MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48dd2b87c308a8fab91ff85b2fe84f7c13c5a1a459207941225e104896648004. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11


SHA256 hash: 48dd2b87c308a8fab91ff85b2fe84f7c13c5a1a459207941225e104896648004
SHA3-384 hash: ad0eadcda70a2042dd22e703ef994f816b6aeb4a581684434029f8018a680b44aaba2f6b91be537bff35c0f9db2feb22
SHA1 hash: 102901f680f9942d84de54b0caebda5c5754c0f9
MD5 hash: 4bda5c1a8c51ac5276f6ebd7e743579a
humanhash: nuts-washington-montana-gee
File name: 4bda5c1a8c51ac5276f6ebd7e743579a.exe
Signature: RedLineStealer
File size: 352'256 bytes
First seen: 2021-09-08 05:32:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9325a2124ce99db4bd879a17d27ac59b (3 x RaccoonStealer, 2 x RedLineStealer, 1 x Stop)
ssdeep: 6144:Xig/vkyNwPesP/7wgqoJe6tNKVwhXyG4tziz/eiq:R/vkewWsP/WoJe2NKOXMhirei
Threatray: 2'099 similar samples on MalwareBazaar
TLSH: T1E574AE20B6A4C135F1F711F549BDA3A9E6297EB19B3850CB62C43FEA56342E09C30B57
dhash icon: 9824e790c4e72158 (31 x RedLineStealer, 18 x Smoke Loader, 16 x ArkeiStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 111
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4bda5c1a8c51ac5276f6ebd7e743579a.exe
Verdict: Malicious activity
Analysis date: 2021-09-08 05:34:41 UTC
Tags: installer trojan rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
DNS request
Creating a file
Sending a UDP request
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-08 02:52:51 UTC
AV detection: 12 of 28 (42.86%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:uhd_666 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.215.113.119:15548
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe 48dd2b87c308a8fab91ff85b2fe84f7c13c5a1a459207941225e104896648004 (this sample)

Delivery method: Distributed via web download

Comments