MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5
SHA3-384 hash: e13b1499a861d659ba5c070c9a8c71cda6a0ff640f72edd45826f6deeb9249111e08776f7e24d218679cffb879a02c91
SHA1 hash: 73e5da45efb8fd5d49bafce6dee1dd821cdb8988
MD5 hash: a413967d29faa8bfe4a16a4559cb31c0
humanhash: zulu-sixteen-gee-steak
File name:a413967d29faa8bfe4a16a4559cb31c0
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:369'664 bytes
First seen:2023-03-07 17:32:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ca9aeb70e388366d4b49ad6e91f0c93 (9 x RedLineStealer, 2 x Smoke Loader, 1 x Stealc)
ssdeep 6144:FLPm5PKqhKsktou8kTRjK12KUl9fNGEXjzgU0onQCf4eZ:FLmtJGXTaqlFNfvgUJ5/Z
Threatray 29 similar samples on MalwareBazaar
TLSH T18174F121BBE1D03AF6AB04709C69F6A5DA3F78325168861B7318576E1E332D0977B313
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 011adad08c8c9890 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
a413967d29faa8bfe4a16a4559cb31c0
Verdict:
Malicious activity
Analysis date:
2023-03-07 17:35:18 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/9b8f3c4b-d10c-45bd-81ec-653b24b76fde

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372407/
Detection(s):
Sanesecurity.Malware.28986.BadIN.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28988.BadIN.UNOFFICIAL
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult gozi greyware lockbit
Link:
https://www.filescan.io/uploads/6407754f7f18ce9b01806896/reports/f4cf4196-5240-490a-9c49-17fa2bcd8ca6/overview
Verdict:
Malicious
Labled as:
Ransom.84989A88
Link:
https://www.hybrid-analysis.com/sample/4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e780e643-cba2-439d-a516-0ef5658bbc7d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188824
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 17:44:26 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=joja53b75pi4cawvxzbfxaafhrnfnvmc4cqwyjfrfs252qwyb22q._file
Verdict:
malicious
Similar samples:
0fcc087da8ba15afbf4d184615f5afcc0e89392f04c607c441e655a3cab989ee
RedLineStealer
4cec6318bedc7655dfc3a6eabca18bf6651c13dd84957a813c9dde047e411902
RedLineStealer
70eab914a7cdc96af43a5340602e194ce18ddc6329a7c54513211fc50003cde4
RedLineStealer
7fa53adc326d8a45b36a04c69a7fbc8f5f1651d1cac4fcc9a03fd34ef4aca914
RedLineStealer
9e075cfce69b8fceb8028d1f8647c3f8abde1964fa44a3f65254cc1c2993a7cc
RedLineStealer
a39063fc04d2b939f094b36835d5839c28818652db5efe9c05a039c9facbd514
RedLineStealer
a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425
RedLineStealer
b0616290928a4dc2b15cd8a0e1ab6be754cfc6c4d46bc50f4dfbc3234a364966
RedLineStealer
b4dedc316dd5f2f935d6ace81bd4188fc470cd83acbfa1c8de07a34cc778a5f6
RedLineStealer
d65ff348b355affe66cf32d1e054d9b8ebf22757642a678c6a55e821c647191a
RedLineStealer
+ 19 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:fud discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230307-v4vhjaba74/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.27:4123
Unpacked files
SH256 hash:
496d8c34bad7d9ae8c3fd18eeb73cffb9a8ddccfef5c7fa96284b8055964081e
MD5 hash:
b574673143aaf47273898512b24562ef
SHA1 hash:
cc5b004dc56e56df7cfbefb040c184b5f94bae6f
Link:
https://www.unpac.me/results/5c6509be-6157-462f-a28c-b72cb77e3ef6/
SH256 hash:
af62a39d8eebf45788b0ff565b251d64e6c5d5b363679b91ab39ff40d70ba682
MD5 hash:
d28c2698ab9fb9fad786591b59db927b
SHA1 hash:
c27b8e93eb2d7c681d1368677e8d1eb57dc660da
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/5c6509be-6157-462f-a28c-b72cb77e3ef6/
Parent samples :
70eab914a7cdc96af43a5340602e194ce18ddc6329a7c54513211fc50003cde4
a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425
0fcc087da8ba15afbf4d184615f5afcc0e89392f04c607c441e655a3cab989ee
a39063fc04d2b939f094b36835d5839c28818652db5efe9c05a039c9facbd514
b4dedc316dd5f2f935d6ace81bd4188fc470cd83acbfa1c8de07a34cc778a5f6
6808fc9dd786edeedf05207404c383bb65f65c77f0b6d9ad6af021acffa57dce
cc954ad57b0d199e35338bebb2c18ca63a5dfe2191f647945b8427e8dfb4203f
0c6574915c7d6484f072b1cc10e4aa4c6d04a328702608763bd67807c64a3a13
d3de2fa2fee4852c02d6be5629ecd98a41e6cc68be44be8891363cbfbe1ce75d
e1c49e9f6ca080d6b0726863419639bec545897260cb888ef2eba24bf237c82a
af81398d9dd6bf934e0c0463b474e6ad745318c51179c52e003be536f30cba1b
bc30a77e12e73bc5117293a00f2f39a5c402404ab511f36979e0f3d00fea3b14
0196d177ad5c0fa45978723063d3ad7ad06e4972986b32f7b4ef9b6ec27176a1
83461a529d4326fd622d61e88012e5188ce3607c5f11889d7cb28324e693fd5c
dd6a747e6e11e33377fd70a5678dadbfbb010bacace4b4459c5b83a095743c16
740fa42fcb01706b87003995e8058ed06e2c4b92afd711e6127c58cb0341bbe4
086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226
9e9ff5827f90993bf7e9a8bd7f1b9f064180bff8211ca87d8e1d5886c11d5508
956218c1b0cd410c5fe5d3f19b69b120a6373a05d357bea7d7190a3754fdefb8
0b7b1deaf0f90e3bfe4ce968eeaaa95741ecd1714a4566a9d4084d420294b750
4cec6318bedc7655dfc3a6eabca18bf6651c13dd84957a813c9dde047e411902
9e075cfce69b8fceb8028d1f8647c3f8abde1964fa44a3f65254cc1c2993a7cc
7fa53adc326d8a45b36a04c69a7fbc8f5f1651d1cac4fcc9a03fd34ef4aca914
997c73cd1e75587de8ddbdbabc4527454f80eb06515efe6f5d8d0bae39e0dfa0
d65ff348b355affe66cf32d1e054d9b8ebf22757642a678c6a55e821c647191a
4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5
03d64d5b343e6d39c98916b02fcaf9a90bf0eef42e35e3b9d6dcb1ad735ec639
9cda3093dddacbd05e0e9c8ce7320c73320ff2ea4b66ca3578b5b4fd9dc80fe2
2ea0bdd6a345b67435ffb4208a1fd0d05057a590cf2030e6b49887815ae6dc44
8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e
d3f8b9ca52931ea88524319a7d1acaa2e261f4303c66baa32ea3a3f02c370cf8
968abf589a80baeea44d2e9af46cbdc5619b0414990eb418703f6609cefd399e
4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067
SH256 hash:
ccce936c2a1c4388fab72933fa9fa26927e48e2f6ba8196e159670f317114116
MD5 hash:
38e45ef56b0207e9b25a597ce6031fb2
SHA1 hash:
024ca86af9ed7838c058e0746ad7d8ba92b06289
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/5c6509be-6157-462f-a28c-b72cb77e3ef6/
Parent samples :
70eab914a7cdc96af43a5340602e194ce18ddc6329a7c54513211fc50003cde4
0fcc087da8ba15afbf4d184615f5afcc0e89392f04c607c441e655a3cab989ee
6808fc9dd786edeedf05207404c383bb65f65c77f0b6d9ad6af021acffa57dce
0c6574915c7d6484f072b1cc10e4aa4c6d04a328702608763bd67807c64a3a13
bc30a77e12e73bc5117293a00f2f39a5c402404ab511f36979e0f3d00fea3b14
0196d177ad5c0fa45978723063d3ad7ad06e4972986b32f7b4ef9b6ec27176a1
83461a529d4326fd622d61e88012e5188ce3607c5f11889d7cb28324e693fd5c
740fa42fcb01706b87003995e8058ed06e2c4b92afd711e6127c58cb0341bbe4
9e9ff5827f90993bf7e9a8bd7f1b9f064180bff8211ca87d8e1d5886c11d5508
956218c1b0cd410c5fe5d3f19b69b120a6373a05d357bea7d7190a3754fdefb8
4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5
9cda3093dddacbd05e0e9c8ce7320c73320ff2ea4b66ca3578b5b4fd9dc80fe2
2ea0bdd6a345b67435ffb4208a1fd0d05057a590cf2030e6b49887815ae6dc44
8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e
968abf589a80baeea44d2e9af46cbdc5619b0414990eb418703f6609cefd399e
4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067
SH256 hash:
4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5
MD5 hash:
a413967d29faa8bfe4a16a4559cb31c0
SHA1 hash:
73e5da45efb8fd5d49bafce6dee1dd821cdb8988
Link:
https://www.unpac.me/results/5c6509be-6157-462f-a28c-b72cb77e3ef6/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4b920eec3feb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2561884/
Cape
Cape
https://www.capesandbox.com/analysis/372407/

Comments


Avatar
zbet commented on 2023-03-07 17:32:10 UTC

url : hxxps://libnde.eu/gallery/photo_004.exe