MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4491bb41f0c1b41f17964834db747576ef873f9d1a999e2b78f39e7798281ee4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	4491bb41f0c1b41f17964834db747576ef873f9d1a999e2b78f39e7798281ee4
SHA3-384 hash:	29d4ba8e943ef1d0181c76b812ca8a40ddb6a1741c3b5882a1baeb93d6ad188b71de373b3bc54c2e65bd76df5c112788
SHA1 hash:	60787509e780060884d933e63fc7735feac34355
MD5 hash:	30775311df94dbded4bd30cbed10fff6
humanhash:	quebec-fruit-yankee-cola
File name:	4491bb41f0c1b41f17964834db747576ef873f9d1a999e2b78f39e7798281ee4
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'295'416 bytes
First seen:	2022-05-20 06:54:58 UTC
Last seen:	2022-05-20 07:59:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	06a834e3824803366fcfecb5c9777295 (3 x RedLineStealer, 3 x ArkeiStealer, 1 x Gozi)
ssdeep	24576:2LwDqarmeEDl3npnL7p695pLC/hcjECxOnFsYP:8eolfWXjZiGYP
TLSH	T1485502016B704875F5A2377CCFFAD670AB3AB9D8F76060C720C81BA61916389ADB5335
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	82a4ceee8c9aa600 (1 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe exxon-com RedLineStealer signed

Code Signing Certificate

Organisation:	exxon.com
Issuer:	GeoTrust RSA CA 2018
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-12-30T00:00:00Z
Valid to:	2022-09-02T23:59:59Z
Serial number:	0a2787fbb4627c91611573e323584113
Intelligence:	18 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	584818af0f69bbcc595d9302f20fcd54fa96b3f70544506cac7a011f09c0a99b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

4491bb41f0c1b41f17964834db747576ef873f9d1a999e2b78f39e7798281ee4

Verdict:

Malicious activity

Analysis date:

2022-05-20 07:45:55 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/bb3a535a-04f3-4c1f-b8f9-8701b05d95a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/272867/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.50300488.20353.19115.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Launching a process

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19122/overview

Behaviour

MalwareBazaar

MeasuringTime

CallSleep

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/62873b5c6eb3ff3263147765/reports/23eb0202-d159-4a93-bb30-93a273c4907e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eb4bb78f-8c35-4c12-83b1-f95216377b8b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998326

Signature

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus detection for dropped file

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4491bb41f0c1b41f17964834db747576ef873f9d1a999e2b78f39e7798281ee4/

Threat name:

Win32.Trojan.RelineStealer

Status:

Malicious

First seen:

2022-05-16 23:29:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=isi3wqpqyg2b6f4wja2nw5dvo3xyop45dkmz4k3y6ophpgbid3sa._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:watercloud infostealer spyware suricata

Link:

https://tria.ge/reports/220520-hpsdeahfhr/

Behaviour

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

65.21.213.209:32936

Unpacked files

SH256 hash:

98ef8dcb1113bc04d7197d13caf2c994bc5d4c41242e7c62fc7420de2692e6de

MD5 hash:

38d62234f411f56336058ef2c76739bb

SHA1 hash:

26ad952b0106874916d6da1b078d87207711225d

Link:

https://www.unpac.me/results/b385882d-f5fa-487c-bd06-ec99b98f7bae/

SH256 hash:

ac5d3002722e2ba4f48f33ab59aec234537c0fdce2c2318ea5b7cf8ea8ca517f

MD5 hash:

39062d8aa1564beb0d1f0f718fc1f290

SHA1 hash:

01b6aa877cadea9946b2a46803ac84340164c1ae

Link:

https://www.unpac.me/results/b385882d-f5fa-487c-bd06-ec99b98f7bae/

SH256 hash:

f1f4513460f8509bc57d31533e86aa665dbd6c9ecf1d86ff257e38ea01bf606c

MD5 hash:

615d4b44175625b45336537390c41f76

SHA1 hash:

cc3920a55ca197c07e088f1083658ce8fb01ffab

Link:

https://www.unpac.me/results/b385882d-f5fa-487c-bd06-ec99b98f7bae/

SH256 hash:

4491bb41f0c1b41f17964834db747576ef873f9d1a999e2b78f39e7798281ee4

MD5 hash:

30775311df94dbded4bd30cbed10fff6

SHA1 hash:

60787509e780060884d933e63fc7735feac34355

Link:

https://www.unpac.me/results/b385882d-f5fa-487c-bd06-ec99b98f7bae/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4491bb41f0c1b41f17964834db747576ef873f9d1a999e2b78f39e7798281ee4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/272867/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample