MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42f0aeac9dc1845ff423f2df15d7f54e0e3b4f246cd385246e0bc6e731ec51fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12

SHA256 hash: 42f0aeac9dc1845ff423f2df15d7f54e0e3b4f246cd385246e0bc6e731ec51fd
SHA3-384 hash: 2092be79bdffc5fba5051e933c35be4e7b76c67607fd7aa86b6c336ecba4fa696770c58ba64d12cf2103e538cecaee93
SHA1 hash: b02ae0e6f61164523fbe6a0b876157eef188c31d
MD5 hash: 1564a91add56c3494b87db8231a811cf
humanhash: earth-march-equal-double
File name: Reptile_World_Launcher_x64.exe
Signature: RedLineStealer
File size: 6'842'880 bytes
First seen: 2022-11-14 17:03:40 UTC
Last seen: 2022-11-14 18:51:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 781469843ceff2b27db37f92b58beda5 (1 x RedLineStealer)
ssdeep: 196608:giIAVEh7UZSz7LI2bc8pmBxwc2krek/qI:MN2Z67nmL5qk/qI
TLSH: T16966336721192C41C0CC893A8537BEE571F2465BDF4098B479AEADC72B32DD5EB43E82
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 9685337262662e14 (1 x RedLineStealer)
Reporter: iamdeadlyz
Tags: exe RedLineStealer ReptileWorld


Iamdeadlyz
From reptile-world.net (impersonation of rchronicles.org)
RedLineStealer C&C: 77.73.134.13:3660
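The entry above gives four digests for the file and, in the reporter's comment, a C2 endpoint. As an added example (not code from MalwareBazaar, the reporter or the original page), the script below checks a local copy of a sample against those digests and hunts for the reported C2 in connection logs. The stand-in sample bytes and the firewall log lines are constructed for illustration, and the log format the regex expects is an assumption; the digest values and the C2 address are copied from the entry.

```python
"""Verify a local sample against a MalwareBazaar entry and hunt for its C2.

Added example; not part of MalwareBazaar or the page above. Sample bytes and
log lines are constructed, so the digest check against the real entry will
report mismatches unless you point hash_file() at the actual sample.
"""
import hashlib
import re

# Digests copied from the MalwareBazaar entry above.
ENTRY = {
    "md5": "1564a91add56c3494b87db8231a811cf",
    "sha1": "b02ae0e6f61164523fbe6a0b876157eef188c31d",
    "sha256": "42f0aeac9dc1845ff423f2df15d7f54e0e3b4f246cd385246e0bc6e731ec51fd",
    "sha3_384": "2092be79bdffc5fba5051e933c35be4e7b76c67607fd7aa86b6c336ecba4fa696770c58ba64d12cf2103e538cecaee93",
}
# C2 as reported in the uploader's comment on the entry.
C2_IP, C2_PORT = "77.73.134.13", 3660
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def hash_bytes(data: bytes) -> dict:
    """Return the four digests MalwareBazaar lists, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: str) -> dict:
    """Stream a file through all four hashers without reading it into memory."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def compare(observed: dict, entry: dict) -> dict:
    """Per-algorithm verdict: True when the observed digest equals the entry's.

    Comparison is case-insensitive because tools print hex in either case.
    """
    return {alg: observed[alg].lower() == entry[alg].lower() for alg in entry}


# Constructed firewall lines (not real logs). Only the second and fourth
# lines reach the reported C2 address on the reported port.
LOG_LINES = [
    "2022-11-14T17:05:01Z fw allow 10.0.0.5:51234 -> 93.184.216.34:443 tcp",
    "2022-11-14T17:05:09Z fw allow 10.0.0.5:51235 -> 77.73.134.13:3660 tcp",
    "2022-11-14T17:05:12Z fw allow 10.0.0.7:51236 -> 77.73.134.13:443 tcp",
    "2022-11-14T17:06:44Z fw deny 10.0.0.9:51237 -> 77.73.134.13:3660 tcp",
]

# Assumed line shape: "<ts> fw <action> <src_ip>:<port> -> <dst_ip>:<port> <proto>"
CONN_RE = re.compile(r"(\S+) fw (\w+) (\S+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def find_c2_hits(lines, c2_ip: str = C2_IP, c2_port: int = C2_PORT) -> list:
    """Return (timestamp, source_ip, action) for each connection to c2_ip:c2_port.

    Matching on the ip:port pair keeps unrelated services on the same address
    out of the result; widen to the IP alone if the operator rotates ports.
    A denied connection is still a hit: the host tried to reach the C2.
    """
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # lines in another format are skipped, not mis-parsed
        ts, action, src_ip, _src_port, dst_ip, dst_port = m.groups()
        if dst_ip == c2_ip and int(dst_port) == c2_port:
            hits.append((ts, src_ip, action))
    return hits


if __name__ == "__main__":
    stand_in = b"MZ" + b"\x00" * 62  # constructed stand-in, not the real sample
    print(compare(hash_bytes(stand_in), ENTRY))
    print(find_c2_hits(LOG_LINES))
```

For a real sample, call hash_file() on the downloaded file and feed the result to compare(); all four digests should agree with the entry before you trust any of the vendor verdicts below apply to the bytes you hold. The imphash, ssdeep and TLSH values on the entry need third-party libraries (pefile, ssdeep and tlsh respectively) and are left out here on purpose.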

Intelligence


File Origin
# of uploads: 2
# of downloads: 228
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: Reptile_World_Launcher_x64.exe
Verdict: Malicious activity
Analysis date: 2022-11-14 17:04:54 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Launching a process
  Sending a custom TCP request
  Unauthorized injection to a system process

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:

MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature:
  Allocates memory in foreign processes
  Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  Injects a PE file into a foreign processes
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  Overwrites code with unconditional jumps - possibly setting hooks in foreign process
  Snort IDS alert for network traffic
  Tries to detect virtualization through RDTSC time measurements
  Writes to foreign memory regions
Behaviour:
Threat name: ByteCode-MSIL.Infostealer.Reline
Status: Malicious
First seen: 2022-11-14 17:04:19 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 16 of 26 (61.54%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline infostealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  RedLine
  RedLine payload

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 42f0aeac9dc1845ff423f2df15d7f54e0e3b4f246cd385246e0bc6e731ec51fd
MD5 hash: 1564a91add56c3494b87db8231a811cf
SHA1 hash: b02ae0e6f61164523fbe6a0b876157eef188c31d

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256: 42f0aeac9dc1845ff423f2df15d7f54e0e3b4f246cd385246e0bc6e731ec51fd (this sample)