MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4259c9dfcdac32e6edae7a69bfda89d02b388e38ca5006a66935dd898b9d3fe8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	4259c9dfcdac32e6edae7a69bfda89d02b388e38ca5006a66935dd898b9d3fe8
SHA3-384 hash:	78544fbd214150dad81f021b51dfc764e13fad010d6e1ed117e305f61626d3db2bc00e9c77067def80a86ea9fcca6598
SHA1 hash:	7e8499f027090577aab73f85430a3093177dcafd
MD5 hash:	ebdafa655e0b31f588542f05ca6f2cb7
humanhash:	red-juliet-november-sixteen
File name:	CapellineUnhygienic.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	478'432 bytes
First seen:	2022-03-27 20:11:46 UTC
Last seen:	2024-07-24 13:34:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:3v3xqxRmlvA6wUE8A7F/poPvWnsQOexzq/egn8A7+B+go/tDGBbmLPgQ9kwV:BF75RA7F/pI4s2he8m+B/kDGsLoYk8
Threatray	6'027 similar samples on MalwareBazaar
TLSH	T138A49D6A73D88E85D5A918BEE0E6C544C7C2EB592372E74CEA3B01572F473A04C4D3E6
Reporter	adm1n_usa32
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	Sauna
Issuer:	Sauna
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-02-14T21:00:00Z
Valid to:	2032-02-21T21:00:00Z
Serial number:	1802c2fe19b8cbb94fecd61439a4abae
Thumbprint Algorithm:	SHA256
Thumbprint:	39498c395033b74b4179ff88967dcc5f94cd49178fcd518390353fdd9b3d97cf
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

CapellineUnhygienic.exe

Verdict:

Malicious activity

Analysis date:

2022-03-27 20:10:35 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/474201f2-f770-47ec-9b93-ebe701eda0b0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/258229/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.39132213.9281.8498.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated overlay packed replace.exe

Link:

https://www.filescan.io/uploads/6240c5179253b276b7876c16/reports/6b4b7405-b8a7-4ab6-a605-115b03bd6b8c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4d0620a5-1a8f-4163-b0db-c7a0a691b068

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/965374

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4259c9dfcdac32e6edae7a69bfda89d02b388e38ca5006a66935dd898b9d3fe8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-22 15:07:18 UTC

File Type:

PE (.Net Exe)

AV detection:

35 of 42 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ijm4tx6nvqzon3nopju37wuj2avtrdryzjianjtjgxoytc45h7ua._file

Verdict:

malicious

RedLineStealer

5b34de75d10924062f34a47f8fffc461caf4e5fa24c0d3586fa34639c44646bb

RedLineStealer

6b737843eebb48068a3ef0bce32560eb1bb8b1db1ed2cd7018c8742b099ace17

RedLineStealer

7e6b77eacaebc148af0d1c6c670f26ced4a5f735b54a2d84a573c6a3e1c91cc8

RedLineStealer

b63ab3c3d30931c5c5297641b70cd011151334a03151287e57d7b6d7a32ba457

RedLineStealer

bef679a7a5813bf427d09590de7d2f483f8607c44172738aaee3760262eb29a8

RedLineStealer

+ 6'017 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:build21.02 infostealer

Link:

https://tria.ge/reports/220327-yytktscdh9/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Malware Config

C2 Extraction:

risatiumatu.xyz:80

Unpacked files

SH256 hash:

9253b4c0c233b4ee2f51d869ecd3dc384f09c3a7156c03b74f84f9c8e0ea49ac

MD5 hash:

c7ce8661e9cafb5cb2571a211f06eefe

SHA1 hash:

73da1e158804bb26714c44afd8fa5d4ec727e63c

Link:

https://www.unpac.me/results/5c249e0a-a560-439e-968b-5e371ff58973/

SH256 hash:

4259c9dfcdac32e6edae7a69bfda89d02b388e38ca5006a66935dd898b9d3fe8

MD5 hash:

ebdafa655e0b31f588542f05ca6f2cb7

SHA1 hash:

7e8499f027090577aab73f85430a3093177dcafd

Link:

https://www.unpac.me/results/5c249e0a-a560-439e-968b-5e371ff58973/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4259c9dfcdac32e6edae7a69bfda89d02b388e38ca5006a66935dd898b9d3fe8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/474201f2-f770-47ec-9b93-ebe701eda0b0

Cape

https://www.capesandbox.com/analysis/258229/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample