MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f
SHA3-384 hash: 2d10c249925f376de546db0ad9409e86c022d483a7a05b5fc68b9a3f92c99669b6f16524e56d7afe3c8c692d800990dd
SHA1 hash: f42105d23c169e4e0078166ef337e1bc5113ada2
MD5 hash: ea5544ac85f018a31087e04f1ab50718
humanhash: high-venus-triple-pennsylvania
File name:4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:918'528 bytes
First seen:2025-02-07 14:05:13 UTC
Last seen:2025-02-07 14:40:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:t1q4E6mfJiLl9LWcbQkpClSCFCGCxj1opLtc0+jcnloECEvR58JEAeJOj2WB6:hEkD5pClDFAjOL207nPt7dDwqWB
TLSH T1D115F150B256DC46E4A757B02879E7F013619ECED021D30B6AEA7EBFB873342241674B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 79e4e4ccccc4c4c0 (11 x Formbook, 9 x RedLineStealer, 3 x AgentTesla)
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f
Verdict:
Malicious activity
Analysis date:
2025-02-07 15:02:39 UTC
Tags:
netreactor redline
Link:
https://app.any.run/tasks/fabaaf52-4fd1-4b6f-808d-2238b787016d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3175.11535.24968.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a613e6dbfc8aaee8cd79b5
Tags:
redline agensla micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c97ba91-dcc7-4922-98d6-e9d9724b6911
Result
Threat name:
PureLog Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1609267
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1609267 Sample: YUhmJtkU42.exe Startdate: 07/02/2025 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 11 other signatures 2->57 7 YUhmJtkU42.exe 7 2->7         started        11 zCYDPGbtBCon.exe 5 2->11         started        process3 file4 41 C:\Users\user\AppData\...\zCYDPGbtBCon.exe, PE32 7->41 dropped 43 C:\Users\...\zCYDPGbtBCon.exe:Zone.Identifier, ASCII 7->43 dropped 45 C:\Users\user\AppData\Local\...\tmpC18C.tmp, XML 7->45 dropped 47 C:\Users\user\AppData\...\YUhmJtkU42.exe.log, ASCII 7->47 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 63 Injects a PE file into a foreign processes 7->63 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 YUhmJtkU42.exe 2 7->18         started        27 2 other processes 7->27 65 Antivirus detection for dropped file 11->65 67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 21 schtasks.exe 11->21         started        23 zCYDPGbtBCon.exe 11->23         started        25 zCYDPGbtBCon.exe 11->25         started        29 2 other processes 11->29 signatures5 process6 dnsIp7 71 Loading BitLocker PowerShell Module 13->71 31 conhost.exe 13->31         started        33 WmiPrvSE.exe 13->33         started        35 conhost.exe 16->35         started        49 87.120.120.22, 1912, 49782, 49827 UNACS-AS-BG8000BurgasBG Bulgaria 18->49 37 conhost.exe 21->37         started        39 conhost.exe 27->39         started        signatures8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-02-06 17:15:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2l6o5bilj5rmjfseqgp6ijkufvftki3yhjzpzk3lzfr6hku5fpq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:bot discovery execution infostealer
Link:
https://tria.ge/reports/250207-rd746atlby/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
87.120.120.22:1912
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c09ea303-25da-4dda-b564-4d106f0aa10c
Unpacked files
SH256 hash:
7a0129bf5ef6d3531d6b491a8eac81133a3ea398c1480c544d4b1a0bcc7aed74
MD5 hash:
bc2697ee5c82c5ed6e64e6ed9de5ff41
SHA1 hash:
1d76627e02fee61c1a6d2c29d92396bf55ba6bbc
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/52f6f64f-0b43-4c9e-b3b0-14301f36922d/
SH256 hash:
168b6065d141a70c80f8c09204fd7252eb104de2e450599fc5896c1439322f6e
MD5 hash:
96858749c6f54f23560dc6a5aef2c32b
SHA1 hash:
861a04be243f05efe28e6d5dd5409ed56ff64476
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/52f6f64f-0b43-4c9e-b3b0-14301f36922d/
Parent samples :
6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786
ea2305b81698e84ea423f196cbea17b3eddc98c57d5f53342f5ba82fb5ea3856
8515cd8f15f1b16373993dfb77427a0fe071abb0384f9bfe55f14adc4ff5d30a
cbae135ce99b7218f36189a750bca0868612e0c2ba0ab5fed90a32bc123d989d
87c6bd3556e570f5c0acb04c5286da5b222d6f4e2105827ccde74e4123ee55aa
67cc97b2f5e9d35039589c92c7f6fda7831af0f259ddf248fb166664e4027b91
24777f80f39fba9da6a66bb0804bd3c3a510126f583eefb8918e24fa5fdeb69b
c024729558cdf11515cc4024d0f3118d8313a86c68d48846376c55b8ec97c0e4
3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53
9604ee9c0cf521a022d9726b2e1dd82e6b3813d2ade567430b39a2fd9545063b
1787fd4fd81dca24ca10625e93d43168eea906184da17183ba53a306856c0f28
31a2ec31c4722d3011b75595c76e677aba7e5bc164c667d709943893ebea4f97
31dd67c25cb99830d6df7e63abee058598eed026076acd4a659fed12fd8647ef
4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f
SH256 hash:
2e8a7dd6d7faf24ddd19852ad25c2da3c8b8301f32ec841cd54284015412f07f
MD5 hash:
ae7d38c71e91d9bd06ef0d5e4153e5d1
SHA1 hash:
c54746e1e70454fea705ab15ea704073e2779044
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/52f6f64f-0b43-4c9e-b3b0-14301f36922d/
Parent samples :
6439c8e94bd2398ad15bd8cbf86a9ca9528cecf77506357e894a359880282724
27ba4999fcfef817e77c5a6ce9a47ad6215b4354fd9dab300ba841d74b294bc9
4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f
d69d30a1dfb0f5b9a548223a918083ca73ea89a8f104bdc2288cbbd4668da059
SH256 hash:
4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f
MD5 hash:
ea5544ac85f018a31087e04f1ab50718
SHA1 hash:
f42105d23c169e4e0078166ef337e1bc5113ada2
Link:
https://www.unpac.me/results/52f6f64f-0b43-4c9e-b3b0-14301f36922d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments