MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49cdfa6162b48c32656657daa3f9ba7c90378c490316074d3bbf4c13dccd9d32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49cdfa6162b48c32656657daa3f9ba7c90378c490316074d3bbf4c13dccd9d32
SHA3-384 hash: efdeabe64c0069d65fd575e21ff4ca696c250a6dbd16e6b629699f936c460a4b77f456fe9aff9f8433ea0300e38b0593
SHA1 hash: 42c0675c4c7d6a97fec1903fbe9102530b9ce8aa
MD5 hash: 58feda62a87bee1a1c8c0ac24029682e
humanhash: lemon-batman-eleven-ink
File name:58feda62a87bee1a1c8c0ac24029682e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:478'448 bytes
First seen:2022-03-08 17:40:24 UTC
Last seen:2022-03-08 19:55:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 6144:aTRu5SrP7i6WzVuP5KKZC8Gd80K/CuM8iJNCzMkMT6n/ViUN6WAkfbZyS4kFbapS:+rta8l1DijCr5Vi/jkfbZLMet3JY7C
Threatray 822 similar samples on MalwareBazaar
TLSH T184A49E6E66908E40D2481D3AD0A7C56487F2BF4133F3E7ADDA7702B31E537A48D452EA
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:Phantasies
Issuer:Phantasies
Algorithm:sha1WithRSAEncryption
Valid from:2022-02-21T21:00:00Z
Valid to:2032-02-29T21:00:00Z
Serial number: 6fc8afe5962e24b64a02055d7f596946
Thumbprint Algorithm:SHA256
Thumbprint: 949ca5c7870d393aac9454e316b79ba9c5554836a57d19afed60fa8f58a8213e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248408/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.26327.21069.26615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed replace.exe
Link:
https://www.filescan.io/uploads/62279acf0cd58dbd926882e5/reports/cf9caf7b-bb0b-47ce-be2a-262a9f4b2bce/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef8bb249-b1cc-4d27-a258-e3a4d3496ba9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952896
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49cdfa6162b48c32656657daa3f9ba7c90378c490316074d3bbf4c13dccd9d32/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 20:55:03 UTC
File Type:
PE (.Net Exe)
AV detection:
36 of 42 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jhg7uylcwsgdezlgk7nkh6n2psidpdcjamlaotj3x5gbhxgntuza._file
Verdict:
malicious
Similar samples:
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
RedLineStealer
7779169da530f116334075286fc3cc44bff652d6031b48f4a2e4f63f35c349cd
RedLineStealer
7d1359fe0f873e03ccb58b534f660d0e4b92d049ce953e7b5a584acf97b8499a
RedLineStealer
83a0838ce422cf0354914df7efde5aeadb19cbc84ee315725de96237df2a36aa
RedLineStealer
9c126bfde9969c0d34230993dc33d233ac66eec831fd35204d4b7faf1f7af990
RedLineStealer
c4c8179ac2a2be1697ef244e5c8c4e70dd311b0f4a350c6fe1f05ddd69afc1f3
RedLineStealer
fea660657f6285124e61fe5dcafe9374344d941e6fbeaa89f3a2640572ccc784
RedLineStealer
+ 812 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:vip logs infostealer
Link:
https://tria.ge/reports/220308-v9ez2ahgh2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
fyopavitar.xyz:80
Unpacked files
SH256 hash:
ab360ae10b60f140d3629564e97d9355b157c744160dbf9f246fba83c90db555
MD5 hash:
cf9bc7ecf5644a346a274793d1d6201b
SHA1 hash:
852159d0e7de8237ef630387adda798cbfde8206
Link:
https://www.unpac.me/results/bc7900aa-d331-4d93-abed-c3f973f1109f/
SH256 hash:
49cdfa6162b48c32656657daa3f9ba7c90378c490316074d3bbf4c13dccd9d32
MD5 hash:
58feda62a87bee1a1c8c0ac24029682e
SHA1 hash:
42c0675c4c7d6a97fec1903fbe9102530b9ce8aa
Link:
https://www.unpac.me/results/bc7900aa-d331-4d93-abed-c3f973f1109f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.32
Link:
https://yomi.yoroi.company/submissions/49cdfa6162b48c32656657daa3f9ba7c90378c490316074d3bbf4c13dccd9d32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 49cdfa6162b48c32656657daa3f9ba7c90378c490316074d3bbf4c13dccd9d32

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2084456/
Cape
Cape
https://www.capesandbox.com/analysis/248408/

Comments


Avatar
zbet commented on 2022-03-08 17:40:26 UTC

url : hxxp://file-coin-coin-10.com/files/6274_1646166763_1942.exe