MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b9e47e07dd69c2b5033476f0a833b9a54a181a0eaae4504bb1e99468d092a9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	4b9e47e07dd69c2b5033476f0a833b9a54a181a0eaae4504bb1e99468d092a9d
SHA3-384 hash:	909e0635fd4ad1bd1791d474001962d1e0ddb5723cc9967e96a298289d5216aa61ec530a24e3c32d2b71b44924277ebf
SHA1 hash:	ccbf541ac310ce1faff0f4964e43b9fc1fab10b7
MD5 hash:	68781871dcdfae9dc22a7bbcb773f603
humanhash:	jupiter-india-speaker-floor
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	224'768 bytes
First seen:	2022-11-12 20:52:22 UTC
Last seen:	2022-11-13 07:59:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ea931bc21ede436bf268fa9ffe43108a (7 x RedLineStealer, 1 x RecordBreaker)
ssdeep	6144:528pT4GONQ1mwyB331mwyB3N3xux9jfmqQYm7sfDU1N15nII:528pT4GONQ1mwyB331mwyB3N3qjfgYmF
Threatray	1'297 similar samples on MalwareBazaar
TLSH	T19E24BF3731208030CCD1DAF614F2C46B9CADA6726FD5D1CB20AC119B5A7EBD71926A5F
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc760750097_655950179?hash=eA6HPrOtJdmxOGVO1TBzTvWzGRuWuJYE4SBEHLaKFzT&dl=G43DANZVGAYDSNY:1668286073:WIXWrZNzr8TcweMsQxjutKRyZsRj9iSVmmyKdu0GdN4&api=1&no_preview=1#new10

Intelligence

File Origin

# of uploads :

304

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-12 20:55:19 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/5ff0baf3-c8fb-4226-8ffb-c35f00127051

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/333026/

Detection(s):

SecuriteInfo.com.Trojan.PWS.StealerNET.125.22628.19453.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/637007aea8a86b129ea0761a/reports/be2b3e02-9fef-4423-b228-d9f38e4dc6b5/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f9feb79e-9c40-4638-a614-8aabecbc3579

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1111979

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b9e47e07dd69c2b5033476f0a833b9a54a181a0eaae4504bb1e99468d092a9d/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-11-12 20:53:07 UTC

File Type:

PE (Exe)

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jopepyd522ocwubti5xqvaz3tjkkdana5kxekbf3d2mundijfkoq._file

Verdict:

malicious

RedLineStealer

4baad1bdeba458bce02653fe5c28afb57116bd69671345279c37d0b33b79c0a1

RedLineStealer

5d48f8503446780ca198fb5a5c7ccebc7a8ca729f9a0cad78a2fc5f381500d13

RedLineStealer

6989c100d05851d4c1ef01005d7e0f56954ab0ec29184bbc5d31adfb1138ddd0

RedLineStealer

84bdcbcb4f0c101eaf448ef5c1d727590b3a35e08a9fd94cc21b500760c8d172

RedLineStealer

aeb61f0481761fc93164b5fe5593431438fa2531f6375f3d88938742d73bade4

RedLineStealer

+ 1'287 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:new11121 infostealer spyware

Link:

https://tria.ge/reports/221112-zpaa9she55/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Uses the VBS compiler for execution

RedLine

RedLine payload

Malware Config

C2 Extraction:

jalocliche.xyz:81
chardhesha.xyz:81

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a3173d49-e920-4695-9ea1-f81ce6f10645

Unpacked files

SH256 hash:

ffce69fc9efafa1ce83ee78388188beb95bde443c40dd4e65c0cbcf97ea33a5d

MD5 hash:

8a2cb82dd29062dd5cd28c56b8f330c1

SHA1 hash:

a3e8823fd316ae628b83a06747e1c43ddf3331b9

Detections:

redline

Link:

https://www.unpac.me/results/2e96104a-6256-4218-862d-5a58e03fa34b/

SH256 hash:

4b9e47e07dd69c2b5033476f0a833b9a54a181a0eaae4504bb1e99468d092a9d

MD5 hash:

68781871dcdfae9dc22a7bbcb773f603

SHA1 hash:

ccbf541ac310ce1faff0f4964e43b9fc1fab10b7

Link:

https://www.unpac.me/results/2e96104a-6256-4218-862d-5a58e03fa34b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4b9e47e07dd69c2b5033476f0a833b9a54a181a0eaae4504bb1e99468d092a9d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/333026/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample