MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
SHA3-384 hash: 74190bf9afca4ce23b453ec8902b8c715990d5e28b04377a882f1847b34684d54233fea06c1953d7ed90c0ab6fb3eedd
SHA1 hash: aee0095eda93e3f1ecaf816e77e9031b8a20fd4d
MD5 hash: e4f8f0a91c597b50889f5cc55394efd0
humanhash: single-indigo-three-cat
File name:e4f8f0a91c597b50889f5cc55394efd0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:356'352 bytes
First seen:2023-07-23 18:20:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ce2e56297aa247080650722507bc95b (5 x RedLineStealer, 1 x Amadey)
ssdeep 6144:R20gvpJjSqh3wn5PCLFGJ5MiFPLCcMRyOB6Bwnvh:U08PjS2Ep3lFlMRPQBcvh
Threatray 174 similar samples on MalwareBazaar
TLSH T1E674E02136D1D072D0A786315530C2A16F7FB9A26B7985CB33A81B3E5E703C19F7A396
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70d0d5c0d2d5d2dd (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
149.202.8.114:26642

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
e4f8f0a91c597b50889f5cc55394efd0.exe
Verdict:
Malicious activity
Analysis date:
2023-07-23 18:20:34 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/9b5ed189-5bb9-4859-ac8b-e47bd4fecf3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430078/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.16770.3820.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a TCP request to an infection source
Stealing user critical data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a651a236-fa07-4088-b4ef-326a881acff0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277922
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule binary from dotnet directory
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277922 Sample: Bcy39r6FZO.exe Startdate: 23/07/2023 Architecture: WINDOWS Score: 100 87 Snort IDS alert for network traffic 2->87 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 8 other signatures 2->93 9 Bcy39r6FZO.exe 15 7 2->9         started        14 AppLaunch.exe 2->14         started        16 MTA1.exe 2->16         started        18 2 other processes 2->18 process3 dnsIp4 69 149.202.8.114, 26642, 49697, 49702 OVHFR France 9->69 71 transfer.sh 144.76.136.153, 443, 49698, 49699 HETZNER-ASDE Germany 9->71 59 C:\Users\user\AppData\Local\Temp\cl.exe, PE32 9->59 dropped 61 C:\Users\user\AppData\Local\Temp\cc.exe, PE32 9->61 dropped 63 C:\Users\user\AppData\...\Bcy39r6FZO.exe.log, ASCII 9->63 dropped 105 Detected unpacking (changes PE section rights) 9->105 107 Detected unpacking (overwrites its own PE header) 9->107 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->109 111 2 other signatures 9->111 20 cl.exe 1 9->20         started        23 cc.exe 14 68 9->23         started        file5 signatures6 process7 dnsIp8 95 Writes to foreign memory regions 20->95 97 Allocates memory in foreign processes 20->97 99 Injects a PE file into a foreign processes 20->99 27 AppLaunch.exe 2 28 20->27         started        32 WerFault.exe 24 9 20->32         started        34 conhost.exe 20->34         started        67 127.0.0.1 unknown unknown 23->67 57 C:\Users\user\AppData\...\DownloadMetadata, PDP-11 23->57 dropped 101 Machine Learning detection for dropped file 23->101 103 Tries to harvest and steal browser information (history, passwords, etc) 23->103 36 chrome.exe 23->36         started        file9 signatures10 process11 dnsIp12 73 ip-api.com 208.95.112.1, 49701, 80 TUT-ASUS United States 27->73 75 185.159.129.168, 80 ITOS-ASRU Russian Federation 27->75 79 4 other IPs or domains 27->79 65 C:\ProgramData\...