MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a0b2b7745ce98e33f250ec2563916f007721933ec42e878b7c598b147ad2ea1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments 1

SHA256 hash:	4a0b2b7745ce98e33f250ec2563916f007721933ec42e878b7c598b147ad2ea1
SHA3-384 hash:	efd6e4730e6f845c777b412b38c4fcf097f4d3518480386e801dda73d159f71a98cf67d894bc08170fa0ad84272a82b9
SHA1 hash:	b625eb1d63018d93451816f61ffaf1faed6fe07b
MD5 hash:	d7b64bfbaaddbd173a083f6c96d435fc
humanhash:	victor-hotel-idaho-emma
File name:	d7b64bfbaaddbd173a083f6c96d435fc
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	399'360 bytes
First seen:	2022-06-16 03:17:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	39a5e63add263fb8a93124d0be6cfbe2 (4 x RedLineStealer, 3 x Loki, 2 x Amadey)
ssdeep	6144:vUkBs/R078g4bXxpfVTQTx75isRtKLRjhVvWiY3LztoMc6:vUpC78g4bhpp85isR0L9WiYbz66
Threatray	3'969 similar samples on MalwareBazaar
TLSH	T16D84CF00BA90C035F5F702F859B6936CB93EBAA19B2451CF52D566FE56346E0EC3231B
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	d0f0c0cccc98e0e0 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

254

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/280456/

Detection(s):

Win.Packed.Generic-9952003-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/21551/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62aaa0ec916056ae17130fb4/reports/d68357a4-c0d5-487f-81df-841c93840fae/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a1d50664-44ed-423a-a0c1-f2851b2c653a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1014223

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a0b2b7745ce98e33f250ec2563916f007721933ec42e878b7c598b147ad2ea1/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-06-16 03:16:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jifsw52fz2mogpzfb3bfmoiw6adxegjt5rboq6fxywmlcr5nf2qq._file

Verdict:

malicious

RedLineStealer

1e77b0464f3b1b239528812813d29e2d12b171b5fab3ece2cc7cc247ac2f759c

RedLineStealer

3087e3054e0534094992e6a789f638aa4c817f32d44d198a16f35cca0f9e8382

RedLineStealer

5d6bf47e5512cbad6edef0cdac28b005431fdf0538835fb21e5af9871b637a46

RedLineStealer

837ffb4801d47f374913ffd47e6ed9830a4bc2377d7a33b5b14007075d04ac0d

RedLineStealer

c5307fda2a00ea681c9f87411c3537f88ebca19fe7c23edc22e8d6cab3af8309

RedLineStealer

fb1b2d99803d89ecbbc788e37a4759fb57e67a98773c349a22f36cb7972f3c63

RedLineStealer

+ 3'959 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:meta discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220616-dtldfacdc8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.245:23196

Unpacked files

SH256 hash:

08e75a9e3df8d212c34049ae749e270b7f2c2d922e7ddfbc4197813b963954b3

MD5 hash:

e8c9e9cc0036bc649232bc0e9634e6f7

SHA1 hash:

88f6b3d385ecdd2419367ab6511cfd612eb179ad

Link:

https://www.unpac.me/results/3efcab70-6c42-4cf5-9fea-a48967e679c4/

SH256 hash:

04dbfc9cb2909469fab0bed698c7e371c916ce9b7a9a9328c57d080925a05e57

MD5 hash:

89ce9c691eaf75639edd700b087dca8f

SHA1 hash:

0610f8d2761ad67f9b64ebd3be202be32ced7116

Link:

https://www.unpac.me/results/3efcab70-6c42-4cf5-9fea-a48967e679c4/

SH256 hash:

8938f212bedfaf8b11511975865a15ba06a9b3b53d2c9aa5c295b70ad79dd6f2

MD5 hash:

041ea344f71a48cd5201fc24ce740a61

SHA1 hash:

0008a3f30efa3d96c6a444f4b8f7e395fc2ea237

Link:

https://www.unpac.me/results/3efcab70-6c42-4cf5-9fea-a48967e679c4/

SH256 hash:

4a0b2b7745ce98e33f250ec2563916f007721933ec42e878b7c598b147ad2ea1

MD5 hash:

d7b64bfbaaddbd173a083f6c96d435fc

SHA1 hash:

b625eb1d63018d93451816f61ffaf1faed6fe07b

Link:

https://www.unpac.me/results/3efcab70-6c42-4cf5-9fea-a48967e679c4/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4a0b2b7745ce/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4a0b2b7745ce98e33f250ec2563916f007721933ec42e878b7c598b147ad2ea1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.