MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d
SHA3-384 hash: af88de973200405ab7968f3fc54696499efc2d995f1707a0b9062d6c29e0ea68b28ac6f9bdd2fb508cf93224dc4493cc
SHA1 hash: 0f557b0b356fc7b5462d252cccd19f93b2cc696a
MD5 hash: e755b7599fc8b631b954d2d80a3246cb
humanhash: river-oven-edward-three
File name:C4Loader.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:129'552 bytes
First seen:2022-11-07 08:36:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8b67e9793f407b21796b58d9b2b1faf (10 x RedLineStealer, 1 x Smoke Loader, 1 x RecordBreaker)
ssdeep 3072:AWrLpduTeRflPTgZv6NV5GqZdPAxusJt6fgMvXM0jJ5Y7eyFNeVmlUOL18c:AUL4YpTV4mAxh6fDyFxL18c
Threatray 2'811 similar samples on MalwareBazaar
TLSH T15FC37B0175C0C472E73769360860DA74DE3DFB701F549EAB7348357A4F782C38A69A6A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C4Loader.exe
Verdict:
No threats detected
Analysis date:
2022-11-07 02:16:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3fbcc2d-65f9-4c9b-a9b4-c338ee6624bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329761/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.3862.31428.16463.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Using obfuscated Powershell scripts
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes overlay packed zusy
Link:
https://www.filescan.io/uploads/6368c3aff7995a78442bfd11/reports/ee04d3f1-7f27-41dd-a80e-9bda1afa97fb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SolidBit Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/047884a2-d433-4ee0-940c-4e50c62e9739
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1107056
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 739720 Sample: C4Loader.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 60 19 Multi AV Scanner detection for submitted file 2->19 7 C4Loader.exe 2->7         started        process3 signatures4 21 Writes to foreign memory regions 7->21 23 Allocates memory in foreign processes 7->23 25 Injects a PE file into a foreign processes 7->25 10 WerFault.exe 19 9 7->10         started        13 vbc.exe 7->13         started        process5 file6 17 C:\ProgramData\Microsoft\...\Report.wer, Unicode 10->17 dropped 15 WerFault.exe 23 11 13->15         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 05:19:46 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=johehioo5gadstvsqrpkmzl3g5tunoclkk55huxkaywl36zjfvoq._file
Verdict:
malicious
Similar samples:
0ca5c734d0f935bcb1d2ba2345150127daa31d05dc7b3363a2b5215de83ab16f
RedLineStealer
5d9d30f4a9e254cd3754c47ca59ac4d4e0f50f4d6fd6564e777819d1701be81e
RedLineStealer
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52
RedLineStealer
8226b5885ea94def0a895da5a98fdcbd826da231a0eaded5bfa380a84cf8d0d9
RedLineStealer
93b19478b4902aa33f9722f5dd0c209cd0e7246d4ad6b3837dbe4eb8b103386b
RedLineStealer
a647e223490db9af36e0794732566345a266e8793bc9a3e45ea58b5cbcd8435c
RedLineStealer
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408
RedLineStealer
ec7ee9dde198537f08df06105918ea77c1be48e8b988b4a9c3f54e7d27628de8
RedLineStealer
fb0902eee42d919696c4f445165b1837b8274c9505ebd916fc820e63e9b1202e
RedLineStealer
+ 2'801 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1 evasion infostealer
Link:
https://tria.ge/reports/221107-kh6cssafcl/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Stops running service(s)
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
107.182.129.73:21733
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c3d4fa8d-f26f-483f-b397-3fe6e8890b0c
Unpacked files
SH256 hash:
4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d
MD5 hash:
e755b7599fc8b631b954d2d80a3246cb
SHA1 hash:
0f557b0b356fc7b5462d252cccd19f93b2cc696a
Link:
https://www.unpac.me/results/381d00ff-12f1-46eb-8193-46ce25df3ef8/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4b8e43a1cee9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/329761/

Comments