MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4adb694efcbcee94dd7aba7cd8d717eeccd06239bfb89555440f2d5506af8b90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: 4adb694efcbcee94dd7aba7cd8d717eeccd06239bfb89555440f2d5506af8b90
SHA3-384 hash: 584eb5de6df70cd6c8bab6e4b653ae430ea372597be8ee2c653222abe01fe9389e4772b67f83b8992d0c05afd3814a86
SHA1 hash: 5d240b39fc84faf41b834fae5c1ea49d0b2b711f
MD5 hash: ede7812d29098515836754ed757358e1
humanhash: mirror-nebraska-magnesium-maine
File name: ede7812d29098515836754ed757358e1.exe
Signature: RedLineStealer
File size: 457'728 bytes
First seen: 2021-09-30 17:56:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep: 12288:objDhu9TaMsCO4SoKQVmAuGTAjnlKI9jETnLEqs:W1eTadCO4Sob7uGdwjens
Threatray: 68 similar samples on MalwareBazaar
TLSH: T1F7A4F156B2E41188CBB245F1C9821746EB71B4321B11A3DB6B7457B32B5B8CA8F7D3E0
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
37.230.112.47:49799

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox reference
37.230.112.47:49799   https://threatfox.abuse.ch/ioc/228889/

Intelligence


File Origin
# of uploads: 1
# of downloads: 165
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ede7812d29098515836754ed757358e1.exe
Verdict:
No threats detected
Analysis date:
2021-09-30 18:47:10 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Deleting a recently created file
Replacing files
Using the Windows Management Instrumentation requests
Creating a file
Reading critical registry keys
Stealing user critical data
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Behavior Graph ID: 494601
Sample: JEFxakY5NB.exe
Start date: 30/09/2021
Architecture: WINDOWS
Score: 60
Signatures on the submitted sample:
    Multi AV Scanner detection for submitted file
    Yara detected BatToExe compiled binary
Process tree:
    JEFxakY5NB.exe (started)
        dropped file: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+)
        cmd.exe (started)
            extd.exe (started, three instances; signature: Multi AV Scanner detection for dropped file)
            2 other processes
Network activity (from the extd.exe instances):
    cdn.discordapp.com 162.159.133.233, 443, 49762, CLOUDFLARENETUS, United States
    162.159.129.233, 443, 49763, CLOUDFLARENETUS, United States
Threat name:
Win64.Trojan.Sabsik
Status:
Malicious
First seen:
2021-09-30 17:57:06 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
5/5
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline discovery infostealer spyware stealer suricata upx
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Malware Config
C2 Extraction:
37.230.112.47:49799
Unpacked files
SHA256 hash:
4adb694efcbcee94dd7aba7cd8d717eeccd06239bfb89555440f2d5506af8b90
MD5 hash:
ede7812d29098515836754ed757358e1
SHA1 hash:
5d240b39fc84faf41b834fae5c1ea49d0b2b711f
Malware family:
RedLine.A
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
    RedLineStealer
        Executable exe 4adb694efcbcee94dd7aba7cd8d717eeccd06239bfb89555440f2d5506af8b90 (this sample)

Delivery method: Distributed via web download

Comments