MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f48935af4c1de3f13ecc8a546459f9da6f1e2954cf8980e08a7a81711ac3529. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	2f48935af4c1de3f13ecc8a546459f9da6f1e2954cf8980e08a7a81711ac3529
SHA3-384 hash:	c46115b4a874bd08550bcaa9e09b0442213e9b5625ad06dea4669c13e19c4504fd7a87a9a3218035483bb0ae87953cc4
SHA1 hash:	32a3ed46d6401a6fd022ead4e41ddfba3176b08b
MD5 hash:	1d6336628ddcb3068af4b838c8575f51
humanhash:	lion-moon-alanine-pluto
File name:	IMG_461349.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	519'288 bytes
First seen:	2021-11-16 09:36:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:mePh3nhSozzWEuI1o/HrTKJ8vgyV4v5hWh8+YVnnnI7Rk+bp0bmHqlTbpODz9nE:Dh3VzwQGgyVUTK8+oWebm9Dz9n
Threatray	990 similar samples on MalwareBazaar
TLSH	T17FB47CA1B3A69C74F1265532B870818933627E5E6AA0C53F269D320D3D733D31AF5E4B
File icon (PE):
dhash icon	00a2ae9a8282ba00 (1 x RedLineStealer)
Reporter	milannshrestga
Tags:	exe Redline RedLineStealer Trojen

milannshrestga

discord cdn

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMG_461349.exe

Verdict:

Malicious activity

Analysis date:

2021-11-16 09:34:42 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/52551f5f-b2e7-4e1c-a819-56c4f9cd27f7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/206282/

Detection(s):

SecuriteInfo.com.W32.MSIL_Agent.CAI.genEldorado.3988.29272.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/61937b8643e8f62b66951822/reports/b10280b7-4ce2-46cf-8416-86fc43e675d7/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/622d9570-7b37-4f56-9d7f-80b1291b0b40

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/890260

Signature

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2f48935af4c1de3f13ecc8a546459f9da6f1e2954cf8980e08a7a81711ac3529/

Threat name:

ByteCode-MSIL.Trojan.RedLine

Status:

Malicious

First seen:

2021-11-16 09:36:06 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4

RedLineStealer

88d819e97e573477222ae60022206e9d16fabeaa10385296f403adcb2edf1bac

RedLineStealer

8d5a44287fea225aaf7aec78fa9591560d448e8813e6c70315496889a8e78fc3

RedLineStealer

a0b3e767f69fa35a2c2c280cc6ede993d6af464bb261352ea371ee9e0aa60d9a

RedLineStealer

a3d16c6ae1302f54732d0abfcbf0eaece47378a72a35e570ee68bd479bc7c851

RedLineStealer

a3e0d1640ad8b3cd669fb283acbda05f77280144414de6b88dae5009c55b5872

RedLineStealer

d4f72d2182411da7606c634ee11876aafb6230f620c36921288c5de1f8d2f795

RedLineStealer

d8ce2e5613b91a46eb15835e6d2aac47a715e2ab55a97163bdf2ed8ac350f7a1

RedLineStealer

+ 980 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mama infostealer spyware

Link:

https://tria.ge/reports/211116-lkxn4sabbm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine Payload

Malware Config

C2 Extraction:

89.105.217.244:57262

Unpacked files

SH256 hash:

02b1454da565edd0889ba818a79a0e529f98950ec84ece03580efd8a3a6587e1

MD5 hash:

3d6fc6e629608b7d215b915e64eae37e

SHA1 hash:

bf7fba5c7ca8d074e1ddc14817cffcb4421eddef

Link:

https://www.unpac.me/results/29db99e5-9c47-41c1-9725-ffc31ceb790e/

SH256 hash:

bd4c4912209802bb457983177d94b220d20dc9775ff973f90bd1c6afd729bc9c

MD5 hash:

8cde05c2cc918a68b075bdb2854c9994

SHA1 hash:

bc3c4e2826370171102ee8b7bd317493cd72c15f

Link:

https://www.unpac.me/results/29db99e5-9c47-41c1-9725-ffc31ceb790e/

SH256 hash:

8286146bcec78bb0ab27804e7e82d616d2f09733745764d054a8d662e3a1ad01

MD5 hash:

4a5690bee43163f6a6773f4cfb511840

SHA1 hash:

4032f1a86b9b56a93f46a2f30c4394fdd23ff4f1

Link:

https://www.unpac.me/results/29db99e5-9c47-41c1-9725-ffc31ceb790e/

SH256 hash:

2f48935af4c1de3f13ecc8a546459f9da6f1e2954cf8980e08a7a81711ac3529

MD5 hash:

1d6336628ddcb3068af4b838c8575f51

SHA1 hash:

32a3ed46d6401a6fd022ead4e41ddfba3176b08b

Link:

https://www.unpac.me/results/29db99e5-9c47-41c1-9725-ffc31ceb790e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2f48935af4c1de3f13ecc8a546459f9da6f1e2954cf8980e08a7a81711ac3529

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/52551f5f-b2e7-4e1c-a819-56c4f9cd27f7

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/206282/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample