MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d4ba1ff1ded8ceed68d1af69a463506ea7bfe4c92d4d78082ee5c111077ad98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 0d4ba1ff1ded8ceed68d1af69a463506ea7bfe4c92d4d78082ee5c111077ad98
SHA3-384 hash: 3870ea879f253584a3f1c6acc2342780e6a956a5163696251c69a3f205cc954df7dd2e86eb08b2406852427ef469f007
SHA1 hash: ad9c2196c729a88d41fd3cb7bcf1c4d4d9c2a3d9
MD5 hash: 4754d13ac1f9c498223f4ba0e757f2bb
humanhash: mike-hamper-delta-kitten
File name: 4754d13ac1f9c498223f4ba0e757f2bb.exe
Download: download sample
Signature: RedLineStealer
File size: 419'328 bytes
First seen: 2022-01-19 17:46:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b599c41ba6f3d2fcbb28babbce596599 (10 x RedLineStealer, 3 x RaccoonStealer, 1 x OnlyLogger)
ssdeep: 6144:1xNQZxcYaaE1RF7MoU2mJ54koWuxGfXWhRp9pmaDf:T+ZxcYaaEJol2mJekoWuyXWn17
Threatray: 4'419 similar samples on MalwareBazaar
TLSH: T12A94F131B590D431D08625B2C819DFA56AFDB8351A319A8333A43B6E7F713C0A6B635F
File icon (PE): PE icon
dhash icon: fcfcb4b4b4d4d9c1 (24 x RedLineStealer, 10 x Smoke Loader, 4 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.9.20.111:1355

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.9.20.111:1355
ThreatFox reference: https://threatfox.abuse.ch/ioc/303028/

Intelligence


File Origin
# of uploads: 1
# of downloads: 217
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4754d13ac1f9c498223f4ba0e757f2bb.exe
Verdict: Malicious activity
Analysis date: 2022-01-20 04:35:07 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2022-01-19 17:47:10 UTC
File Type: PE (Exe)
Extracted files: 32
AV detection: 20 of 43 (46.51%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 53550ff7f5f4415af3921403ceb61516ed96de9977b3bddeb98e2806fa0c51d3
MD5 hash: bffe2ad5060544e3f91895046563058e
SHA1 hash: 9aef75c0ba7544f75ed8de564119e00f27b6c296
SHA256 hash: 3007bd9c3d3738268faa22379b815987f1f36c716620b27a460561a8c3b4b416
MD5 hash: 5ac2f4bce675ade1eb5ff3366018b0d0
SHA1 hash: 40b2fbc94f331ba0aabb1f05b077f486eff29b00
SHA256 hash: 36a82f6715d2738bf62a8725b62f56e63fee90618abb687ac5ed851b868d7aad
MD5 hash: 2bd5e432ae6aa0b4ef5876e64b450b57
SHA1 hash: 1cb7938d62b42d1ebbde31ec582a01be27fcd864
SHA256 hash: 0d4ba1ff1ded8ceed68d1af69a463506ea7bfe4c92d4d78082ee5c111077ad98
MD5 hash: 4754d13ac1f9c498223f4ba0e757f2bb
SHA1 hash: ad9c2196c729a88d41fd3cb7bcf1c4d4d9c2a3d9
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe 0d4ba1ff1ded8ceed68d1af69a463506ea7bfe4c92d4d78082ee5c111077ad98 (this sample)

Delivery method: Distributed via web download

Comments