MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 211f4f9df67b0227766e2f3928604a5d05558b68c5ce97776df5e2380ccda8a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	211f4f9df67b0227766e2f3928604a5d05558b68c5ce97776df5e2380ccda8a9
SHA3-384 hash:	beb75f6259a6e56381e85e1709f220e89d14531f0be83a7bb5c418f38223b4b937d4acb5241a4cac6cb9652db1b9818b
SHA1 hash:	824a926474a880541b030be56f5309834c121283
MD5 hash:	061bd3f10953e86da839c4bf47c1867d
humanhash:	fillet-fruit-hamper-mango
File name:	file4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	245'760 bytes
First seen:	2021-11-26 13:53:15 UTC
Last seen:	2021-11-26 15:58:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:O2WT27p9oHctBLUHpR06i8hk5wrpdr91TDLS0RU+cZW/Wh2GjEOmDK:YEp2HABLUHT+ckyh1W0R4Zx2LI
Threatray	2'498 similar samples on MalwareBazaar
TLSH	T14834AE0463F84E13E1AADF7C18A202128B72FA73DA52D75F4DC8B0AD18567C85F5876B
Reporter	0x746f6d6669
Tags:	exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
195.242.111.44:37939	https://threatfox.abuse.ch/ioc/254926/

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file4.exe

Verdict:

Malicious activity

Analysis date:

2021-11-26 13:58:39 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/8ebc592b-9756-4084-9cb9-878366c150ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.W32.Trojan.GVC.genEldorado.9622.18591.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

DNS request

Creating a file

Creating a window

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Reading critical registry keys

Changing a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61a0e704b71ceed41531a6a0/reports/139460f9-d57e-410d-a464-bc161128e1b6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eb648163-1108-47c7-88a1-fa524053e654

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/896761

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/211f4f9df67b0227766e2f3928604a5d05558b68c5ce97776df5e2380ccda8a9/

Threat name:

ByteCode-MSIL.Trojan.RedLine

Status:

Malicious

First seen:

2021-11-26 13:54:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eepu7hpwpmbco5tof44sqycklucvlc3iyxhjo53n6xrdqdgnvcuq._file

Verdict:

malicious

RedLineStealer

1f32c94f55bcefb65e8f03108025a8439afa500ae6a5bcba56e762c168e96e67

RedLineStealer

2f475f00571b3b739cff8c945ec60c76506e99048550b0e7a5632a1c9cbcccb5

RedLineStealer

4970975b3596048497e4cd865a66e68b017afddc392ce8de6d1b071846908295

RedLineStealer

56b5c8eac3ee5f3d8da478b56ef2262f37f877d6a626596dbb6e1a9aec217cc5

RedLineStealer

60daa3e62cd9bf9377fd9a69ca78dfac4a84b0026e38912b690891be85d90edc

RedLineStealer

+ 2'488 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mixinstall infostealer spyware

Link:

https://tria.ge/reports/211126-q7j4rafhh9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine Payload

Malware Config

C2 Extraction:

195.242.111.44:37939

Unpacked files

SH256 hash:

a13f62587c83eaef5bb421567cae5f91de0bef9082ee05b0341a2eeda24e6643

MD5 hash:

c253e1ae926c8d5cd4ec1f42d82dbba7

SHA1 hash:

b31a25ce6a17bd13ba754e7a834313811ba90599

Link:

https://www.unpac.me/results/834af184-cfcc-410a-922c-f89ef86c3559/

SH256 hash:

2c07a1f8bce4ceed0c69bc3dd48bfd784a6148e5961d70462a51b052e30783ab

MD5 hash:

8b7c4c9035ff31bc8d48b23568faa0d2

SHA1 hash:

89530ee71042fdb9609575a905fd38b5492f71ff

Link:

https://www.unpac.me/results/834af184-cfcc-410a-922c-f89ef86c3559/

SH256 hash:

8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be

MD5 hash:

4abff34e351e4e95514aecb515e8aea3

SHA1 hash:

742702e8c78e7cf19f19e56a6cdb2d1811759710

Link:

https://www.unpac.me/results/834af184-cfcc-410a-922c-f89ef86c3559/

SH256 hash:

979a716d0a2eb950e9ba9855f31c77cf1faa44e42ccd37fb741a2e3ba862e3be

MD5 hash:

a8d441c59ca9d63cf2083a23762c6478

SHA1 hash:

4ce494d60704707dd03934979dced46d3a9a8f64

Link:

https://www.unpac.me/results/834af184-cfcc-410a-922c-f89ef86c3559/

SH256 hash:

383f1a498063f7ec5727893f2a878809559624d5edea619d824fca4da7b3408f

MD5 hash:

becc752e933a03d66dd5e7508687f14e

SHA1 hash:

034d3bc4be88246b3bce6ad7cd5278aae81ab5af

Link:

https://www.unpac.me/results/834af184-cfcc-410a-922c-f89ef86c3559/

SH256 hash:

211f4f9df67b0227766e2f3928604a5d05558b68c5ce97776df5e2380ccda8a9

MD5 hash:

061bd3f10953e86da839c4bf47c1867d

SHA1 hash:

824a926474a880541b030be56f5309834c121283

Link:

https://www.unpac.me/results/834af184-cfcc-410a-922c-f89ef86c3559/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/211f4f9df67b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/211f4f9df67b0227766e2f3928604a5d05558b68c5ce97776df5e2380ccda8a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample