SHA1 hash:

dc7742563b19b2c94afd5bf64b27cbc185b79986

Link:

https://www.unpac.me/results/f8a6fb16-bff7-4ca4-ba51-dd1696a5fa09/

SH256 hash:

eed3dc3bd8fe006447ebd633cd8ce00a38f96c69f05d7a621c852ef2c45192ae

MD5 hash:

0e566d062e12ca080b984309712bf0fe

SHA1 hash:

d0be6f51368c1e1547d0880763074c8ed9eec864

Link:

https://www.unpac.me/results/f8a6fb16-bff7-4ca4-ba51-dd1696a5fa09/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/eed3dc3bd8fe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eed3dc3bd8fe006447ebd633cd8ce00a38f96c69f05d7a621c852ef2c45192ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/253005/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample