MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ab8ef03284ffe7a221c2655e2cdb0135791715a055e4d3fdd8c915325857176. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ab8ef03284ffe7a221c2655e2cdb0135791715a055e4d3fdd8c915325857176
SHA3-384 hash: 03c78446275af66adb577d829a97d1bdae086f47ff7f41fa987c59081491b24357ecdc30f0e1da1f3dbafeec68309c37
SHA1 hash: 38fed004966aa3a74a86e95169c782b57cca1afb
MD5 hash: 6df1a68fb199319a6927cff22665c177
humanhash: yellow-september-shade-don
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:383'488 bytes
First seen:2022-10-25 11:11:57 UTC
Last seen:2022-10-25 12:00:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d469ca1d6e996368501cdcdaad61b8dc (12 x RedLineStealer, 4 x Tofsee, 2 x CoinMiner)
ssdeep 6144:ODYqL5XQe3aMvS0djx4D7XsNTqqFFo+sJEVe6xPXXKIFJPXkKJM:ODzNXQsaGRdjWDLsNTq/EVe60IFJvkl
Threatray 11'287 similar samples on MalwareBazaar
TLSH T1D08401207892C836C4A691764865FB441BFBB6B922358A4B371452EE7FB03D36737707
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 2b168c4ae6623233 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://193.106.191.19/MicrosoftKey.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.19:47242 https://threatfox.abuse.ch/ioc/948768/

Intelligence

File Origin
# of uploads :
16
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-25 11:14:16 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4385bbe1-818c-4523-bf51-0003333c1b75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323973/
Detection(s):
Win.Packed.Pwsx-9975723-0
Create hunting rule

Win.Dropper.Tofsee-9975728-0
Create hunting rule

Win.Dropper.Tofsee-9975734-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the system32 subdirectories
Creating a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f59f599c-0f5d-4715-9c10-96242132ba43
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097490
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ab8ef03284ffe7a221c2655e2cdb0135791715a055e4d3fdd8c915325857176/
Threat name:
Win32.Trojan.Krypter
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 12:20:48 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jk4o6azij77huiq4ezk6ftnqcnlzc4k2avpe2p65rsivgjmfof3a._file
Verdict:
malicious
Similar samples:
173a25a0d60c05f2754c42ba56d3d0597fa46de21b483c12729916fd6939b306
RedLineStealer
1b1290ed02b74182f7895c6809048627ff3cfd9b50bf0c250f2a59956a568468
RedLineStealer
670b1670bc457d64c885cbca3aebcf462aae5086707585f610c4fedc8f4ee073
RedLineStealer
8f4afa06546e11c830d7e0b94241b5512ca7063768ab3398d6f1c33038522d04
RedLineStealer
c4206333c1a4d1b2dcb2345a41e8760cb2a861341f756a482d7da77506e29684
RedLineStealer
d49abdd293be63c898f2033106d0d231dd62bbb787e799dcb36472afd837a609
RedLineStealer
f4d8bc07e5b9999acd7d3388bc49d6b903f70a2a21f11d47a24d589d94e81773
RedLineStealer
fd5b0dc1b64cded64c7162177f0dc1a4b5a44b3dab6719639ec9c13b875097ac
RedLineStealer
+ 11'277 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:dzkey discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221025-navswacdhp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
193.106.191.19:47242
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1b14dc2d-c687-453f-8bf8-fbf891443a8f
Unpacked files
SH256 hash:
d338b3ecde4b305505a8bef05f20ad59280589502d161dae60e24ff0a0c3ff95
MD5 hash:
5de0e6f8a038dea15da5c6590b68f523
SHA1 hash:
ded5194555b7aaed3ee459440a70ef5d5d7b9276
Link:
https://www.unpac.me/results/eb7eef18-64da-4528-8430-59a83c25581b/
SH256 hash:
3e2bfeca4c68fb903e42a0b1b50764121f3314b3f0170645fc5a34300dcda8db
MD5 hash:
697b874c10e9c1fb2b0eb9a7d5b2e36b
SHA1 hash:
bd322997c2b728ae592158179159b1a7382afa9a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/eb7eef18-64da-4528-8430-59a83c25581b/
Parent samples :
d49abdd293be63c898f2033106d0d231dd62bbb787e799dcb36472afd837a609
f4d8bc07e5b9999acd7d3388bc49d6b903f70a2a21f11d47a24d589d94e81773
fd5b0dc1b64cded64c7162177f0dc1a4b5a44b3dab6719639ec9c13b875097ac
1b1290ed02b74182f7895c6809048627ff3cfd9b50bf0c250f2a59956a568468
173a25a0d60c05f2754c42ba56d3d0597fa46de21b483c12729916fd6939b306
4ab8ef03284ffe7a221c2655e2cdb0135791715a055e4d3fdd8c915325857176
ceaef4650779a6399206a720934a63e94d66e81092f2829fc8f5313199377f50
2ca8638b31cb420f3c021ab4803f4cee8eee38117d68b7561bf82cd8ff0b52c4
6684a5b890f9829d357208e9729692018ceccc59ad48463de4c9662b9b65d2d2
b7a76b08374f798e8b2b64a607531f32e78e104460d18a6c9013240b4606674c
56e6e6ea78c823bb34c56b18b326393ad501520bf3dee661fd5696aaaca3c634
2bed14990c09d87c740233ab3464c878eeecdb42be0cc8e8087f39421a8670c6
719da2d422bae71a1ad5d8b13f08b75ea2911846e93f74cc3b6ad5d5da8387a7
0bfd36ee4ee63be807f6fff93b856f0213c01e0f90bcad14ca9759c20eb4ef40
b18c1d85a7850908af61f6cc565b490f8d49a5836a2fb4b7a0cd80eb4cbe6f9a
b222b4a41de6a1865f8cc919f7e18d16d91f36d2c27c3a4ef115da3b2c0f0516
df8cedccee6ab451fe59b40754dd6c4e06a3ba627069d09de0b9455dc1e8ac2a
006b1f025e75c853f3e776dd579791d6ac479bc25a6f0bbec92af86a149dffd8
8f9d96476e42966d93a4781b4e4c07729ee428e97b98768760287d2d53f2b792
2548534bf822498e6e98939ea5ef4477b6e00667af75625145b0bdc2311a3e65
a0ceacc8550c34dd843ca462ac6bf953a918321359e04ea14a2e50793f56976a
a3404df2f3c45e9d1e18b06d9262209cb66e99f32e75fcad2a9a8e92e0de277c
07c36b41d531e3ed596b4089c93a8ce6bae99040124d5a58bd9343399b97cff5
769e9d663e486c1b7a665d6ce605845e4bac91a60cc4ac2229ec7b2400df11f6
4a2a17ebaf1c0712b4d61c601304468158a64a78c07fd927bea7f15dd7036204
40e04f3f5bf326949df928ac805433f3f4e6cc94d458d704dcebd10330235aff
05bbc7e92c3ab59c16c845809b837d105da141a423284c04e894d2832502e08c
5de7480390c165160be72fe43824dbbddd6c16c605a19391ae37791d68405fb5
cf1ede8cedaf26e5965d0dfc652e14fde966b1bf4bcc77b43985c2b4e3492ef3
84bbb780ebe96f35146095794522d95bc2ee44074ea44bf1f7bfd298b6e8d59a
3b32f3a5125777d31f46d14a7454a4d16530032c561fe21132d584f063cc40bb
dd8b590a5dcf4c2d876fbaefad0d635074d025a958e780a2ac8d936426cc5d41
963ffffae1211b31350afb547a5342bc4b6a44255de5b0cffd068a676cab9e05
8307d57f61a80bb1b6ed3ca3d14bbb7a26a270995f5e2f93be3be2fda483d664
63fbc4d6067594f8a171b3a8525182abe801a81e5b366f85f20bdfdc0c08a0d9
416c7f64a791be0d04a865ff5c084105d16bb3a6b85bc443aa90340ecc8d5611
f5bbb718bf3f63232dfbf34ca84b77ae03a13cb57fe332796fcacb8c6b0d02f3
378f1bc038413ea2d99a59027b44111d068a6573c6eb794f5e8389a07a368ce8
d98048ed24c9ecbff8763930257cc153d97ceec0bebeefe272787234686f9df1
0869ddc9516c552cd4f55a4ea11267a417e41413ccdbf47a9fbb93ca802f44c2
b5ca04623891e8460d4563158dcb9c42165556790a4151d2bdb0faa50bec2cbc
52530b407638e9d2cf4235b1bf17f0e6e1059f1261f7c95a7ba43c8d701587b1
40a7561699b094621f6f3270f34e9826ae28eb5417297baa4b78cf53f3d1e029
374b8e3089b1d9fac52920a56e3294c13c9da3379cac27b23d13498c5f1a09da
755d3de67ff979048f7c0c7ad0a4ba485639e2d1f3dc6d4e87390a4c8bfa2dbe
48c132b5b5af641ca100d6ae118603b4bc0c59b09a398db330c714f2e64398d4
c73885be93d35281164f517c24892776bf5304dff4a256e4c9bd9cd474385be3
87954ea1829acb1c5ac467120a00bc5cd4790c12cc6ef50aba5de7bdc5dd7153
032c8aff5321c0cdaf274cc46d1b2297dcb73e24e49c1eca091af963ecd609c8
c1b045cb4c6304d2d9fc2b9476c3ec51eb5c7427f7ecc4be8649241e385ed772
532d01ea05216de3a51a494c43e69bec7ff8aa8de74c3ca67308429617887873
84ef62dbf08c9ac3346ad69badd6cbe783ab32fe68c2af3a37fbb81a7b5e51bd
ceeef16d35e306d4bb6822a9570453c3960f3dfdb558185c77f5ee58441821e3
68102c6d06f0204caa1c9624ae42223a89ab42f5fbb4164e8ae1fe86c2b9d6d1
b0f5eb0c39d50f81b6a32e5743b778c276a833281fbfb1b7d8a9e02950d52880
80fbdceeba1ae88efe902e8a0d1349d43c3c6e1462af5d7195191f6446c1d60d
f0af7b9539f19aeb7674eb230dad941683c65cd770e5ee3203ca5d9214a2bb26
27a4f43eb1a9cfa1f8dc32ec942f970c1daffd9dfd55d0099eda0d9a16923c71
ad08b0274d44e0740d5a7fe2b1125ed13ca9569c9a35256e360d8a4c81a45ddd
714605ca7ffd745319c1939bbb649038ed72adb8e4e6eb2818e22775dd5357e0
ec06e2c457545dcec33a946514a917800b1df96150a1f89ca57c2f1034d7ae54
3172233a5dd748134389c0f9cd0264f788f6ba8a405f75178316608d2c6421ee
62c74955f1529e499228a1feece1f22be7be4d2739e0aced84c65f919dede351
7ae6e6f5f8106c9e8c3fa90ff7c76d9c86d05f0f80ca1b7bb8dc2f36d3518172
911ecf68a620339872678ffdb5c8401d0f0c2585ebff015bf6ec28a995f98dec
4a203a75fd6315f4bbca6dffba7c208696bb392aaa3378af7b078485d64bfea0
f918a8fd87946794f53c622d6c59cae13cfb0c75738f3af5e782b06b8681609e
e38a776e4c31dea72698325cab023c8a549a28db2988869218d34863b67c7b82
2af69ee37c0cbadbf319590b17ed78da9eab323066dfe01ca1b606a8f2552617
1b5a97d9c984fe0565dc790706333a183ea99de1f52c30f4137bd6504a0cd04e
03922ffa247475b97df145e2c52fd8cb81c7dd1c365a4c114c4bb20b60a7c7f3
1c09599a0836c926f673fe939ed952c450c915c3bb9aed831c37e02e88073876
cb7296e2a1380a3459d874635a0174bf89a14d869cd8322941362e25695ea4f1
caa9458f14985b1d1de68af03f88db426a844dbfb8fa8b1f670e8fe256238049
23e1a029b184306ff6ec614f18b133d285a07be218ac5d811963d0d088bc0825
5f25f83229d7685cf7eec5f9fcce98e5f64c79f9e916327999ee6b5b7b015d8c
18126576630f8017fe12609bd7796745ff43dace52ee2ff24030bbb58ba290ea
e41c6f2ea948ada4071efb5e95e528d5f640714e0c5c14a98e7e7ced0f924a88
SH256 hash:
3ee933b43a2ee77c9f0ade05041cc97c8934c58665e54ae6d8f4bd7689b6962a
MD5 hash:
feff8cd2f3dafbfc3fb4fbe55a610cc0
SHA1 hash:
769a7316a60eadd43df6c18475673955395afc45
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/eb7eef18-64da-4528-8430-59a83c25581b/
Parent samples :
d49abdd293be63c898f2033106d0d231dd62bbb787e799dcb36472afd837a609
1b1290ed02b74182f7895c6809048627ff3cfd9b50bf0c250f2a59956a568468
173a25a0d60c05f2754c42ba56d3d0597fa46de21b483c12729916fd6939b306
4ab8ef03284ffe7a221c2655e2cdb0135791715a055e4d3fdd8c915325857176
2ca8638b31cb420f3c021ab4803f4cee8eee38117d68b7561bf82cd8ff0b52c4
56e6e6ea78c823bb34c56b18b326393ad501520bf3dee661fd5696aaaca3c634
719da2d422bae71a1ad5d8b13f08b75ea2911846e93f74cc3b6ad5d5da8387a7
006b1f025e75c853f3e776dd579791d6ac479bc25a6f0bbec92af86a149dffd8
8f9d96476e42966d93a4781b4e4c07729ee428e97b98768760287d2d53f2b792
2548534bf822498e6e98939ea5ef4477b6e00667af75625145b0bdc2311a3e65
a0ceacc8550c34dd843ca462ac6bf953a918321359e04ea14a2e50793f56976a
4a2a17ebaf1c0712b4d61c601304468158a64a78c07fd927bea7f15dd7036204
40e04f3f5bf326949df928ac805433f3f4e6cc94d458d704dcebd10330235aff
84bbb780ebe96f35146095794522d95bc2ee44074ea44bf1f7bfd298b6e8d59a
3b32f3a5125777d31f46d14a7454a4d16530032c561fe21132d584f063cc40bb
b5ca04623891e8460d4563158dcb9c42165556790a4151d2bdb0faa50bec2cbc
52530b407638e9d2cf4235b1bf17f0e6e1059f1261f7c95a7ba43c8d701587b1
40a7561699b094621f6f3270f34e9826ae28eb5417297baa4b78cf53f3d1e029
374b8e3089b1d9fac52920a56e3294c13c9da3379cac27b23d13498c5f1a09da
48c132b5b5af641ca100d6ae118603b4bc0c59b09a398db330c714f2e64398d4
c73885be93d35281164f517c24892776bf5304dff4a256e4c9bd9cd474385be3
032c8aff5321c0cdaf274cc46d1b2297dcb73e24e49c1eca091af963ecd609c8
84ef62dbf08c9ac3346ad69badd6cbe783ab32fe68c2af3a37fbb81a7b5e51bd
b0f5eb0c39d50f81b6a32e5743b778c276a833281fbfb1b7d8a9e02950d52880
80fbdceeba1ae88efe902e8a0d1349d43c3c6e1462af5d7195191f6446c1d60d
f0af7b9539f19aeb7674eb230dad941683c65cd770e5ee3203ca5d9214a2bb26
27a4f43eb1a9cfa1f8dc32ec942f970c1daffd9dfd55d0099eda0d9a16923c71
62c74955f1529e499228a1feece1f22be7be4d2739e0aced84c65f919dede351
911ecf68a620339872678ffdb5c8401d0f0c2585ebff015bf6ec28a995f98dec
f918a8fd87946794f53c622d6c59cae13cfb0c75738f3af5e782b06b8681609e
e38a776e4c31dea72698325cab023c8a549a28db2988869218d34863b67c7b82
2af69ee37c0cbadbf319590b17ed78da9eab323066dfe01ca1b606a8f2552617
1c09599a0836c926f673fe939ed952c450c915c3bb9aed831c37e02e88073876
cb7296e2a1380a3459d874635a0174bf89a14d869cd8322941362e25695ea4f1
caa9458f14985b1d1de68af03f88db426a844dbfb8fa8b1f670e8fe256238049
18126576630f8017fe12609bd7796745ff43dace52ee2ff24030bbb58ba290ea
SH256 hash:
4ab8ef03284ffe7a221c2655e2cdb0135791715a055e4d3fdd8c915325857176
MD5 hash:
6df1a68fb199319a6927cff22665c177
SHA1 hash:
38fed004966aa3a74a86e95169c782b57cca1afb
Link:
https://www.unpac.me/results/eb7eef18-64da-4528-8430-59a83c25581b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ab8ef03284ffe7a221c2655e2cdb0135791715a055e4d3fdd8c915325857176

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/323973/
  
URLhaus
https://urlhaus.abuse.ch/url/2384053/

Comments