MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48d1341c3e8aee59f63bb0338b7132055b09a86927ad0e1192b406d09b004d18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments 1

SHA256 hash:	48d1341c3e8aee59f63bb0338b7132055b09a86927ad0e1192b406d09b004d18
SHA3-384 hash:	f25fa90cd555db4517dc4f26245e7f97d0ef4f6409a6b3b5e716b5f51d122c3765c7ecb5b97de97f805d8f3a0aab5e77
SHA1 hash:	cf4706513c6a62201c4cb91211d372dee66ac31b
MD5 hash:	6820ac8ce24304462c6c80e2314c0117
humanhash:	potato-march-apart-emma
File name:	6820ac8ce24304462c6c80e2314c0117
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	399'360 bytes
First seen:	2022-06-16 07:01:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12a660ec02c5f1f370d2b42a8031f3e8 (3 x RedLineStealer, 2 x Smoke Loader, 1 x GCleaner)
ssdeep	12288:2sM5Dvoya2AXY4X7RfoGZQc+CBth+HEu:+dsbdfo0pDfhd
TLSH	T1C384CF10BA90C034F5F712F459B68368B93E7AA1AB3460CF53E556EE5A746E0EC3131B
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	60f0f0c8cc8cd0e0 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/280535/

Detection(s):

Win.Packed.Generic-9952003-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/21566/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62aad5a9c07f2e38a14cd3e5/reports/6e3bab08-7c54-43ac-b9b6-3aee331479b7/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/63441307-395c-4432-9bf8-d6c3c4bfa3a8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1014311

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48d1341c3e8aee59f63bb0338b7132055b09a86927ad0e1192b406d09b004d18/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-06-16 07:02:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jditihb6rlxft5r3wazyw4jsavnqtkdje6wq4emswqdnbgyajuma._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:meta infostealer

Link:

https://tria.ge/reports/220616-htsvqsafh5/

Behaviour

Suspicious use of AdjustPrivilegeToken

RedLine

Malware Config

C2 Extraction:

193.106.191.245:23196

Unpacked files

SH256 hash:

08e75a9e3df8d212c34049ae749e270b7f2c2d922e7ddfbc4197813b963954b3

MD5 hash:

e8c9e9cc0036bc649232bc0e9634e6f7

SHA1 hash:

88f6b3d385ecdd2419367ab6511cfd612eb179ad

Link:

https://www.unpac.me/results/88acd063-529b-419b-89f6-aaaaf5d3a57a/

SH256 hash:

04dbfc9cb2909469fab0bed698c7e371c916ce9b7a9a9328c57d080925a05e57

MD5 hash:

89ce9c691eaf75639edd700b087dca8f

SHA1 hash:

0610f8d2761ad67f9b64ebd3be202be32ced7116

Link:

https://www.unpac.me/results/88acd063-529b-419b-89f6-aaaaf5d3a57a/

SH256 hash:

8938f212bedfaf8b11511975865a15ba06a9b3b53d2c9aa5c295b70ad79dd6f2

MD5 hash:

041ea344f71a48cd5201fc24ce740a61

SHA1 hash:

0008a3f30efa3d96c6a444f4b8f7e395fc2ea237

Link:

https://www.unpac.me/results/88acd063-529b-419b-89f6-aaaaf5d3a57a/

SH256 hash:

48d1341c3e8aee59f63bb0338b7132055b09a86927ad0e1192b406d09b004d18

MD5 hash:

6820ac8ce24304462c6c80e2314c0117

SHA1 hash:

cf4706513c6a62201c4cb91211d372dee66ac31b

Link:

https://www.unpac.me/results/88acd063-529b-419b-89f6-aaaaf5d3a57a/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/48d1341c3e8a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/48d1341c3e8aee59f63bb0338b7132055b09a86927ad0e1192b406d09b004d18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.