\MTA1.exe, PE32 27->65 dropped 113 Suspicious powershell command line found 27->113 115 Creates an autostart registry key pointing to binary in C:\Windows 27->115 117 Uses schtasks.exe or at.exe to add and modify task schedules 27->117 119 Adds a directory exclusion to Windows Defender 27->119 38 powershell.exe 27->38         started        40 schtasks.exe 27->40         started        42 powershell.exe 27->42         started        44 schtasks.exe 27->44         started        77 192.168.2.1 unknown unknown 36->77 46 chrome.exe 36->46         started        file13 signatures14 process15 dnsIp16 49 conhost.exe 38->49         started        51 conhost.exe 40->51         started        53 conhost.exe 42->53         started        55 conhost.exe 44->55         started        81 www.google.com 172.217.168.4, 443, 49717, 49718 GOOGLEUS United States 46->81 83 play.google.com 172.217.168.46, 443, 49726, 49727 GOOGLEUS United States 46->83 85 5 other IPs or domains 46->85 process17
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2023-07-23 17:56:01 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=il2wt7vz236hkymvhgmsrcvweqo5ras4dkn2fz7sndk7i7dbfwua._file
Verdict:
malicious
Similar samples:
0053d1419ec04041f1603063f4e7c0a6a370025de08a0bb69897cd6c757f1bb0
RedLineStealer
11878766a2a00d5bbc7774f4697c78d29fbd54293ca264eabf208691f85bbd14
RedLineStealer
3165f664c4c755bd9715a7f004b98f1990a2055aa1ca4ab8ea75bf2d7730dfcc
RedLineStealer
64365156896ff3b41790a7b0dd38bf1efb985a4e5e35135883b34ea69a85b508
RedLineStealer
7518f251ed3872355b637119033fd40e900fdfcd2955425f243951f40279bcfd
RedLineStealer
75f9db664373b1e957799e65139d1468c7cc7f39ce171c100b875d886cda0690
RedLineStealer
7ed395afebf774d7e1e0ce47b88445afc2a8b9811c94553f6923ba4496ce9962
RedLineStealer
8a9e291a57a70f07a7d3b0aee7f05b8268a5af104b1bbafa571d8d662fcd66b0
RedLineStealer
e4bb056a390bf88d2e2b2f578b5a4cbb6b4eb9d19a8f7998642bd46585bd99ec
RedLineStealer
e8d7197a7c6ba760b398ebe50fb5ca8770e454fca9da731438eb329b8db56c3d
RedLineStealer
+ 164 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/230723-wzbejagc5y/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
149.202.8.114:26642
Unpacked files
SH256 hash:
1161f2aaede4428d7c5ad55c68d14531c7459a2a946e9b946553027db4087b9e
MD5 hash:
5b9e910f14c9664c591d075ccfdda0c3
SHA1 hash:
dbbbe03ec1f8b19d8ae3c39912c7cc07d35c0fe3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/85e59d1d-6596-4eb8-8841-2d41fc0fca96/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
cbb2b3d88f8407ad3533d49d83ee97450a946073cbf9eface7bf8a0aba6a2977
MD5 hash:
1170152a8e1dc3e4b9c38d8146362e81
SHA1 hash:
d1a14beb19d4242e9237c59d5b5d85a3c2c70aa1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/85e59d1d-6596-4eb8-8841-2d41fc0fca96/
Parent samples :
76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
de29dab2172b40d8d48cdc9eb25fde26061d967233458f5868177b50c9e65f4b
07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
01fff06ce60d4c145adad197c4de54435d775e15cefb00ad0329842dafd241ef
71a8ad79ae5c79f96835207df1aa8b717106032e8ad4fc40487e97cb992117a6
d729259da24021bd2ae9efbf7a9951febfc2ce0ffda9222c27c0e28c59198713
e1d8649ed45d3487ed75f3b56fc06e63a409162c528eaf378bff7c294b7e7bfb
SH256 hash:
ae08b6ce7cdd04919c987c48a8e1fd11316e15f8071c063e8060251ba49e092e
MD5 hash:
b9ac7ada76639bf533b86fc0ae86597c
SHA1 hash:
74ce4a5df518a85c44d5d51fd3213fd6da36940d
Link:
https://www.unpac.me/results/85e59d1d-6596-4eb8-8841-2d41fc0fca96/
SH256 hash:
ef904719bce27fd4ef1e3221cb658a1ba93f7fafccc16d6e0ffb00a1bfb399e9
MD5 hash:
3c81ebdb4f2dc1f98485343dfeaedce5
SHA1 hash:
0ce97f6e8d3cdac8b68329d57b4d16873d6ed167
Link:
https://www.unpac.me/results/85e59d1d-6596-4eb8-8841-2d41fc0fca96/
SH256 hash:
42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8
MD5 hash:
e4f8f0a91c597b50889f5cc55394efd0
SHA1 hash:
aee0095eda93e3f1ecaf816e77e9031b8a20fd4d
Link:
https://www.unpac.me/results/85e59d1d-6596-4eb8-8841-2d41fc0fca96/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/42f569feb9d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 42f569feb9d6fc7561953999288ab6241dd8825c1a9ba2e7f268d5f47c612da8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2687902/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/430078/
  
URLhaus
https://urlhaus.abuse.ch/url/2688463/

Comments