MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4198d7637f0fdd1c204db281d2e7c958ba5deb11db1ad42b0b8171521e5e8a98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4198d7637f0fdd1c204db281d2e7c958ba5deb11db1ad42b0b8171521e5e8a98
SHA3-384 hash: 27997f79691351e4adbdee6274280f206aaabfda2018ddd1049e112dc20633c8d8b7a0f7fc966337a9e2f3bca0ecfa65
SHA1 hash: a78db92a67595aa862cb562f653e57a1a771b35d
MD5 hash: 738ecb95470694f49d33d12701e78c14
humanhash: tennis-wyoming-cat-xray
File name:738ecb95470694f49d33d12701e78c14
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:312'320 bytes
First seen:2022-06-09 17:18:54 UTC
Last seen:2022-06-09 17:39:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 44ec2137b6f78ac2ba6e32a9efc0f4b1 (1 x Amadey, 1 x RedLineStealer)
ssdeep 6144:qVvo+t4XtpqL2oLk16Q2JeAXPdv8Tel5mBX4QUEan:l+SX/4FLQYtFETZXUd
Threatray 6'342 similar samples on MalwareBazaar
TLSH T12064F15037F1C833D4A285304971D7222D377852A675FC8E3FA8176D6E71282A6BE36B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
353
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
738ecb95470694f49d33d12701e78c14
Verdict:
Malicious activity
Analysis date:
2022-06-09 17:24:30 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/5394d2e7-c494-4dee-98e1-9e95a26295ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/278446/
Detection(s):
SecuriteInfo.com.Ransom.Win32.StopCrypt.PBU.MTB.8310.22077.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
Sending a custom TCP request
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypter greyware packed ransomware
Link:
https://www.filescan.io/uploads/62a22bc48e867832d9ec4b33/reports/6c659c18-bb65-44bc-bc28-55e51dfc5b00/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e8c1061-a02a-4144-83da-95e167cd7e10
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1010230
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4198d7637f0fdd1c204db281d2e7c958ba5deb11db1ad42b0b8171521e5e8a98/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-09 17:19:08 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=igmnoy37b7oryicnwka5fz6jlc5f32yr3mnnikylqfyvehs6rkma._file
Verdict:
malicious
Similar samples:
121873343a2752cdfce8f990986da1fd6e05883b44e62bfd0639a7508c58e387
RedLineStealer
39f1a98ab29664ef492b052c44f6ea76148d75baaf55b7b037cc0575eb8b25d4
RedLineStealer
ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a
RedLineStealer
b2114af6bb8149e6c3860e64aa47475e5c35726dcd8e28891caab5d04054f6d0
RedLineStealer
beea56a23dafd425aa57b3b05cd4d44c7615633292b20fb9bb22e08469fa6634
RedLineStealer
c404cc3a18e98ff81b63518df694118ecdec9948ce72f511cc828f93af5c4e7e
RedLineStealer
df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
RedLineStealer
+ 6'332 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:lyla2 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220609-vvtvmsefg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
185.215.113.201:21921
Unpacked files
SH256 hash:
f78ee6050322de3ea675fa81ab5d4f7ea0d1c92a2723cc3918fefbc170e67bed
MD5 hash:
fffb705283baf6c8c34533edc512f03c
SHA1 hash:
ed76ab37f40c043d1b3a5d92df8ff23dd662a7f5
Link:
https://www.unpac.me/results/118b246d-c7f9-49cd-8503-9d8b36450394/
SH256 hash:
9af23fa714b3a3011ff70f4b630cb1f538eab75de42e911fb6c5483757438e72
MD5 hash:
ef52cb6eba55c7ff5424efd7deb3916e
SHA1 hash:
dd5adf710f3de184823ddbe9568eb6c35324ed59
Link:
https://www.unpac.me/results/118b246d-c7f9-49cd-8503-9d8b36450394/
SH256 hash:
e5c0b3a94437fac397ff0592da8f17d26ff6661f77998cfc704898b5c5310ea9
MD5 hash:
6bf03e71a9b0b7d86021340f9c8ceebc
SHA1 hash:
01c52aef94e5c9d2062615379dee703a4f114536
Link:
https://www.unpac.me/results/118b246d-c7f9-49cd-8503-9d8b36450394/
SH256 hash:
4198d7637f0fdd1c204db281d2e7c958ba5deb11db1ad42b0b8171521e5e8a98
MD5 hash:
738ecb95470694f49d33d12701e78c14
SHA1 hash:
a78db92a67595aa862cb562f653e57a1a771b35d
Link:
https://www.unpac.me/results/118b246d-c7f9-49cd-8503-9d8b36450394/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4198d7637f0f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4198d7637f0fdd1c204db281d2e7c958ba5deb11db1ad42b0b8171521e5e8a98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4198d7637f0fdd1c204db281d2e7c958ba5deb11db1ad42b0b8171521e5e8a98

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2231827/
Cape
Cape
https://www.capesandbox.com/analysis/278446/

Comments


Avatar
zbet commented on 2022-06-09 17:19:16 UTC

url : hxxp://astargroup.com/6/data64_4.exe