MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5ecdd5eaebd3def354edf4ffa4a130c702fc129cdfb352cff21041c92872f49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments 1

SHA256 hash:	f5ecdd5eaebd3def354edf4ffa4a130c702fc129cdfb352cff21041c92872f49
SHA3-384 hash:	7c0aa76dd16ea3b60d2bd83954225e9599fee7919cbe6669ae762b22ca3e15c54ae8add9704ab59b211da8e938c72517
SHA1 hash:	0e28c1f2459def28ee7ff0d335c7fdc9a1b0b911
MD5 hash:	91ce686d4cf23d43203f4db6c0f5d25c
humanhash:	hawaii-fillet-neptune-quebec
File name:	91ce686d4cf23d43203f4db6c0f5d25c
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	247'296 bytes
First seen:	2021-11-17 11:36:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	79ff4954c9c3b349f13286a4d023397c (4 x RedLineStealer, 2 x ArkeiStealer)
ssdeep	6144:3UoK14qXJVuDBqhyxlWeTWWRBrZCBR5JPQQ:3UZ4qKcki8WWHrZM7
Threatray	3'039 similar samples on MalwareBazaar
TLSH	T1E434E01077B29837E5E35A746AB5BFB11A37BCB26674C18A2354075E2E713E06DB0323
File icon (PE):
dhash icon	fcfcb4d4d4dcd8c0 (14 x RedLineStealer, 11 x RaccoonStealer, 3 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

Win.Packed.Generic-9908949-0

Win.Dropper.Fragtor-9909325-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6194e9642695a62af9f21c61/reports/d36df4b3-87df-4596-8d88-b1a5d349e750/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/096c2494-d625-4960-9a32-3e814c4d1788

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/891097

Signature

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f5ecdd5eaebd3def354edf4ffa4a130c702fc129cdfb352cff21041c92872f49/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2021-11-17 11:38:14 UTC

AV detection:

21 of 45 (46.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6xwn2xvoxu666nko35h7usqtbryc7qjjzx5tklh7eecbzeuhf5eq._file

Verdict:

malicious

RedLineStealer

0ed83aa95f87e65e843b791c92419d0c1d34e5b01cc0be01715009f679ddc220

RedLineStealer

121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e

RedLineStealer

24bb15d093025a935e0de62e850056aea484990c713517cd53de6696b5e9db52

RedLineStealer

9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875

RedLineStealer

b460853c5ec595df43a8cb5b67d9e8d41348334060e3766c8c14709e03a826ab

RedLineStealer

b821da19f3f294e14b95e0a9c2b2926fbac983986494e81278ba4d3b7c5502a4

RedLineStealer

bdae4240709c06d733b9d67851a9d5f159102d145ab7f57ab689358a196916bf

RedLineStealer

cc2bef9329a741ecf4c4b92d6af68a78a7de8165b4876d598998abc6dd1a7903

RedLineStealer

+ 3'029 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:superstar infostealer

Link:

https://tria.ge/reports/211117-nqnz9shbgk/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.29:36224

Unpacked files

SH256 hash:

95d1284b38956fb6a9e76c630acce1c37e41177cb6363df6759b31c139f25227

MD5 hash:

85f83ca85cab60c704c1b3d52cbd276d

SHA1 hash:

f3c0408a8bbf38acf5a04c287d9e148d12f341a3

Link:

https://www.unpac.me/results/72e0f144-d042-4273-ad08-34ff921f4db8/

SH256 hash:

eb58744cfd98d6f6c157ed563904b39c05b4a5393894692cbd1be6298d9d2086

MD5 hash:

93ed16d365e472e03681a21e6b053782

SHA1 hash:

cc4be427791cf175a23154a83c0dbf497b280e43

Link:

https://www.unpac.me/results/72e0f144-d042-4273-ad08-34ff921f4db8/

SH256 hash:

530ee932b7e415222c31080326f026a79280df76ab363ca38802a15497f8ce51

MD5 hash:

3c95728f3f0dd3b1511554febac68c1a

SHA1 hash:

c0a34aa26369e0a9ce99c72df75f1141142e430e

Link:

https://www.unpac.me/results/72e0f144-d042-4273-ad08-34ff921f4db8/

SH256 hash:

f5ecdd5eaebd3def354edf4ffa4a130c702fc129cdfb352cff21041c92872f49

MD5 hash:

91ce686d4cf23d43203f4db6c0f5d25c

SHA1 hash:

0e28c1f2459def28ee7ff0d335c7fdc9a1b0b911

Link:

https://www.unpac.me/results/72e0f144-d042-4273-ad08-34ff921f4db8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f5ecdd5eaebd3def354edf4ffa4a130c702fc129cdfb352cff21041c92872f49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.