MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4779988f265d9fcdc5ce077d8e9e409b9b53c12218f31364d79fe1b4ed224cfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 11 File information Comments

SHA256 hash:	4779988f265d9fcdc5ce077d8e9e409b9b53c12218f31364d79fe1b4ed224cfa
SHA3-384 hash:	b92fdc6318ca7ed225696861a8adb6a44bcf80a465e49481e305f7da8761bb6e8d48008810c8fef33ebeb08e433f2f4f
SHA1 hash:	ad7f86e7b12db7d4a0eb2ff864777c3aadd7c9c0
MD5 hash:	648fc5de0cb766748a4b3c8b85ffbba4
humanhash:	ack-robert-quiet-indigo
File name:	4779988F265D9FCDC5CE077D8E9E409B9B53C12218F31.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	392'106 bytes
First seen:	2024-01-20 17:20:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0ae9e38912ff6bd742a1b9e5c003576a (10 x DCRat, 7 x RedLineStealer, 4 x AsyncRAT)
ssdeep	6144:ziubWrNSOetO6cprlQAOWizGLIoSdqmb0Q7NZah923+BIdSu3:eubsNSOetfARQAPyGUYmb04ZWg3+BLS
TLSH	T18B84E103BAC185B2D46324331A266F51E57DBD301F658ADBD3C449ADEE321D0A732BA7
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	cc64b4b06464cccc (2 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
5.75.209.145:443

Intelligence

File Origin

# of uploads :

# of downloads :

384

Origin country :

Vendor Threat Intelligence

Detection:

MetaStealer

Link:

https://www.capesandbox.com/analysis/471883/

Detection(s):

Win.Dropper.njRAT-9986242-0

Win.Dropper.Nanocore-9986456-0

Win.Malware.Bladabindi-10008357-0

Win.Packed.Bladabindi-10017056-0

Win.Malware.Zenpak-10017873-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Program Files subdirectories

Creating a process from a recently created file

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm fingerprint installer lolbin njrat overlay packed setupapi sfx shdocvw shell32

Link:

https://www.filescan.io/uploads/65ac00ff68f6c896b6d3d34b/reports/f92465e4-9a99-4aee-a223-59bf58ed0890/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4779988f265d9fcdc5ce077d8e9e409b9b53c12218f31364d79fe1b4ed224cfa

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

WeeLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ffcef516-5b63-4d54-aa49-0fcbc7ddd95e

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4779988f265d9fcdc5ce077d8e9e409b9b53c12218f31364d79fe1b4ed224cfa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4779988f265d9fcdc5ce077d8e9e409b9b53c12218f31364d79fe1b4ed224cfa/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-11-21 00:42:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 38 (81.58%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=i54zrdzglwp43rooa56y5hsatonvhqjcddzrgzgxt7q3j3jcjt5a._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:6077866846 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/240120-vwzghsdfam/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

https://pastebin.com/raw/NgsUAPya

Unpacked files

SH256 hash:

7400c251ea9a157e5a99cebe1c68043b7b72ccea1a2218d0fea621132ab21f91

MD5 hash:

cc42b696f06d4a695fc0e5b3664b8f4e

SHA1 hash:

b8496398cf85966c5965dc02a06b20d0b615154c

Detections:

redline

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/509913af-b3d9-41e7-b13a-9be0ba5ddb34/

Parent samples :

b0ced9f723960ba2689be522dcae0d65e42252fa830fa27ca90effd46820d856
20f5112314033bc2cd42337ef85390363777bbfb22eab40d7fa934ce34bf71cf
4779988f265d9fcdc5ce077d8e9e409b9b53c12218f31364d79fe1b4ed224cfa

SH256 hash:

0c13814659ecbaac5c8ab219b55f103fa167bbd6fb5f0a01e1c3ac107a9ea3bf

MD5 hash:

370777a674f35598cb7c7d22f803e417

SHA1 hash:

72df232b6a9b41406dae59cff06236d2e6d2176b

Link:

https://www.unpac.me/results/509913af-b3d9-41e7-b13a-9be0ba5ddb34/

SH256 hash:

078e1c5ff3f387368335c1df15328e6092c6794b0fbd2ca1d742e5333e5746ae

MD5 hash:

b0185c881233f27eb52283cd1eb3d3b2

SHA1 hash:

e97f4a4f046b5308912a65cafbd96b7e7ed71ea8

Link:

https://www.unpac.me/results/509913af-b3d9-41e7-b13a-9be0ba5ddb34/

SH256 hash:

4779988f265d9fcdc5ce077d8e9e409b9b53c12218f31364d79fe1b4ed224cfa

MD5 hash:

648fc5de0cb766748a4b3c8b85ffbba4

SHA1 hash:

ad7f86e7b12db7d4a0eb2ff864777c3aadd7c9c0

Link:

https://www.unpac.me/results/509913af-b3d9-41e7-b13a-9be0ba5ddb34/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4779988f265d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_MetaStealer Create hunting rule
Author:	ditekSHen
Description:	Detects MetaStealer infostealer

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Generic_Threat_b1f6f662 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/471883/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample