MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a6b43ea576a6d1ba813e58f7d16d3ec1e8adaf685ee4a8e511156710493c307. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	4a6b43ea576a6d1ba813e58f7d16d3ec1e8adaf685ee4a8e511156710493c307
SHA3-384 hash:	31cf77c0a262f947f1ca7de67076939712130638183df3e9df315d5d30284b78f041b73cf7a3e3a87f842a115f3f5d94
SHA1 hash:	9708eb016b72a1f1885e9ba3b17497818693983f
MD5 hash:	cbead029fd52e62ee0796059bd1eb978
humanhash:	seventeen-maryland-blossom-don
File name:	4A6B43EA576A6D1BA813E58F7D16D3EC1E8ADAF685EE4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'348'080 bytes
First seen:	2022-05-31 06:21:15 UTC
Last seen:	2022-05-31 06:31:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a2833106949ae6e20c40ed0128f9df4b (5 x RecordBreaker, 4 x SystemBC, 3 x RedLineStealer)
ssdeep	49152:2ig0RwmMsVMxAc565g6qvIYauPu8rbPYNdWRptFE:2CROsixH653CICuwbPmdWRpLE
TLSH	T18FB5F17A341A81A2F04E2E37F415B88EA3341E59144CACBE1E7CBE2F44F56C5992E47D
TrID	50.0% (.EXE) Generic Win/DOS Executable (2002/3) 49.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	f0ccb4c8c2f0e4cc (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer signed

Code Signing Certificate

Organisation:	www.tableausoftware.com
Issuer:	DigiCert TLS RSA SHA256 2020 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-03-08T00:00:00Z
Valid to:	2023-03-08T23:59:59Z
Serial number:	07b9d5ba76a71054d1504cae8520d3b7
Thumbprint Algorithm:	SHA256
Thumbprint:	9dbbb5d9db21c1fc0736b7429e71ab48c59c5a0c3e5be5e37baaf0866c38e19b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RedLineStealer C2:
188.34.180.137:38299

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
188.34.180.137:38299	https://threatfox.abuse.ch/ioc/643557/

Intelligence

File Origin

# of uploads :

# of downloads :

265

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4A6B43EA576A6D1BA813E58F7D16D3EC1E8ADAF685EE4.exe

Verdict:

Malicious activity

Analysis date:

2022-05-31 06:23:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c426d462-f219-4ff4-b90d-83a3a37248f1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/275595/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.48999351.18411.18104.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed wacatac

Link:

https://www.filescan.io/uploads/6295b40c3223462f89ed40b3/reports/435c1a75-ce24-4f6b-924b-03295b86d4f1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mustang Panda

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/455b1219-9e1b-4fad-901c-07e231aa3402

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003963

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a6b43ea576a6d1ba813e58f7d16d3ec1e8adaf685ee4a8e511156710493c307/

Threat name:

Win32.Trojan.Gencbl

Status:

Suspicious

First seen:

2022-04-18 17:54:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jjvuh2sxnjwrxkat4whx2fwt5qpivwxwqxxevdsrcflhcbetymdq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220531-g4w5gacfbl/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

99de29602e632e752ad5568284309888b126cfe708c119b8dcea1edb2f42863e

MD5 hash:

5d38c3d9bf90281995860d5a7193d878

SHA1 hash:

fe99ad4430635d87e482b77be48782ae6af9bda5

Link:

https://www.unpac.me/results/a8f9ed88-d0f9-4ffb-a515-533f0dd120c3/

SH256 hash:

5c88d5a217586f8f314fa13ce2da10511aec56465196197c10754568f35a4749

MD5 hash:

2229fcc9c5d20b0b175e61b87bb93c4a

SHA1 hash:

e033937518ad54c5cb872f84e929319a364df5e2

Link:

https://www.unpac.me/results/a8f9ed88-d0f9-4ffb-a515-533f0dd120c3/

SH256 hash:

4a6b43ea576a6d1ba813e58f7d16d3ec1e8adaf685ee4a8e511156710493c307

MD5 hash:

cbead029fd52e62ee0796059bd1eb978

SHA1 hash:

9708eb016b72a1f1885e9ba3b17497818693983f

Link:

https://www.unpac.me/results/a8f9ed88-d0f9-4ffb-a515-533f0dd120c3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.79

Link:

https://yomi.yoroi.company/submissions/4a6b43ea576a6d1ba813e58f7d16d3ec1e8adaf685ee4a8e511156710493c307

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/275595/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample