MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 046cd8b525c82f4db3b39d9a3f1b4f7dbad48dee24af3739c81e219ab56640db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 046cd8b525c82f4db3b39d9a3f1b4f7dbad48dee24af3739c81e219ab56640db
SHA3-384 hash: 53fbc580dddb24c87a76bdd8bb04575c62cfe59e1269b23dc41efa12510480a4680f43103025c3d6fb7c1dec35581f44
SHA1 hash: b86cf34c56a92b14acb59c4280e144b64a9d4c7e
MD5 hash: c25b44fac10fef4f7a400548810f4335
humanhash: mike-bakerloo-mexico-charlie
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:521'216 bytes
First seen:2022-09-09 15:11:41 UTC
Last seen:2022-09-09 18:40:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 49080033381428e3a131ff5659276d1a (4 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 12288:o9WaQa6g2K0Gds+ALpMAm/tSeG5+ry4WBGh+sI:C3Qa6g2K0GKpc/45+rgGVI
Threatray 2'955 similar samples on MalwareBazaar
TLSH T114B4BF05B9A3C0B3C5635A72946D835E653A7A141F2249EBAFC46DB86FB03C12870F77
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc425378894_652131702?hash=euHOx83GUGKCO00wcMp26m1sFQ7DEa8OUx0NwPosaIg&dl=GQZDKMZXHA4DSNA:1662736140:Xq53MvFcWBfLEomI2RdUMfa6rPyybxivsn9JqvutPt8&api=1&no_preview=1#ruzki

Intelligence

File Origin
# of uploads :
3
# of downloads :
384
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2022-09-09 15:12:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7acf9331-1462-4428-b29e-52204adb0d18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309010/
Detection(s):
SecuriteInfo.com.Variant.Lazy.241855.11504.11438.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the system32 subdirectories
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37220/overview
Behaviour
MalwareBazaar
CallSleep
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/631b57d4d06d9bc4c7b0dbc8/reports/e591b944-81d9-4f62-af45-f24454734628/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f67e80e3-4378-47cb-8724-4a5cc8d860e6
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1067857
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 700389 Sample: file.exe Startdate: 09/09/2022 Architecture: WINDOWS Score: 68 20 Yara detected RedLine Stealer 2->20 22 Machine Learning detection for sample 2->22 6 file.exe 1 2->6         started        process3 signatures4 24 Contains functionality to inject code into remote processes 6->24 26 Writes to foreign memory regions 6->26 28 Allocates memory in foreign processes 6->28 30 Injects a PE file into a foreign processes 6->30 9 WerFault.exe 23 9 6->9         started        12 AppLaunch.exe 2 6->12         started        14 conhost.exe 6->14         started        16 WerFault.exe 6->16         started        process5 file6 18 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 9->18 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/046cd8b525c82f4db3b39d9a3f1b4f7dbad48dee24af3739c81e219ab56640db/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-09 15:12:08 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=arwnrnjfzaxu3m5ttwnd6g2ppw5njdpoesxtoooidyqzvnlgidnq._file
Verdict:
malicious
Similar samples:
21ce471527c051d26da04e96c2829f450b031767399ea401920ab8b43018e421
RedLineStealer
28d31d9b315dbab65ae09fe4c7678551e24503d1ae6b4771f4a075ecbe04f5b7
RedLineStealer
2f2c0dae965f79906d381041877b327bf2828683fa41a013e659d1112512232b
RedLineStealer
464dcd506637588f1640550f411af1a56a1d9784e61e43e9bcf247b3243211e8
RedLineStealer
84bdcbcb4f0c101eaf448ef5c1d727590b3a35e08a9fd94cc21b500760c8d172
RedLineStealer
a292516f372faa805520fe555f7b63ef08a9317bb04697b58c356a6bb12908f2
RedLineStealer
a7489fc37d4f0070ba0d94570784d7ca5b1a46b8ea4ffff1fc4a613c2cda77e7
RedLineStealer
c320085e741b027c1010c8d3c9aed59ede68dfe42d9d81795f2fe93053a58e80
RedLineStealer
e2cde06324619e2e4d6506fd8d3d41272c6484705ee9f68ed30d87cd0751dd30
RedLineStealer
+ 2'945 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220909-sk6eksccbj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
40d5aa38010752baf649dc51810f45b5f3af612c16f914d356bed36b82597ad6
MD5 hash:
4993e58837db2919a7cb4b90dbc3299c
SHA1 hash:
43139c2e26cc0de2ab77767ffec59667706f244f
Link:
https://www.unpac.me/results/5edac674-ff13-4733-90d4-b5bf8daa5ea5/
SH256 hash:
20296d782edad926776201f143929c1c16ae9e86bc8b36c25036531582c43912
MD5 hash:
c06a3c5aa6fcdb37209d2a349d870b07
SHA1 hash:
23530a4a4dc879961b34525499c11b933009b142
Link:
https://www.unpac.me/results/5edac674-ff13-4733-90d4-b5bf8daa5ea5/
SH256 hash:
046cd8b525c82f4db3b39d9a3f1b4f7dbad48dee24af3739c81e219ab56640db
MD5 hash:
c25b44fac10fef4f7a400548810f4335
SHA1 hash:
b86cf34c56a92b14acb59c4280e144b64a9d4c7e
Link:
https://www.unpac.me/results/5edac674-ff13-4733-90d4-b5bf8daa5ea5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/046cd8b525c82f4db3b39d9a3f1b4f7dbad48dee24af3739c81e219ab56640db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/309010/

Comments