MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48ab5fd5fa205ebe4511fc65a7ec85529b67a45b0cbdc2c18008901e747dca7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 48ab5fd5fa205ebe4511fc65a7ec85529b67a45b0cbdc2c18008901e747dca7a
SHA3-384 hash: 87f0a5a9bc34f0a0d4f273d965c7bfbc475be486528347ffb5191b560a2ee406b0b53e60ca8c9ba6c6505e764879c568
SHA1 hash: 8824b9c3efcdad992bbae5631eafee5eaef7b5f1
MD5 hash: c66cbf8b3a2acf348b733aa5a0edcefd
humanhash: georgia-fruit-pluto-salami
File name: c66cbf8b3a2acf348b733aa5a0edcefd.exe
Signature: RedLineStealer
File size: 2'123'776 bytes
First seen: 2022-03-26 13:31:11 UTC
Last seen: 2024-07-24 13:50:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:o6G/sBRt12xyX1OXNymsveLxgfNR/EPm1BCwFh2afm:vQXN3svx1R/E03v
Threatray: 267 similar samples on MalwareBazaar
TLSH: T123A502E6F2EAB26EC1D612B010F0B5020CF0CD0A915BF7EF69B79495741A1746B1AB4F
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
140.82.12.244:60352

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 140.82.12.244:60352
ThreatFox Reference: https://threatfox.abuse.ch/ioc/454257/

Intelligence


File Origin
# of uploads: 3
# of downloads: 255
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Adding an access-denied ACE
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Unauthorized injection to a recently created process
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a window
Blocking the User Account Control
Adding exclusions to Windows Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to hide user accounts
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID: 597567; sample: loQp9z2mQi.exe; start date: 26/03/2022; architecture: WINDOWS; score: 100)
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected UAC Bypass using CMSTP; 7 other signatures
Contacted domain: api.ip.sb
Dropped file: C:\Users\user\AppData\...\loQp9z2mQi.exe.log (ASCII)
Process tree:
loQp9z2mQi.exe (Queries sensitive video device information via WMI, Win32_VideoController; Adds a directory exclusion to Windows Defender)
    loQp9z2mQi.exe (Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes)
        BackgroundTransferHost.exe (Queries sensitive video device information via WMI, Win32_VideoController)
            loQp9z2mQi.exe
        powershell.exe (x2) -> conhost.exe
        2 other processes -> conhost.exe
    powershell.exe (x3) -> conhost.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-03-22 02:36:48 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 19 of 42 (45.24%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:diablo discovery evasion infostealer spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
RedLine
RedLine Payload
UAC bypass
Windows security bypass
Malware Config
C2 Extraction: 140.82.12.244:60352
Unpacked files

SHA256 hash: e06e8e458e7ff3aeb501750aa895a5ad9c33c2b2c2fb758351d6c39f9064d564
MD5 hash: cb2f40b4bccad1f95d6d0690de338540
SHA1 hash: ff43784873467ba89ce8e18051144e91f37d033a

SHA256 hash: f136816128e047df465b41c0e040135368000dde3be91dffc4b2016b6d9c089c
MD5 hash: 466b612161d1181a091d53e18c1f11cb
SHA1 hash: e83544c206bc9ebd1152e96e6d1d72db6f7b98c1

SHA256 hash: 287425ab94addb5e9bac4cf02690c2e843a7745fe5e9d4b5d3c106451b79c8ad
MD5 hash: 0d9f0f27113e9aa4247be45956de4b56
SHA1 hash: caf02610dc2937b6f23e7a3ecff43aa30f9bf51b

SHA256 hash: 7aacf46881c873c792157c97ef63e6a359792fc146a4b26f6c8c44ff7658277e
MD5 hash: fca053871832911b299a831db77559d6
SHA1 hash: ffdf06c17acdfc2c1424a9e5464d300fef73d4b0

SHA256 hash: a58912b5627465682510676b04b5b142c6df37bca2cf574bdb605f310b5f429b
MD5 hash: 0aeff1d3705ea79067c24d1fbc8bf1bd
SHA1 hash: d3b610d9b7501924cea1b2c5b2b9b66745a6cab6

SHA256 hash: e1c8a49dc4a31b061118c63b95193aa7e55c4a0a028b710536b8bbfea25a86bf
MD5 hash: 333f179e25e415ecfddbae6908e81414
SHA1 hash: f6826af72f3c8b47969dfa60bf59ad9d0c8ab476

SHA256 hash: dceddb67630125d386bfb8f0510dfd070073453c70c9fa0093f667278c3c0c61
MD5 hash: e9e0aaf099cbd3db1aabb7fa2c549eb9
SHA1 hash: ce6c0b9a718cc10c4b2bd77eb2e4eaebe5af38b8

SHA256 hash: 70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash: 5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash: 0bc54fd699fff7b93e5c447a141c0d904924ab0d

SHA256 hash: 48ab5fd5fa205ebe4511fc65a7ec85529b67a45b0cbdc2c18008901e747dca7a
MD5 hash: c66cbf8b3a2acf348b733aa5a0edcefd
SHA1 hash: 8824b9c3efcdad992bbae5631eafee5eaef7b5f1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RedLine_a
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_new_bin
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments