MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11dcce3189c31270e3d0d4c8cbf004cc8530d470d1803db171a6ad07e6efa714. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 3 File information Comments

SHA256 hash:	11dcce3189c31270e3d0d4c8cbf004cc8530d470d1803db171a6ad07e6efa714
SHA3-384 hash:	802b25d6ef08fea5d8a8dd657459f7536981001c3ef982d9b83967a643dab9821e8c9e6e70baf1cec4c2f507aeafd6e6
SHA1 hash:	844fd5b9c26faf4f2f5bbcde729712406df053e1
MD5 hash:	4b5e854a39c62c5032d46f59966e3ebb
humanhash:	bravo-tennis-social-sink
File name:	4b5e854a39c62c5032d46f59966e3ebb.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'409'856 bytes
First seen:	2022-08-11 07:15:27 UTC
Last seen:	2022-08-11 07:54:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2687c790f1c14308333c6316f93d8a8b (1 x RedLineStealer)
ssdeep	98304:UCyCsGrVl8t4AFOLtTOSPDlb7N0GwU6zb3R+RuUBlQLOmZx8rxu/k:UCpsGrb8tZULTb7N0I6zb3R+RlBYOmZU
Threatray	4'072 similar samples on MalwareBazaar
TLSH	T16A16022B33206659D091C53BF4331BB573F298024A41E4F9A3F79EC955BC4E79A327A2
TrID	44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8e9a9c52620e1e63 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
167.235.233.35:16621

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
167.235.233.35:16621	https://threatfox.abuse.ch/ioc/842482/

Intelligence

File Origin

# of uploads :

# of downloads :

390

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

4b5e854a39c62c5032d46f59966e3ebb.exe

Verdict:

Malicious activity

Analysis date:

2022-08-11 07:16:55 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/9c30fc58-9c61-4fc0-8546-864761f8024c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/297886/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.20801.9251.5309.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/28646/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/62f4ad2dc8022caa1ab97609/reports/ce12a67f-41fe-49ba-b4f7-9e7d79fed9d3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/47e9708b-6fbb-4993-b90d-0ecbf10f1fa5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1049739

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Snort IDS alert for network traffic

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/11dcce3189c31270e3d0d4c8cbf004cc8530d470d1803db171a6ad07e6efa714/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2022-08-05 13:58:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=chom4mmjymjhby6q2temx4aezsctbvdq2gad3mlru2wqpzxpu4ka._file

Verdict:

malicious

RedLineStealer

34211e5c3790f76a96eb915fc89ec3fd9c179c2138404ba994387dc5903f575c

RedLineStealer

4e53778b6d2025b040ac38edf07dd9c31cae71628c231b227a7256c12a788cfc

RedLineStealer

9ae91a523fe3c480636debd2056a553d2e3d9415ebc067172032f562efeb4c5b

RedLineStealer

cb669b48124cb5fa6b643aada9e773454d0db48e614cc54b45ecc319444b308d

RedLineStealer

e2baec713e48b74764d044346e7170179b4b99f8e0d8692ccfda231002239b2f

RedLineStealer

+ 4'062 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:kofeww infostealer spyware

Link:

https://tria.ge/reports/220811-h3sw4accem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

167.235.233.35:16621

Unpacked files

SH256 hash:

0fa804a75e8aae689d82167150463d2aa06d86b091eb0a5e5f3c4224437b75ac

MD5 hash:

2ba3a7e9fd23042428dc890c9d12b82c

SHA1 hash:

f5ebecc196a74865261703d6e339303662305c6a

Link:

https://www.unpac.me/results/6c0f122f-fd22-4665-a1d5-8d8d5f27fbd5/

SH256 hash:

6407debf617849b1efde63b73825aff8dc002262f932dfd5e98810e4636ab17a

MD5 hash:

1023be2342234fd7cbd8ad116b6bfcac

SHA1 hash:

62c536b5ceef75e4795783d5d247c660cd36adac

Link:

https://www.unpac.me/results/6c0f122f-fd22-4665-a1d5-8d8d5f27fbd5/

SH256 hash:

11dcce3189c31270e3d0d4c8cbf004cc8530d470d1803db171a6ad07e6efa714

MD5 hash:

4b5e854a39c62c5032d46f59966e3ebb

SHA1 hash:

844fd5b9c26faf4f2f5bbcde729712406df053e1

Link:

https://www.unpac.me/results/6c0f122f-fd22-4665-a1d5-8d8d5f27fbd5/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/11dcce3189c3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/11dcce3189c31270e3d0d4c8cbf004cc8530d470d1803db171a6ad07e6efa714

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/297886/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample