MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49b45085d73438a8a1c6ea4c6a5e3af5f391d65948fe5560458119f95cf28921. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 49b45085d73438a8a1c6ea4c6a5e3af5f391d65948fe5560458119f95cf28921
SHA3-384 hash: bed32953b02c57e095a56086f0e7b414a9109fda54cde7b5aa5fd5599646b0fe742dd8b4444e8222a4e73f5c24b54663
SHA1 hash: 0422a45292fde8398a5a3f3f1a228b2d882075b5
MD5 hash: a08fedd1af1461cd057783b833b75c1a
humanhash: hawaii-edward-jupiter-carpet
File name: a08fedd1af1461cd057783b833b75c1a
Signature: RedLineStealer
File size: 1'073'847 bytes
First seen: 2021-08-14 13:51:47 UTC
Last seen: 2021-08-14 14:41:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 667e6d0f434d248524103ade13b913e4 (5 x RedLineStealer, 1 x CoinMiner, 1 x RaccoonStealer)
ssdeep: 24576:qSLX3jL0oSml1h4rZwFamT0Mr+GoJDgsKFlb9z9:REoNsIamT0bGcgvxx
TLSH: T1F435EF85E383F77AC06CF2347711921459E9ACE3C62348C73B84F74ABAE925476E2671
dhash icon: d0949692929694d0 (1 x RedLineStealer, 1 x 1xxbot)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer
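Before analysing a copy of this sample, check that the bytes you actually obtained are the ones this entry describes; a truncated or re-encoded download produces a different SHA256 and wastes an analysis. The following Python is an added example, not MalwareBazaar's own tooling: it recomputes the plain hashes and the size and names every field that disagrees. The expected values are copied from the entry above; ssdeep, TLSH and imphash are left out because they need third-party libraries.

```python
"""Verify a downloaded sample against the identifiers listed in this entry.

Added example, not MalwareBazaar tooling. Recomputes the plain hashes and
the size from the file bytes and names every field that disagrees, so a
truncated or re-encoded download is caught before analysis. ssdeep, TLSH
and imphash need third-party libraries and are not recomputed here.
"""
import hashlib
import sys
from typing import Dict, List

# Expected values copied from this MalwareBazaar entry.
ENTRY: Dict[str, str] = {
    "sha256": "49b45085d73438a8a1c6ea4c6a5e3af5f391d65948fe5560458119f95cf28921",
    "sha3_384": "bed32953b02c57e095a56086f0e7b414a9109fda54cde7b5aa5fd5599646b0fe742dd8b4444e8222a4e73f5c24b54663",
    "sha1": "0422a45292fde8398a5a3f3f1a228b2d882075b5",
    "md5": "a08fedd1af1461cd057783b833b75c1a",
    "size": "1'073'847 bytes",  # MalwareBazaar's apostrophe-grouped notation
}


def parse_size(text: str) -> int:
    """Turn "1'073'847 bytes" (or "1,073,847") into an integer byte count."""
    return int(text.split()[0].replace("'", "").replace(",", ""))


def fingerprint(data: bytes) -> Dict[str, str]:
    """Compute the same identifiers the entry lists, keyed like ENTRY."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": str(len(data)),
    }


def mismatches(data: bytes, entry: Dict[str, str]) -> List[str]:
    """Names of entry fields the bytes do not satisfy; an empty list means verified.

    Only the fields present in `entry` are checked, so a partial entry
    (say, SHA256 alone) works too. Hex digests are compared case-insensitively.
    """
    got = fingerprint(data)
    bad: List[str] = []
    for field, expected in entry.items():
        want = str(parse_size(expected)) if field == "size" else expected.lower()
        if got[field] != want:
            bad.append(field)
    return bad


if __name__ == "__main__":
    # Usage: python verify_sample.py <path>; defaults to the entry's file name.
    path = sys.argv[1] if len(sys.argv) > 1 else "a08fedd1af1461cd057783b833b75c1a"
    with open(path, "rb") as fh:
        blob = fh.read()
    bad = mismatches(blob, ENTRY)
    print("verified: matches this entry" if not bad else "MISMATCH in: " + ", ".join(bad))
    sys.exit(1 if bad else 0)
```

The size check is deliberately separate from the hashes: when only the size disagrees the download was cut short or padded, whereas matching size with differing hashes points at a transformed copy (re-packed, patched, or a different file of the same length).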

Intelligence


File Origin
# of uploads: 2
# of downloads: 183
Origin country: n/a

Vendor Threat Intelligence

ANY.RUN
Malware family: n/a
ID: 1
File name: a08fedd1af1461cd057783b833b75c1a
Verdict: Malicious activity
Analysis date: 2021-08-14 13:54:17 UTC
Tags: autoit trojan rat redline stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.expl.evad
Score: 76 / 100
Signature
Creates processes via WMI
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID 465331, sample 6Sz0oowku3, start date 14/08/2021, architecture Windows, score 76), flattened from the rendered graph into a process tree. Signatures are given in parentheses after the node they were raised on; "dropped" lines are files the process wrote, with the file type the sandbox reported:

Sample-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Drops script at startup location

6Sz0oowku3.exe (submitted sample)
  cmd.exe (Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks)
    cmd.exe (Obfuscated command line found; Uses ping.exe to sleep)
      Sapete.exe.com (Drops PE files with a suspicious file extension)
        Sapete.exe.com
          DNS: GjRKywIJjtMTKKgWHMJNvwsK.GjRKywIJjtMTKKgWHMJNvwsK
          dropped: C:\Users\user\AppData\...\pHWBEogcsR.exe.com (PE32)
          dropped: C:\Users\user\AppData\...\pHWBEogcsR.url (MS)
      findstr.exe
        dropped: C:\Users\user\AppData\...\Sapete.exe.com (Targa)
      PING.EXE
    conhost.exe
  dllhost.exe
wscript.exe (Creates processes via WMI)
pHWBEogcsR.exe.com
  DNS: GjRKywIJjtMTKKgWHMJNvwsK.GjRKywIJjtMTKKgWHMJNvwsK
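The sandbox signatures above (ping.exe used as a sleep, a payload assembled by findstr.exe and run as *.exe.com, a script dropped to a startup location, a process spawned via WMI) translate directly into host-telemetry hunts. The following is an added example, not MalwareBazaar's or any vendor's code: Python rules run over constructed Sysmon-style ProcessCreate/FileCreate records modelled on the process tree. Every path and command line in the sample events is an assumption, not a value observed from this sample.

```python
"""Hunt rules for the dropper behaviours the sandbox signatures report.

Added example, not MalwareBazaar or vendor code. The records below are
constructed Sysmon-style events (ProcessCreate / FileCreate) modelled on
the process tree; paths and command lines are assumptions, not values
observed from this sample.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# "Uses ping.exe to sleep": a loopback ping with a repeat count burns
# roughly one second per echo, a classic batch-file delay with no network use.
REPEAT = re.compile(r"-n\s+\d+", re.I)
LOOPBACK = re.compile(r"\b(?:127\.0\.0\.1|localhost|::1)\b", re.I)
# "Drops PE files with a suspicious file extension": a renamed PE run as
# *.exe.com, like Sapete.exe.com and pHWBEogcsR.exe.com in the report.
EXE_COM = re.compile(r"\.exe\.com$", re.I)
# "Sigma detected: Drops script at startup location": anything the shell
# launches at logon from the per-user Startup folder.
STARTUP_SCRIPT = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:url|lnk|vbs|js|bat|cmd)$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_process(e: Event) -> bool:
    return e.get("EventType") == "ProcessCreate"


def is_file(e: Event) -> bool:
    return e.get("EventType") == "FileCreate"


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("ping_sleep", lambda e: is_process(e) and basename(e["Image"]) == "ping.exe"
        and bool(REPEAT.search(e.get("CommandLine", "")))
        and bool(LOOPBACK.search(e.get("CommandLine", "")))),
    ("exe_com_executed", lambda e: is_process(e) and bool(EXE_COM.search(e["Image"]))),
    # "Creates processes via WMI": the WMI provider host is the parent
    # (Win32_Process.Create lands the child under WmiPrvSE.exe).
    ("process_created_via_wmi", lambda e: is_process(e)
        and basename(e.get("ParentImage", "")) == "wmiprvse.exe"),
    # findstr.exe writing *.exe.com: the payload is carved out of a decoy
    # file by a text tool, as the report shows for Sapete.exe.com.
    ("findstr_writes_exe_com", lambda e: is_file(e) and basename(e["Image"]) == "findstr.exe"
        and bool(EXE_COM.search(e["TargetFilename"]))),
    ("startup_script_dropped", lambda e: is_file(e)
        and bool(STARTUP_SCRIPT.search(e["TargetFilename"]))),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that matches an event."""
    return [(i, name) for i, e in enumerate(events) for name, pred in RULES if pred(e)]


# Constructed telemetry, not from this sample; paths and arguments are assumptions.
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "ProcessCreate", "Image": r"C:\Users\user\Desktop\tonys1008.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Users\user\Desktop\tonys1008.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\tonys1008.exe", "CommandLine": r"cmd /c dropper.bat"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\findstr.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\Sapete.exe.com"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"ping 127.0.0.1 -n 30"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\user\AppData\Local\Temp\Sapete.exe.com",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"Sapete.exe.com"},
    {"EventType": "FileCreate", "Image": r"C:\Users\user\AppData\Local\Temp\Sapete.exe.com",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pHWBEogcsR.url"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": r"wscript.exe run.vbs"},
    # Benign control: a real reachability ping must not trip the sleep rule.
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"ping -n 1 8.8.8.8"},
]

if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The rules key on the combination the sandbox flagged rather than on the single tools: ping.exe with a repeat count is noise on any helpdesk host, but ping.exe against a loopback address with `-n N` only ever means "wait N seconds", and findstr.exe is a text utility that has no business writing a file whose name ends in .exe.com.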
Result
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-08-10 18:48:00 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:tony1008 discovery infostealer spyware stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: 193.188.22.4:45689

Unpacked files
SHA256 hash: efdd78580e52d4deb0637a8b2af65d47a3f301d24d21190ceaf85092e621f5e9
MD5 hash: 6d0f6ca67838b8a35c92db3b464ce9c8
SHA1 hash: b816f252bc91970d447b23f953012ea029c942b1

SHA256 hash: 49b45085d73438a8a1c6ea4c6a5e3af5f391d65948fe5560458119f95cf28921
MD5 hash: a08fedd1af1461cd057783b833b75c1a
SHA1 hash: 0422a45292fde8398a5a3f3f1a228b2d882075b5

Result
Malware family: RedLine
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: RedLineStealer
File: Executable exe 49b45085d73438a8a1c6ea4c6a5e3af5f391d65948fe5560458119f95cf28921 (this sample)

Comments



zbet commented on 2021-08-14 13:51:48 UTC

url : hxxps://activityhike.com/files/tonys1008.exe