MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4128a06a7252a60249a20342d927dfd4fa20ab2863fb758be9f4cc294c586b78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4128a06a7252a60249a20342d927dfd4fa20ab2863fb758be9f4cc294c586b78
SHA3-384 hash: ce10d98e5c3b12408ded1160321dbc9cc467bac1314609e485193249b2cd1c5af40be8117f5c4ecf572934fc244d24b4
SHA1 hash: e84cd18c102cdc86aa65a6f64d95e0f7f8e9aa49
MD5 hash: 7d0a8d7d85580fc3a2b9ed4a1c67bd3e
humanhash: coffee-hotel-enemy-zulu
File name:4128A06A7252A60249A20342D927DFD4FA20AB2863FB7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:118'272 bytes
First seen:2022-04-20 18:22:01 UTC
Last seen:2022-04-20 19:18:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:GJmWjvljOaW9MdQ9Q+Qu9qNzIZZIzCb5vCD7vhjnpuHCfQDZxR9r8BIUZ:ULdKaVdEQZu0yXIzC9EDh7puVR+N
Threatray 217 similar samples on MalwareBazaar
TLSH T1E3C3F656B6880B24D55955B9C0EF4A3103E2ADD36733F3893FD8768B1D823B29F81B49
TrID 52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
151.106.7.35:4444

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
151.106.7.35:4444 https://threatfox.abuse.ch/ioc/522101/

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265227/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.29701.24817.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Sending a custom TCP request
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62604f54ffe27d51191a5b6d/reports/fd2c7abb-102b-4a7b-87ee-490427b55949/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/110d0b61-9589-4bd8-bc08-7f3497b50b76
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/979902
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4128a06a7252a60249a20342d927dfd4fa20ab2863fb758be9f4cc294c586b78/
Threat name:
Win32.Trojan.Sdum
Create hunting rule
Status:
Malicious
First seen:
2022-02-25 04:36:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 42 (35.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ieuka2tskktaesncanbnsj672t5cbkzimp5xlc7j6tgcstcynn4a._file
Verdict:
suspicious
Similar samples:
1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4
RedLineStealer
9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d
RedLineStealer
a32437ab62c0ac90c236c6a8e33bd6b57e661cd83aaae7d6c9f371eefca5a7a5
RedLineStealer
cfb01d8ae511edfad85ab8534df953192bbe71a866abe46b873b6a1bdbd0d465
RedLineStealer
d1653b5cbbf61f3666ac0c5ac308b75d0d0c5029941ca9efbf37f18b51f9a3a6
RedLineStealer
d486573a12a0a407b7ae295318b59e750fb63cd9de6d46cceb2c173ae0b6b650
RedLineStealer
f60f32ec899bcb92fd50491a8c32f0548afbd4dc02462dfa373d484b4b161a86
RedLineStealer
f9830090b4f92cddd5fcfc37eb596fb883bfd69ba854153c2e3c7d08e09c5f1e
RedLineStealer
+ 207 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220420-wzwepscag4/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
4128a06a7252a60249a20342d927dfd4fa20ab2863fb758be9f4cc294c586b78
MD5 hash:
7d0a8d7d85580fc3a2b9ed4a1c67bd3e
SHA1 hash:
e84cd18c102cdc86aa65a6f64d95e0f7f8e9aa49
Link:
https://www.unpac.me/results/a5b978b0-0c81-4ff1-93fa-eead18a7e797/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4128a06a7252a60249a20342d927dfd4fa20ab2863fb758be9f4cc294c586b78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:NETDIC208_NOCEX
Create hunting rule
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:NETDIC_208
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/265227/

Comments