MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b95b4baed8ab99e460c00c628280a1c3c10f209f47712b7336b554ef19ea8b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	4b95b4baed8ab99e460c00c628280a1c3c10f209f47712b7336b554ef19ea8b3
SHA3-384 hash:	4e8ce56dd51fc7bb3323d48bc82887643f57aac11e243686ed53a980c27f85f351b01e77d03dc299ab7596a8431b9342
SHA1 hash:	c214f3bd59a1b4816074940ed2da4ca3dff176fe
MD5 hash:	84b21d8725b7bec20436dbf3f82d2c15
humanhash:	mockingbird-nevada-washington-earth
File name:	SecuriteInfo.com.FileRepMalware.2822.22739
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	13'957'120 bytes
First seen:	2023-06-30 16:55:13 UTC
Last seen:	2023-06-30 17:48:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 77 x LummaStealer, 62 x Rhadamanthys)
ssdeep	196608:241EQYGZWHHnaDjH16JEQwZm058MKG1lXN2BGVsE8hSzJwJll8wQhRdxXe:ZEQYGZvD71CE205bpXUE7zJw3l8HhFO
Threatray	2'796 similar samples on MalwareBazaar
TLSH	T13BE6331953A46A90C22453F627F18A47042878521E34DA9B369FF33D1CF299EBE35F4B
TrID	83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 4.4% (.EXE) Win64 Executable (generic) (10523/12/4) 2.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.FileRepMalware.2822.22739

Verdict:

Malicious activity

Analysis date:

2023-06-30 17:00:06 UTC

Tags:

opendir

Link:

https://app.any.run/tasks/22b58e8a-27e6-40dd-bd6d-0facf0efd8a8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.2822.22739.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Сreating synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/94286/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

91%

Tags:

advpack CAB control explorer installer lolbin packed rundll32 setupapi shell32

Link:

https://www.filescan.io/uploads/649f092626dab9d9c850784b/reports/5b63d327-24d4-469a-ad86-ba51fa32bf2b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/4b95b4baed8ab99e460c00c628280a1c3c10f209f47712b7336b554ef19ea8b3

Result

Verdict:

MALICIOUS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c5ad03af-227a-4194-b343-5c574c1dcd4b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1264363

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Costura Assembly Loader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b95b4baed8ab99e460c00c628280a1c3c10f209f47712b7336b554ef19ea8b3/

Threat name:

Win64.Spyware.RedLine

Status:

Suspicious

First seen:

2023-06-28 22:59:27 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jok3joxnrk4z4rqmaddcqkakdq6bb4qj6r3rfnztnnku54m6vczq._file

Verdict:

malicious

RedLineStealer

4e1e9baa83e4e1f612490a1348ba9d6aa431563ad96320705d3ea886a8ede4e9

RedLineStealer

57e54db0cdc33fc67a654967cc6c6708de33b569e4efcfeaa2d2565a445f20bb

RedLineStealer

746f5d251c0d3883fd7a4d5775acdf6c12417f1365fc9db57a549f528ccd91dc

RedLineStealer

7cc8ef889a24d8be46158ed9525edb3efe4b872709edfe4c565fb562271969ee

RedLineStealer

b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b

RedLineStealer

bd213bacf745262d609025230b73d653d2ef62875f28860ea1b4d1a65f5c5cca

RedLineStealer

e62a32a33a570f93a15d0b1d4e8faf1ed30ea1aa15ec3e8bd9a0050cf557675d

RedLineStealer

f9c0b902d916f689dcf93a3557640741826483e3c2c3139a02605a5ec0546b29

RedLineStealer

fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505

RedLineStealer

+ 2'786 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:stella discovery infostealer persistence spyware stealer

Link:

https://tria.ge/reports/230630-vfpmdafa4s/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

dragonlimb.com:80

Unpacked files

SH256 hash:

4b95b4baed8ab99e460c00c628280a1c3c10f209f47712b7336b554ef19ea8b3

MD5 hash:

84b21d8725b7bec20436dbf3f82d2c15

SHA1 hash:

c214f3bd59a1b4816074940ed2da4ca3dff176fe

Link:

https://www.unpac.me/results/c5ef855f-3e61-4df8-a4be-f82d8529fdef/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4b95b4baed8a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4b95b4baed8ab99e460c00c628280a1c3c10f209f47712b7336b554ef19ea8b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample