MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4504edc238585aa073245edcae6a65a84d5d067ec58edfd56324d9b4c1e610a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments 1

SHA256 hash:	4504edc238585aa073245edcae6a65a84d5d067ec58edfd56324d9b4c1e610a3
SHA3-384 hash:	446c852976d93a0d29fcd765ee27c404f28f5c2c9ac65796fb8209b26d888c373726c2a408f6762e3f14d86935de35f5
SHA1 hash:	2f9b5899b011e9f1ce2d8b7e9191356bf7735659
MD5 hash:	148fab089c36dcbd7cc58e0bdba881e4
humanhash:	white-tennis-cold-sad
File name:	148fab089c36dcbd7cc58e0bdba881e4
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	120'040 bytes
First seen:	2021-09-14 22:21:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	1536:NteNrEbYfZZg3cIKY1NApXjbuROdHnhuyq/d/+FdbknEeG6qTaoigkeP:PeV581NAp/jHnYyOd/CkEzUeP
Threatray	1'650 similar samples on MalwareBazaar
TLSH	T1B7C33A7523DC8B29EBFE1E75B070110047F4E18B5502EB5B9DC27CEB5E36B825A642E2
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://bit.ly/3g2uusq

Verdict:

Malicious activity

Analysis date:

2021-09-03 09:04:39 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/a7273efb-dc2c-450c-8358-2603c8e95fff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/187928/

Detection(s):

Win.Packed.Bulz-9883367-0

Win.Packed.Generickdz-9885340-0

Win.Packed.Bulz-9888336-0

Win.Packed.Bulz-9891195-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Connection attempt

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated

Link:

https://www.filescan.io/uploads/61751262a9d585e6d5370e53/reports/97178ec7-bc2e-4151-97dc-4aaa1a1244d7/overview

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8b9ee191-6e7d-420d-8e28-4fb5d8865bf3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/850996

Signature

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4504edc238585aa073245edcae6a65a84d5d067ec58edfd56324d9b4c1e610a3/

Threat name:

ByteCode-MSIL.Trojan.RelineStealer

Status:

Malicious

First seen:

2021-09-03 19:50:03 UTC

AV detection:

31 of 45 (68.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iuco3qrylbnka4zel3ok42tfvbgv2bt6ywhn7vldetm3jqpgccrq._file

Verdict:

malicious

RedLineStealer

11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41

RedLineStealer

1d8d875f0e1da3d678c0074a063d9d06d1c097e0ca986579f76b0df2c64ce93d

RedLineStealer

211c5e542a39bd580d591ee281d719abc67a1b9313e5eecaa904d41dc2cb9d45

RedLineStealer

2db5b8398fe40439d40336311f84437499781d8659a4557b76ff7db71fa4e05e

RedLineStealer

3dbe8ea1016c5cb64f67f85894ea4a82c99f4b3658f12ae021d29fa5399939b0

RedLineStealer

5d124c343ca289f13081d3b447859ef55da2562c3ae650e984995f68c26b1a97

RedLineStealer

7c78dc5ccbdff7e949fed9b04fcfd5a3b312f0fe950441094d77e8bdbf393491

RedLineStealer

7d6bc9c488ef81546e89c929a34e3d067ff083599c80edad38987fd0771cfe4a

RedLineStealer

e95005fd5b5d80158be2c72eb1a7491674394cd2b2f48c243d930467f1b93372

RedLineStealer

+ 1'640 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@easyragu

Link:

https://tria.ge/reports/210914-198j8sbdcn/

Malware Config

C2 Extraction:

45.12.212.223:18670

Unpacked files

SH256 hash:

4504edc238585aa073245edcae6a65a84d5d067ec58edfd56324d9b4c1e610a3

MD5 hash:

148fab089c36dcbd7cc58e0bdba881e4

SHA1 hash:

2f9b5899b011e9f1ce2d8b7e9191356bf7735659

Link:

https://www.unpac.me/results/fcc5ddae-c658-4be4-bb76-f174f07fd554/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/4504edc238585aa073245edcae6a65a84d5d067ec58edfd56324d9b4c1e610a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)