MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18

Intelligence 18 IOCs 1 YARA 21 File information Comments

SHA256 hash:	4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53
SHA3-384 hash:	9f720fe1d653d8ba0089e7e064e4b1f32ba6244d8b735d3f887d531c4466042b741edf3f4488c1d6af65b05428f8f03d
SHA1 hash:	077f6a146080489988113104f6b9985c9e806290
MD5 hash:	9451be6a28dc660c832d444f7cc53a58
humanhash:	fruit-illinois-arkansas-fish
File name:	9451be6a28dc660c832d444f7cc53a58.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	622'080 bytes
First seen:	2025-01-10 01:10:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:4nl1cUoV+I4MVKWE5SXa+1nhCF3pGtBM63blYrw2n5nh8zHB:4nluRgJSt9tD3blYrw8/0HB
TLSH	T101D4DF44A295EA06C06347F51D71E3B823ACAF8D9426E7176EFBBDDB38343812914E43
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	863b292b234d2b96 (7 x RedLineStealer, 3 x AsyncRAT, 1 x Formbook)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.222.57.94:55615

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.222.57.94:55615	https://threatfox.abuse.ch/ioc/1380199/

Intelligence

File Origin

# of uploads :

# of downloads :

532

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

9451be6a28dc660c832d444f7cc53a58.exe

Verdict:

Malicious activity

Analysis date:

2025-01-10 01:12:40 UTC

Tags:

stealer redline evasion netreactor lefthook

Link:

https://app.any.run/tasks/9329f6eb-2fee-4b5f-85f2-28f419295e3d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Jalapeno-10038995-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=678074b4ffdcee13ec895a7c

Tags:

infosteal redline

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Connection attempt

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypt obfuscated obfuscated packed packed packer_detected powershell

Link:

https://www.filescan.io/uploads/678073a60e6ff2c75702b891/reports/ae9893e3-6bb8-4c56-8dc3-21cc8cfb787e/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4a5c10b6-552f-4211-a6d8-f190ccc7279d

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

0 / 100

Link:

https://www.joesandbox.com/analysis/1587268

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2025-01-06 12:36:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jltjob76hezzsfjxhipmhlnousnhhklfnsm74j7m3jmrasn6tvjq._file

Verdict:

malicious

Label(s):

redlinestealer

unknown_loader_037

Similar samples:

error

RedLineStealer

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:redline family:sectoprat botnet:cheat discovery execution infostealer rat spyware stealer trojan

Link:

https://tria.ge/reports/250110-bjxydawqdz/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Malware Config

C2 Extraction:

185.222.57.94:55615

Verdict:

Malicious

Tags:

redline Win.Packed.Jalapeno-10038995-0

YARA:

n/a

Link:

https://app.threat.zone/submission/ac2d6eec-8be9-4869-b993-867c9ecfb8a1

Unpacked files

SH256 hash:

168b6065d141a70c80f8c09204fd7252eb104de2e450599fc5896c1439322f6e

MD5 hash:

96858749c6f54f23560dc6a5aef2c32b

SHA1 hash:

861a04be243f05efe28e6d5dd5409ed56ff64476

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/54750d62-4215-4e76-b6a8-9a37633a57bd/

Parent samples :

6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786
ea2305b81698e84ea423f196cbea17b3eddc98c57d5f53342f5ba82fb5ea3856
8515cd8f15f1b16373993dfb77427a0fe071abb0384f9bfe55f14adc4ff5d30a
cbae135ce99b7218f36189a750bca0868612e0c2ba0ab5fed90a32bc123d989d
87c6bd3556e570f5c0acb04c5286da5b222d6f4e2105827ccde74e4123ee55aa
67cc97b2f5e9d35039589c92c7f6fda7831af0f259ddf248fb166664e4027b91
24777f80f39fba9da6a66bb0804bd3c3a510126f583eefb8918e24fa5fdeb69b
c024729558cdf11515cc4024d0f3118d8313a86c68d48846376c55b8ec97c0e4
3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53
9604ee9c0cf521a022d9726b2e1dd82e6b3813d2ade567430b39a2fd9545063b
1787fd4fd81dca24ca10625e93d43168eea906184da17183ba53a306856c0f28
31a2ec31c4722d3011b75595c76e677aba7e5bc164c667d709943893ebea4f97
31dd67c25cb99830d6df7e63abee058598eed026076acd4a659fed12fd8647ef
4697e774285a7b1624b2240cff212aa16a59a91bc1d397e55b5e4b1f1d54e95f

SH256 hash:

2da1ded2d6fc001879110ab66819f40cacfa5c529046b684f2b1b884c3bbdfcd

MD5 hash:

f90efc960b3311b3c386bc7e2544a7a8

SHA1 hash:

779913658561cf80336697275f646c23bc0a7530

Detections:

RedLine_a

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/54750d62-4215-4e76-b6a8-9a37633a57bd/

SH256 hash:

549795be8e3cfc6b9c492218731d7d608689d2a96756cf40f0d6faa12c6d729d

MD5 hash:

f6f700f20c872da433082b02c9126f3e

SHA1 hash:

0a41ddbd9b013eeb6ce0872ee3f68936f7b38205

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/54750d62-4215-4e76-b6a8-9a37633a57bd/

SH256 hash:

4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53

MD5 hash:

9451be6a28dc660c832d444f7cc53a58

SHA1 hash:

077f6a146080489988113104f6b9985c9e806290

Link:

https://www.unpac.me/results/54750d62-4215-4e76-b6a8-9a37633a57bd/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4ae69707fe39/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ae69707fe39339915373a1ec3adaea49a73a9656c99fe27ecda591049be9d53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021 Create hunting rule
Author:	BlackBerry Threat Research Team
Description:	Detects Unobfuscated RedLine Infostealer Executables (.NET)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Trojan_Generic_40899c85 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_15ee6903 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_4df4bcb6 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_6dfafd7b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_f07b3cb4 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_f54632eb Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample