MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 004f12ff7cee3102e02d5ddbd1f429c9f934976c1e4c196d6366eef0920ba147. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 004f12ff7cee3102e02d5ddbd1f429c9f934976c1e4c196d6366eef0920ba147
SHA3-384 hash: 309d950c4f3ed49f17159480e55b952958406872033ae4fa89b4f93e210cd82d30d4ba9ecd05b4e721d63e17ebf0fb3c
SHA1 hash: 0e3d88e7f327cc93379e5f48030a82699686c598
MD5 hash: e26503d96d3b7a03b14464af925b6803
humanhash: alaska-missouri-bacon-indigo
File name:e26503d96d3b7a03b14464af925b6803.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:197'120 bytes
First seen:2021-08-19 09:00:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:ZKOJ8I3xIYOOOOOIOOOOGOYOOOO+OOOnIYOOOOOIOOOOGOYOOOOOOOOOOOIYUUYP:ZKOJ8I3gT
Threatray 1'285 similar samples on MalwareBazaar
TLSH T1B5141FA1F2C980C5E027197349BB9DB2156B6E38D479C41E354CBF3A67F3342406AE9E
dhash icon a2b28a8aaa989a80 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e26503d96d3b7a03b14464af925b6803.exe
Verdict:
No threats detected
Analysis date:
2021-08-19 09:01:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0b943577-06d5-4279-a808-b7148c46eca5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180613/
Detection(s):
SecuriteInfo.com.StaticAI-SuspiciousPE.6333.24603.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a process with a hidden window
Sending a UDP request
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Sending an HTTP GET request
Creating a process from a recently created file
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a53a007b-8a9c-4599-9c96-6c99741eb67c
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835654
Signature
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious PowerShell Keywords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Ficker Stealer
Yara detected MSILLoadEncryptedAssembly
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468085 Sample: nO4rGTVCcN.exe Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Yara detected Ficker Stealer 2->47 49 Yara detected RedLine Stealer 2->49 51 5 other signatures 2->51 9 nO4rGTVCcN.exe 2 2->9         started        process3 process4 11 mshta.exe 22 9->11         started        dnsIp5 31 ngbs.co.uk 95.216.202.81, 443, 49678, 49679 HETZNER-ASDE Germany 11->31 33 www.ngbs.co.uk 11->33 61 Obfuscated command line found 11->61 15 powershell.exe 14 20 11->15         started        signatures6 process7 dnsIp8 35 www.ngbs.co.uk 15->35 37 ngbs.co.uk 15->37 39 Creates an undocumented autostart registry key 15->39 41 Writes to foreign memory regions 15->41 43 Injects a PE file into a foreign processes 15->43 19 aspnet_compiler.exe 15 32 15->19         started        23 conhost.exe 15->23         started        signatures9 process10 dnsIp11 27 talueratas.xyz 93.189.40.76, 49684, 49687, 49688 NTCOM-ASRU Russian Federation 19->27 29 api.ip.sb 19->29 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->53 55 Performs DNS queries to domains with low reputation 19->55 57 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->57 59 2 other signatures 19->59 25 conhost.exe 19->25         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/004f12ff7cee3102e02d5ddbd1f429c9f934976c1e4c196d6366eef0920ba147/
Verdict:
malicious
Similar samples:
3239f1e24443e92f85337dd2c578b6d51f2d22a77719e39cc55fbf63886835e4
RedLineStealer
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
RedLineStealer
51d2635f22730bda39c675471c27488968ec29cdab13cf86ab060888f94e9d99
RedLineStealer
a3dcc6671290b07cb0b9f3fb57b347043d0e295628de1f378883114146842d4e
RedLineStealer
a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
RedLineStealer
b2c5577e8c882eee0be28cb16350b7aa48c3052d410d421da4a9620a8c86807d
RedLineStealer
bfcb8e1f198cdd9a25aa8266c1e39c496434b3afc8fe2e2d3ed40e1cf32eb932
RedLineStealer
c5e602590822d247a053912dd281aacb3882548c6baece1fc23058862fde58a3
RedLineStealer
e95767ddcb06f45cdec003a051cb78f551313c70555600d94ec7676fc785c874
RedLineStealer
ec2d7c2ee1e9efbd894f541b1fdd302be1ed97628a46e0919af03d78bcf5ffdf
RedLineStealer
+ 1'275 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:4 infostealer spyware
Link:
https://tria.ge/reports/210819-7vgrzcgj1a/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Blocklisted process makes network request
RedLine
RedLine Payload
Malware Config
C2 Extraction:
talueratas.xyz:80
Dropper Extraction:
https://www.ngbs.co.uk/curseOneTower.txt
Unpacked files
SH256 hash:
004f12ff7cee3102e02d5ddbd1f429c9f934976c1e4c196d6366eef0920ba147
MD5 hash:
e26503d96d3b7a03b14464af925b6803
SHA1 hash:
0e3d88e7f327cc93379e5f48030a82699686c598
Link:
https://www.unpac.me/results/920012b7-4e7e-46e5-adc0-da9e569f9984/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/004f12ff7cee3102e02d5ddbd1f429c9f934976c1e4c196d6366eef0920ba147

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 004f12ff7cee3102e02d5ddbd1f429c9f934976c1e4c196d6366eef0920ba147

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1544447/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180613/

Comments