MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04925bf3c85303a846bedce6766addc4908e7277bb2e2007d77176cfa16c336d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments 1

SHA256 hash:	04925bf3c85303a846bedce6766addc4908e7277bb2e2007d77176cfa16c336d
SHA3-384 hash:	c900db831bcf00a7aeef39f8e1b5a66ed141a12fee952e9d23e215df6195506260821f2ccf8e2bfef49ca35bbb41f3ff
SHA1 hash:	c8a6ab19fd02ebd01afb0acadf1b2a3d542df356
MD5 hash:	49b769f67fe09869c271a0c8115e32d0
humanhash:	autumn-sink-oven-mirror
File name:	49b769f67fe09869c271a0c8115e32d0
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	416'256 bytes
First seen:	2021-10-16 22:35:10 UTC
Last seen:	2021-10-17 00:05:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	578dc7dab5389346cbcc286cae0d11e3 (9 x RedLineStealer, 3 x RaccoonStealer, 1 x CryptBot)
ssdeep	12288:hN+rnEo0tWvMYNsTO8Qjd++VKXB12Zm3kkm:hNynCYvMY2OuAKXB1mJ
TLSH	T1DC949D10A660C039F5F352F48DFA9369A52E7EE16B2490CB53D51AEE97356E0EC3130B
File icon (PE):
dhash icon	e8e8e8e8aa62a499 (21 x RaccoonStealer, 11 x ArkeiStealer, 4 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

345

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

49b769f67fe09869c271a0c8115e32d0

Verdict:

Malicious activity

Analysis date:

2021-10-16 22:37:02 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/1a8fa764-e44d-40e5-8b6f-e4e034e0d2aa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/197917/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.12734.20250.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Creating a window

Sending an HTTP GET request to an infection source

Using the Windows Management Instrumentation requests

Connection attempt to an infection source

Sending a TCP request to an infection source

Query of malicious DNS domain

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/92384ac1-eeb7-40fd-9f32-ed66fb854033

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/871669

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/04925bf3c85303a846bedce6766addc4908e7277bb2e2007d77176cfa16c336d/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-10-16 22:36:05 UTC

AV detection:

9 of 28 (32.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=asjfx46ikmb2qrv63tthm2w5ysii44txxmxcab6xof3m7ilmgnwq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalp discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211016-2h8xcsdafn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.29:24645

Unpacked files

SH256 hash:

d0dbf751b1fb26f0038b9d1dbf4c1570700caa86105137765affdb2a5b47377f

MD5 hash:

4566ccc221d5dd28ff929f890e29f330

SHA1 hash:

d977e7512300b1b690987a30e01bc36a57b94e33

Link:

https://www.unpac.me/results/b9fa3d1d-50c4-4f53-a55a-93a6dde937a4/

SH256 hash:

280a5db13cfab8ecb7c48847a54013643fee4569bda90cf2be0d0e0691554987

MD5 hash:

5d99af9e8ad58efdb5ac96da956f8d72

SHA1 hash:

5d5ca6b9b826c14372089c161aa6b76ec13c5e28

Link:

https://www.unpac.me/results/b9fa3d1d-50c4-4f53-a55a-93a6dde937a4/

SH256 hash:

ccd3d649ef9470b9ec0dace8576016808fa65b8700c1bd04b197d76b133fdac3

MD5 hash:

1610f3e5b7cd1048658eace9ce8ff7cd

SHA1 hash:

03355c015ba1e50bd8d2242510a128d73c13f4ae

Link:

https://www.unpac.me/results/b9fa3d1d-50c4-4f53-a55a-93a6dde937a4/

SH256 hash:

04925bf3c85303a846bedce6766addc4908e7277bb2e2007d77176cfa16c336d

MD5 hash:

49b769f67fe09869c271a0c8115e32d0

SHA1 hash:

c8a6ab19fd02ebd01afb0acadf1b2a3d542df356

Link:

https://www.unpac.me/results/b9fa3d1d-50c4-4f53-a55a-93a6dde937a4/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/04925bf3c853/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/04925bf3c85303a846bedce6766addc4908e7277bb2e2007d77176cfa16c336d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.