MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a413f1ffc68426b52cca4011600c29d2ef3def3deaa90fc3646357bb9d8889a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a413f1ffc68426b52cca4011600c29d2ef3def3deaa90fc3646357bb9d8889a
SHA3-384 hash: 1a5b1e35abcc9b9563a2f4c49adfc26444f9e892e25e34a20be8b02be43304c91f84ede998cd2eea637a73ece3cd74bb
SHA1 hash: 94bf623a7b86ca53947eb04f3b8066f260ce0fce
MD5 hash: 46e6dd5eba1795c54fad7d9e5a4e034b
humanhash: music-king-uranus-fourteen
File name:46e6dd5eba1795c54fad7d9e5a4e034b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:340'480 bytes
First seen:2021-10-03 01:06:06 UTC
Last seen:2021-10-03 01:52:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 848a7504f9e97d3a5e7cf95079b638a5 (9 x RedLineStealer, 4 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep 6144:ovs4BGUCG0GMLPy+pUM9oTj2QLhLnTK1jxB2hQ9VQMEeeoGyK125JEC:o06LWGMPp31QF3wjxMm922el14Z
Threatray 6'747 similar samples on MalwareBazaar
TLSH T11174BE20B7E0C034F9B752B445B583B9AC397EB19B3841CF92E52AE956346D8DC3178B
File icon (PE):PE icon
dhash icon e8e8c8e8aa66a489 (4 x RaccoonStealer, 3 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
108.62.12.248:40746

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
108.62.12.248:40746 https://threatfox.abuse.ch/ioc/229868/

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
46e6dd5eba1795c54fad7d9e5a4e034b.exe
Verdict:
Malicious activity
Analysis date:
2021-10-03 01:08:26 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/fc2cadb7-a4fa-4b19-9650-c83fe7129d07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194253/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader42.62977.23688.4366.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/615c2e8b98a6280f39324f89/reports/ac8ea65c-2208-469b-8173-25054edf0d52/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a384d63-da7f-470a-9d12-c55bad18e832
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863301
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a413f1ffc68426b52cca4011600c29d2ef3def3deaa90fc3646357bb9d8889a/
Threat name:
Win32.Backdoor.Tofsee
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 19:50:48 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jjat6h74nbbgwuwmuqarmagctuxphxxt32vjb7bwiy2xxooyrcna._file
Verdict:
malicious
Similar samples:
12c9b1ea69415b3838752d939f17cec00f9ad7179cc512b54549ea5a18695086
RedLineStealer
1e3746c25c1f5dad5546f843f7f60f8a3e2acacacf735842b8d9d283813f7268
RedLineStealer
30f7ee8a29ede05b2e17552a843022215e95b6e66c707e49546fe7f6d1ebd404
RedLineStealer
368a59033bc9effc4ca64d325c7d3c20e45b7f49deb138d7d532335037f81223
RedLineStealer
a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce
RedLineStealer
ac907c58399649af9014f1bda35513f6de3527f699a7e927d17127136df440c3
RedLineStealer
dbf8b13861ad9ae9876d690e9ec5c2853ece7305ac1dc30a403736e9d76f32e5
RedLineStealer
ea2754f1c3e10c8a4ab5307e4dce20d9ef63a0ce688ba7b68dc431e944f43cc4
RedLineStealer
f1a569c0cacca1b3440f4cc2f22898a032c52c92245d9059be57e336510fdb5e
RedLineStealer
f1a5fa05cf56545d866bf1caea4cfb7cd409fcbc6792892658f6fdc32679e08b
RedLineStealer
+ 6'737 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211003-bgna6afaar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
108.62.12.248:40746
Unpacked files
SH256 hash:
c5dbf09f1e70da6996a65ded84381716b33b53aeb8969f6bcea181581a986b9d
MD5 hash:
83c3047bf812ef63a7edeb3fc8de709d
SHA1 hash:
e5791c79510cb00e1ec5e65b71a34e062ef91310
Link:
https://www.unpac.me/results/ff960f50-92ac-48a7-b0c6-6b8852eeab7a/
SH256 hash:
7e6b332d35f1177072a2b19597a5c175694f32be29d734a52ec058e2b5a692c0
MD5 hash:
d0a71f22f93f29396c52b60db0579278
SHA1 hash:
aab084c636725705ff22e59bdfd8adffdb189d8c
Link:
https://www.unpac.me/results/ff960f50-92ac-48a7-b0c6-6b8852eeab7a/
SH256 hash:
16dee3d7eb2b3d266270fca572da39ece99fd73b7fbfd3102997771389703909
MD5 hash:
ccebea6bc2c6acc42fcd697f96b2adb1
SHA1 hash:
70f97aaaf5e4e3bacc36ea202cdaad464fa07ac7
Link:
https://www.unpac.me/results/ff960f50-92ac-48a7-b0c6-6b8852eeab7a/
SH256 hash:
4a413f1ffc68426b52cca4011600c29d2ef3def3deaa90fc3646357bb9d8889a
MD5 hash:
46e6dd5eba1795c54fad7d9e5a4e034b
SHA1 hash:
94bf623a7b86ca53947eb04f3b8066f260ce0fce
Link:
https://www.unpac.me/results/ff960f50-92ac-48a7-b0c6-6b8852eeab7a/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4a413f1ffc68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a413f1ffc68426b52cca4011600c29d2ef3def3deaa90fc3646357bb9d8889a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4a413f1ffc68426b52cca4011600c29d2ef3def3deaa90fc3646357bb9d8889a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1644572/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194253/

Comments