MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b9f840c642b72622491f3f409e9d411c95bbc886f9325de92346c3011e838a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b9f840c642b72622491f3f409e9d411c95bbc886f9325de92346c3011e838a8
SHA3-384 hash: e0a989c23303aa1b6e110e07666b859a0c9aff283b80911f85acf99a7e5aec1141491cdfe60c8a0fb2726ff60ae84f10
SHA1 hash: 6c694ca22757dc271e7414d98ea578dca7396d33
MD5 hash: 504232315a7052c47656d081dd2b8c26
humanhash: alaska-nebraska-october-moon
File name:504232315a7052c47656d081dd2b8c26.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:357'888 bytes
First seen:2022-10-27 01:10:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 05aa90d7a986b3c8f094da06a7e0c5fa (1 x RedLineStealer)
ssdeep 6144:bgekpeiqQB88L5ztSFe6P1AOfLntnvmBIYXhQlCv6OKYE4ypiAqBib:sekpeiqQBzq1tLn0B3Xh09PiAEib
Threatray 817 similar samples on MalwareBazaar
TLSH T16374AE1CB561C032D4F324724DE2E2B9482CF9200B66D9FBE7CC1A6D5B35AE1A572D36
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.164.16.192:47029

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.164.16.192:47029 https://threatfox.abuse.ch/ioc/950795/

