MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
SHA3-384 hash: 355607ec7a85d8f0acd9f2f6e960df72ce07950de11dae0f14c18813fccc8ebd964e80e0bc9c8faf9e7b825d265f8057
SHA1 hash: 8bbfb00a35b4ca7a0e85384565cc0022930ddaa4
MD5 hash: 300bbb0fc654ceee4f3a0af50a51bf39
humanhash: nebraska-white-comet-orange
File name:300bbb0fc654ceee4f3a0af50a51bf39
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:350'720 bytes
First seen:2022-12-25 01:36:27 UTC
Last seen:2022-12-25 03:29:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ea9f0326cf512ac0eb7dd4bc1a00a19 (18 x RedLineStealer, 17 x Smoke Loader, 2 x TeamBot)
ssdeep 6144:xLkyxB069LcRolbuuJkGfJKVAvaA2QmaMeO5:xIyxn9Q6u+kOPvb9fO5
Threatray 12'052 similar samples on MalwareBazaar
TLSH T15874F10CFAA3C465C5A5BA304915DFE46A6AFC705FA1563F37403F2F2E30ED1952A2A1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acedecee6eee6 (96 x Smoke Loader, 45 x RedLineStealer, 15 x Amadey)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
300bbb0fc654ceee4f3a0af50a51bf39
Verdict:
Malicious activity
Analysis date:
2022-12-25 01:38:00 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/9091deff-ca43-4585-966e-10260e1cfb6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.9936.11368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63a7a941898959f356c5c849/reports/30ac9bc3-60c7-41be-ad7c-0c714221d437/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4bf3c8f9-a2e4-4c3c-8021-287d6689a378
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140649
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-25 01:37:09 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ih354agfeaarxzqcvt3m5yfs2y2coklccm3mvhbplwral3r27boa._file
Verdict:
malicious
Similar samples:
283455ddb0a8d49953b746848056b0cc3ca329fdadb93b0ac77aafdeb7e98ffb
RedLineStealer
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
RedLineStealer
3edb9c1cbc84959696a940c97d4387d05ceceda1fdc858954a5aa23127b84454
RedLineStealer
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
RedLineStealer
5270945de8fd0a548e710e4f2464679eda78b06626711bc8359939a68c277b19
RedLineStealer
62b6f858e363c0fc99260b004d1ce9a5d01162c05d822cc841bea375b8b995dc
RedLineStealer
bfbf00babd2e290c90e2b17596a15d5f52fca7c43ad8d4691c7c4573d50615b0
RedLineStealer
c193ae4556f2564f1fc6d66cbf1d977f1b3978043711473ae229f2f1fc9ae63b
RedLineStealer
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
RedLineStealer
f622168b67cac524b1294aea29ddb1791909bb5304ec0c20bb94828e62690452
RedLineStealer
+ 12'042 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:shakur discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221225-b1tmaaeb3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
31.41.244.198:4083
Unpacked files
SH256 hash:
10d89dc018c4f68c4de429d05553643fe51c13ead82dd5ffe77ca6ce3da0bb04
MD5 hash:
57e2dc37dcb1345f2eb161a54cec3e83
SHA1 hash:
f32b2dc4905b6f0bf9bf28376b58773ca6c79852
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6fe21bdd-6c61-48ed-accd-6096a4eda980/
Parent samples :
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
ca8b74d4dc1ff0b5876a702b0ac9450854ed7219cf968c94dd02d7713c8489e5
8b0ac449b6ad803b6141bf9807c0178b22e83e48028a5a64dff6c5c5be3a8ff9
80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
114bc4570edf3732d88f11383a7fbe4eb8a92417193f9d098ba095a86b5a60aa
46e8f1e77e132152528af8fea7bc9fe5d08df40b4222d6e91f61cfc0866e73e8
0edbf92ba8990787fa99d173c29e093b379f258ad5a4b3804ffeb5b9e3b2d559
a2a4eb343f2232af93c5efd694668f7b643593c8cc312e6ce81d7e90f5a61a5e
e56e9ab8b567b715b48f14a6c2cb425da1aa3b9df482264c37cd4000bdad99bc
SH256 hash:
05eec1edd8275b5826ba33d3a0972036ab3ebf1498b60db3caaf5680adeddef4
MD5 hash:
9502ded7672e6f0355333a2740b54da0
SHA1 hash:
39e1855154819ddf048ebfc7ead1a071392ac0b4
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6fe21bdd-6c61-48ed-accd-6096a4eda980/
Parent samples :
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
114bc4570edf3732d88f11383a7fbe4eb8a92417193f9d098ba095a86b5a60aa
SH256 hash:
cd762a88c2abde591ec9d8a08b0d5d294d942a28085c88b47711e3650560a855
MD5 hash:
b32321503e273118774201c42a5b185f
SHA1 hash:
1d08f10d5f775a53a4b6d8f6a5547af1a279a002
Link:
https://www.unpac.me/results/6fe21bdd-6c61-48ed-accd-6096a4eda980/
SH256 hash:
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
MD5 hash:
300bbb0fc654ceee4f3a0af50a51bf39
SHA1 hash:
8bbfb00a35b4ca7a0e85384565cc0022930ddaa4
Link:
https://www.unpac.me/results/6fe21bdd-6c61-48ed-accd-6096a4eda980/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/41f7de00c520/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2485583/

Comments


Avatar
zbet commented on 2022-12-25 01:36:30 UTC

url : hxxp://31.41.244.173/most/slova.exe