MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46ac20a6cb7d8111b8ca8e96d5c377833f3d7c663d48912c17584c7f5d3ca12e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46ac20a6cb7d8111b8ca8e96d5c377833f3d7c663d48912c17584c7f5d3ca12e
SHA3-384 hash: 4d121dac3b0826fb16c4b033108a80941e22559ec109001d91b59bc6ebdf5d36804f2b1fbd8a487296b99c94f74dfd1f
SHA1 hash: ccfcae1b80168a20f24c6b69092ae7d297dafcf8
MD5 hash: 4cb1bd6c9c4ae855db0f42acde4deb64
humanhash: florida-mexico-spaghetti-montana
File name:4cb1bd6c9c4ae855db0f42acde4deb64
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:485'968 bytes
First seen:2021-12-08 05:22:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b52113c8ee5e48709f9698367a9cbf6f (1 x RedLineStealer)
ssdeep 6144:SznwwwVeujkN+kSfbQf14XZEs3ZCbgfBr8ELlZzCNGqJAXhDcmnIaps6SFMIznoH:zeVskSfbQt42spZBr8ErHPnthoMIz8QE
Threatray 304 similar samples on MalwareBazaar
TLSH T102A4D1A17D320883D43B8BBDC421A78A88B8D05E711725BF71A876242C1E9DD9F4F57E
File icon (PE):PE icon
dhash icon f09cb8e0a086f070 (1 x ArkeiStealer, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:Logitech F-906 GAME Center Edition 2021
Issuer:Logitech F-906 GAME Center Edition 2021
Algorithm:sha1WithRSAEncryption
Valid from:2021-12-06T10:36:26Z
Valid to:2031-12-07T10:36:26Z
Serial number: 3fe4a004e7b65599401db38603b89033
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0585640f9a9bbd01b02105962547b51026ef0cfb17176f420f9e03df1433da5e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4cb1bd6c9c4ae855db0f42acde4deb64
Verdict:
Suspicious activity
Analysis date:
2021-12-08 05:26:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/175b603b-defe-4c78-b7fd-62233996a9db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/212341/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1283/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/61b04139fa72c81b5b112333/reports/0f15e0a0-c8ec-4e41-ac40-709847d7bc23/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/631cb1de-2208-47ef-9533-4219dbad38cc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/903629
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46ac20a6cb7d8111b8ca8e96d5c377833f3d7c663d48912c17584c7f5d3ca12e/
Threat name:
Win32.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-12-08 05:23:11 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
0d397ba8d82603972ec469c7f8f99688143597bab496a0686f6fef08b85e0b2e
RedLineStealer
146de084ff60046edb599a6f8ae1503aa2a7f39c550807e9af069c2e8c9ea34c
RedLineStealer
358c7a01868df7d423f3927b34289141148729063cf995afeafdb343752d6d12
RedLineStealer
5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0
RedLineStealer
646b7c888c54221556f191a77f9b3fc4a0c577d6dce5c32aba5c784cb1053f2c
RedLineStealer
cbc599190564686ce0a3b1f77fc2064664fbf2d5df6568975a41a32659216e00
RedLineStealer
f75bda07c2fc02d23c291e0894bdc72923fc6e0f6959e65a3922cb09ef1f1fda
RedLineStealer
f8daaa065a27508babcd8e898c3f1eda824531105cdcf07ceceee2fda53d5a5f
RedLineStealer
+ 294 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/211208-f25s6afgbk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
RedLine
RedLine Payload
Unpacked files
SH256 hash:
229db1870cbd4a30c1b0fb846c9500588f410ecde5e86db311d06cad48ef1bfd
MD5 hash:
c933ef4eedf56a0ec176f7815d2d99d3
SHA1 hash:
93397e27ddcd9c126302b3bdd44a4a68132320f0
Link:
https://www.unpac.me/results/3e8ad6ad-9201-42f1-be43-3f4221340558/
SH256 hash:
46ac20a6cb7d8111b8ca8e96d5c377833f3d7c663d48912c17584c7f5d3ca12e
MD5 hash:
4cb1bd6c9c4ae855db0f42acde4deb64
SHA1 hash:
ccfcae1b80168a20f24c6b69092ae7d297dafcf8
Link:
https://www.unpac.me/results/3e8ad6ad-9201-42f1-be43-3f4221340558/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.36
Link:
https://yomi.yoroi.company/submissions/46ac20a6cb7d8111b8ca8e96d5c377833f3d7c663d48912c17584c7f5d3ca12e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 46ac20a6cb7d8111b8ca8e96d5c377833f3d7c663d48912c17584c7f5d3ca12e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/212341/
  
URLhaus
https://urlhaus.abuse.ch/url/1864900/

Comments


Avatar
zbet commented on 2021-12-08 05:22:39 UTC

url : hxxp://unicupload.top/install3.exe