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
504232315a7052c47656d081dd2b8c26.exe
Verdict:
Malicious activity
Analysis date:
2022-10-27 01:13:27 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/1da8342f-eda6-4e2d-b543-e8840c81cca0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324628/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.24283.39.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Running batch commands
Stealing user critical data
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45818/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8796b286-cf1f-4300-89b3-5df4faf4cad5
Result
Threat name:
Laplas Clipper, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1098782
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 731433 Sample: F9JyRaGSFC.exe Startdate: 27/10/2022 Architecture: WINDOWS Score: 100 115 na.luckpool.net 2->115 131 Snort IDS alert for network traffic 2->131 133 Malicious sample detected (through community Yara rule) 2->133 135 Antivirus detection for dropped file 2->135 137 11 other signatures 2->137 11 F9JyRaGSFC.exe 2->11         started        14 chrome.exe 2->14         started        16 svcupdater.exe 2->16         started        19 chrome.exe 2->19         started        signatures3 process4 dnsIp5 181 Contains functionality to inject code into remote processes 11->181 183 Writes to foreign memory regions 11->183 185 Allocates memory in foreign processes 11->185 187 Injects a PE file into a foreign processes 11->187 21 RegSvcs.exe 15 12 11->21         started        189 Drops executables to the windows directory (C:\Windows) and starts them 14->189 191 Adds a directory exclusion to Windows Defender 14->191 193 Sample uses process hollowing technique 14->193 26 powershell.exe 14->26         started        28 schtasks.exe 14->28         started        30 schtasks.exe 14->30         started        32 GoogleUpdate.exe 14->32         started        113 clipper.guru 45.159.189.115, 49987, 80 HOSTING-SOLUTIONSUS Netherlands 16->113 195 Multi AV Scanner detection for dropped file 16->195 197 Machine Learning detection for dropped file 16->197 signatures6 process7 dnsIp8 125 193.164.16.192, 47029, 49699 AT-ASRU Russian Federation 21->125 127 transfer.sh 144.76.136.153, 443, 49702, 49703 HETZNER-ASDE Germany 21->127 129 3 other IPs or domains 21->129 103 C:\Users\user\AppData\Local\...\filename.exe, PE32+ 21->103 dropped 105 C:\Users\user\AppData\Local\...\ofg.exe, PE32 21->105 dropped 107 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 21->107 dropped 109 2 other malicious files 21->109 dropped 173 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->173 175 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->175 177 Tries to harvest and steal browser information (history, passwords, etc) 21->177 179 Tries to steal Crypto Currency Wallets 21->179 34 chrome.exe 1 21->34         started        38 app.exe 1 21->38         started        40 ofg.exe 21->40         started        48 2 other processes 21->48 42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        file9 signatures10 process11 file12 95 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 34->95 dropped 139 Multi AV Scanner detection for dropped file 34->139 141 Detected unpacking (changes PE section rights) 34->141 143 Machine Learning detection for dropped file 34->143 155 2 other signatures 34->155 50 GoogleUpdate.exe 34->50         started        54 powershell.exe 18 34->54         started        56 schtasks.exe 1 34->56         started        58 schtasks.exe 34->58         started        145 Writes to foreign memory regions 38->145 147 Allocates memory in foreign processes 38->147 149 Injects a PE file into a foreign processes 38->149 60 vbc.exe 38->60         started        67 3 other processes 38->67 97 C:\Users\user\AppData\...\svcupdater.exe, PE32 40->97 dropped 63 cmd.exe 40->63         started        99 C:\ProgramData\Updater\VCXRYF.exe, PE32+ 48->99 dropped 101 C:\Program Files\fghjk.exe, PE32+ 48->101 dropped 151 Antivirus detection for dropped file 48->151 153 Adds a directory exclusion to Windows Defender 48->153 65 cmd.exe 48->65         started        69 2 other processes 48->69 signatures13 process14 dnsIp15 117 api.peer2profit.com 172.66.43.60, 443, 49704, 49706 CLOUDFLARENETUS United States 50->117 119 162.19.175.129, 443, 49705, 49707 CENTURYLINK-US-LEGACY-QWESTUS United States 50->119 157 Uses netsh to modify the Windows network and firewall settings 50->157 159 Modifies the windows firewall 50->159 71 netsh.exe 50->71         started        73 netsh.exe 50->73         started        75 netsh.exe 50->75         started        77 conhost.exe 54->77         started        79 conhost.exe 56->79         started        81 conhost.exe 58->81         started        121 t.me 149.154.167.99, 443, 49862 TELEGRAMRU United Kingdom 60->121 123 95.217.29.33, 49877, 80 HETZNER-ASDE Germany 60->123 111 C:\ProgramData\sqlite3.dll, PE32 60->111 dropped 161 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 60->161 163 Tries to harvest and steal browser information (history, passwords, etc) 60->163 165 DLL side loading technique detected 60->165 167 Tries to steal Crypto Currency Wallets 60->167 169 Uses powercfg.exe to modify the power settings 63->169 171 Modifies power options to not sleep / hibernate 63->171 83 2 other processes 63->83 85 4 other processes 65->85 87 2 other processes 69->87 file16 signatures17 process18 process19 89 conhost.exe 71->89         started        91 conhost.exe 73->91         started        93 conhost.exe 75->93         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b9f840c642b72622491f3f409e9d411c95bbc886f9325de92346c3011e838a8/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-22 08:23:00 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jopyiddefnzgejer6p2at2ouchevxpein6jslxusgrwdaepihcua._file
Verdict:
malicious
Similar samples:
23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02
RedLineStealer
3e12feacf2c7f28a71ade378c01afb4ff35c137e43840d3570cf1e820414f0c1
RedLineStealer
6a4b9c18783615adb849fdf2951023243f4a7e70d050a912c9dfad60a537fe28
RedLineStealer
84bdcbcb4f0c101eaf448ef5c1d727590b3a35e08a9fd94cc21b500760c8d172
RedLineStealer
d1044c3ddb7c69269654bdf6c25b0a3640b2a1be2caed5637b81b96ebdf04497
RedLineStealer
d92db9c78fa87d6a9daf30ba9abc7056480f541d7a6b0b17a9f100109df8e6c9
RedLineStealer
fb0816b55ce0416b43f909bd41ec2083d8b1715b0765c04cd09eac6ef5c804e5
RedLineStealer
+ 807 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer spyware stealer
Link:
https://tria.ge/reports/221027-bjx85sacb2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
RedLine
RedLine payload
Vidar
Malware Config
C2 Extraction:
193.164.16.192:47029
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
4b9f840c642b72622491f3f409e9d411c95bbc886f9325de92346c3011e838a8
MD5 hash:
504232315a7052c47656d081dd2b8c26
SHA1 hash:
6c694ca22757dc271e7414d98ea578dca7396d33
Link:
https://www.unpac.me/results/90666949-b5f1-4c88-b5f9-22bdbd5c3f2e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4b9f840c642b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b9f840c642b72622491f3f409e9d411c95bbc886f9325de92346c3011e838a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324628/

Comments