MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a01a5822312ccdb8f88379341c1d590f2c986fa239fd96088cc154c52013132. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 8 File information Comments

SHA256 hash:	4a01a5822312ccdb8f88379341c1d590f2c986fa239fd96088cc154c52013132
SHA3-384 hash:	8e78922b33466c91c5598740faa9160bcd2960ccc2d5620f1a943e1e5218a06886d44713985e3eef34725523fe7f8320
SHA1 hash:	10237d311f32881af5983898e3daaa82c0c54afb
MD5 hash:	5ecd2d86bd166f369d3098b20ea03f71
humanhash:	florida-iowa-fanta-fourteen
File name:	Run.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	280'456 bytes
First seen:	2021-07-29 23:24:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:7hzunPd/j9ImWtyI1SJrCGC2gFrHx46LjlGH3WysJWX1:7hzsVro9+rbC2yx9WF
Threatray	874 similar samples on MalwareBazaar
TLSH	T19454C04F6385195EDFB80D36E1E71BFA1B308CA4A52ED703E26476990D71BCA3E01687
dhash icon	970f79e3c5030343 (1 x RedLineStealer)
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Run.exe

Verdict:

Malicious activity

Analysis date:

2021-07-29 23:24:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/24c2cf1f-a0ac-4e13-ae08-3eabe9d0f3f6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/175153/

Detection(s):

Win.Packed.Generickdz-9879553-0

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a0ac285a-beb4-4e75-a989-97637de17e7c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/824185

Signature

.NET source code contains very large array initializations

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a01a5822312ccdb8f88379341c1d590f2c986fa239fd96088cc154c52013132/

Threat name:

ByteCode-MSIL.Spyware.RedLine

Status:

Malicious

First seen:

2021-07-29 23:25:05 UTC

AV detection:

8 of 46 (17.39%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jia2lardclgnxd4ig6judqovsdzmtbx2eop5syeizqkuyuqbgeza._file

Verdict:

malicious

RedLineStealer

474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c

RedLineStealer

71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862

RedLineStealer

72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89

RedLineStealer

8fecef53dc18d3f8ee830493bbdeacfe47ff1792409bea8e89dfed00276f5331

RedLineStealer

a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe

RedLineStealer

a77affc8aade0e41bacc74406c6db70c087971dad3f5acb73eaa0531ecb0135f

RedLineStealer

d4318bfc9c962824b9254a8eecaa7f30c5e6cc3a209a6d8ef84395aeab2403b7

RedLineStealer

+ 864 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:major discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210729-f3xfegvyw6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

91.121.146.23:9519

Unpacked files

SH256 hash:

a006771ac465eeebbfcc43f85e8af0a459b154035bb5ab31051a20eb6f5e1319

MD5 hash:

c375474efabce8f5c2200ba0d0c53966

SHA1 hash:

7bba63b00f3499d14190e44cd7b304bc208aff57

Link:

https://www.unpac.me/results/74590129-5f07-45e9-b997-bb5e757fbd84/

SH256 hash:

4c11c0f2bc8b4862c741c059b1b76faf41fd0abb85b2c60858fa8cbd57b1841f

MD5 hash:

ea5e5b1ae149d472f5842098250d4469

SHA1 hash:

0b8df39bab57ef5bea90b6af50a3b7c652408251

Link:

https://www.unpac.me/results/74590129-5f07-45e9-b997-bb5e757fbd84/

SH256 hash:

4a01a5822312ccdb8f88379341c1d590f2c986fa239fd96088cc154c52013132

MD5 hash:

5ecd2d86bd166f369d3098b20ea03f71

SHA1 hash:

10237d311f32881af5983898e3daaa82c0c54afb

Link:

https://www.unpac.me/results/74590129-5f07-45e9-b997-bb5e757fbd84/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/4a01a5822312ccdb8f88379341c1d590f2c986fa239fd96088cc154c52013132

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175153/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample