MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067
SHA3-384 hash: a727383c3c93a4afbbf082eeedbc5582b0eee3bf17aaa4321293b8bff630414bfa394ecdef172869f121e07649904fa5
SHA1 hash: d40f9a142823ff045ef1744f295eea28ad5ea45d
MD5 hash: c780b3167a20b5a301cf38a47632e8ad
humanhash: edward-michigan-oxygen-lima
File name:SecuriteInfo.com.Variant.Mikey.145425.22281.4686
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:308'224 bytes
First seen:2023-03-08 13:32:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8a699b19de854b1d45a8cb5567d77787 (2 x GCleaner, 1 x RedLineStealer)
ssdeep 3072:aQ3XmDX/mIMhZYn4jMEi+Ts1HBIexK+K0sc7I/xTTvyUYGyraHH2DmcnnIHiJlqP:teXuIMhqB6mmdzxdYaH2Dm2nIUGjyn
Threatray 3'854 similar samples on MalwareBazaar
TLSH T1B964D00277EDB961E6725A714E3DC3B53B2FBD634E68666F23186A1F09702D1C932312
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 916a6a6a6a6a6a64 (28 x Smoke Loader, 25 x RedLineStealer, 9 x Tofsee)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Variant.Mikey.145425.22281.4686
Verdict:
Malicious activity
Analysis date:
2023-03-08 13:35:26 UTC
Tags:
redline
Link:
https://app.any.run/tasks/9c54159c-76c1-4141-9071-8ab7d3a275e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372591/
Detection(s):
SecuriteInfo.com.Variant.Mikey.145425.22281.4686.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mikey packed ursnif
Link:
https://www.filescan.io/uploads/64088e8f23801f5963545fe0/reports/d6ecf0bf-01df-4da6-951b-69af33f8a0a1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/40df1c63-ac00-45a8-9562-585535f97bc9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1189736
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 11:17:50 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jp7owmn4np2xo2eovnbzzvpdfuq363tykuhwegwmtupwqigyybtq._file
Verdict:
malicious
Similar samples:
0c6574915c7d6484f072b1cc10e4aa4c6d04a328702608763bd67807c64a3a13
RedLineStealer
0fcc087da8ba15afbf4d184615f5afcc0e89392f04c607c441e655a3cab989ee
RedLineStealer
6808fc9dd786edeedf05207404c383bb65f65c77f0b6d9ad6af021acffa57dce
RedLineStealer
70eab914a7cdc96af43a5340602e194ce18ddc6329a7c54513211fc50003cde4
RedLineStealer
968abf589a80baeea44d2e9af46cbdc5619b0414990eb418703f6609cefd399e
RedLineStealer
a39063fc04d2b939f094b36835d5839c28818652db5efe9c05a039c9facbd514
RedLineStealer
a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425
RedLineStealer
b4dedc316dd5f2f935d6ace81bd4188fc470cd83acbfa1c8de07a34cc778a5f6
RedLineStealer
cc954ad57b0d199e35338bebb2c18ca63a5dfe2191f647945b8427e8dfb4203f
RedLineStealer
d3de2fa2fee4852c02d6be5629ecd98a41e6cc68be44be8891363cbfbe1ce75d
RedLineStealer
+ 3'844 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:fud infostealer
Link:
https://tria.ge/reports/230308-qthzjaea65/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.27:4123
Unpacked files
SH256 hash:
496d8c34bad7d9ae8c3fd18eeb73cffb9a8ddccfef5c7fa96284b8055964081e
MD5 hash:
b574673143aaf47273898512b24562ef
SHA1 hash:
cc5b004dc56e56df7cfbefb040c184b5f94bae6f
Link:
https://www.unpac.me/results/63529c18-ff0b-4e8a-9f0c-e236e030e314/
SH256 hash:
af62a39d8eebf45788b0ff565b251d64e6c5d5b363679b91ab39ff40d70ba682
MD5 hash:
d28c2698ab9fb9fad786591b59db927b
SHA1 hash:
c27b8e93eb2d7c681d1368677e8d1eb57dc660da
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/63529c18-ff0b-4e8a-9f0c-e236e030e314/
Parent samples :
70eab914a7cdc96af43a5340602e194ce18ddc6329a7c54513211fc50003cde4
a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425
0fcc087da8ba15afbf4d184615f5afcc0e89392f04c607c441e655a3cab989ee
a39063fc04d2b939f094b36835d5839c28818652db5efe9c05a039c9facbd514
b4dedc316dd5f2f935d6ace81bd4188fc470cd83acbfa1c8de07a34cc778a5f6
6808fc9dd786edeedf05207404c383bb65f65c77f0b6d9ad6af021acffa57dce
cc954ad57b0d199e35338bebb2c18ca63a5dfe2191f647945b8427e8dfb4203f
0c6574915c7d6484f072b1cc10e4aa4c6d04a328702608763bd67807c64a3a13
d3de2fa2fee4852c02d6be5629ecd98a41e6cc68be44be8891363cbfbe1ce75d
e1c49e9f6ca080d6b0726863419639bec545897260cb888ef2eba24bf237c82a
af81398d9dd6bf934e0c0463b474e6ad745318c51179c52e003be536f30cba1b
bc30a77e12e73bc5117293a00f2f39a5c402404ab511f36979e0f3d00fea3b14
0196d177ad5c0fa45978723063d3ad7ad06e4972986b32f7b4ef9b6ec27176a1
83461a529d4326fd622d61e88012e5188ce3607c5f11889d7cb28324e693fd5c
dd6a747e6e11e33377fd70a5678dadbfbb010bacace4b4459c5b83a095743c16
740fa42fcb01706b87003995e8058ed06e2c4b92afd711e6127c58cb0341bbe4
086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226
9e9ff5827f90993bf7e9a8bd7f1b9f064180bff8211ca87d8e1d5886c11d5508
956218c1b0cd410c5fe5d3f19b69b120a6373a05d357bea7d7190a3754fdefb8
0b7b1deaf0f90e3bfe4ce968eeaaa95741ecd1714a4566a9d4084d420294b750
4cec6318bedc7655dfc3a6eabca18bf6651c13dd84957a813c9dde047e411902
9e075cfce69b8fceb8028d1f8647c3f8abde1964fa44a3f65254cc1c2993a7cc
7fa53adc326d8a45b36a04c69a7fbc8f5f1651d1cac4fcc9a03fd34ef4aca914
997c73cd1e75587de8ddbdbabc4527454f80eb06515efe6f5d8d0bae39e0dfa0
d65ff348b355affe66cf32d1e054d9b8ebf22757642a678c6a55e821c647191a
4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5
03d64d5b343e6d39c98916b02fcaf9a90bf0eef42e35e3b9d6dcb1ad735ec639
9cda3093dddacbd05e0e9c8ce7320c73320ff2ea4b66ca3578b5b4fd9dc80fe2
2ea0bdd6a345b67435ffb4208a1fd0d05057a590cf2030e6b49887815ae6dc44
8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e
d3f8b9ca52931ea88524319a7d1acaa2e261f4303c66baa32ea3a3f02c370cf8
968abf589a80baeea44d2e9af46cbdc5619b0414990eb418703f6609cefd399e
4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067
SH256 hash:
ccce936c2a1c4388fab72933fa9fa26927e48e2f6ba8196e159670f317114116
MD5 hash:
38e45ef56b0207e9b25a597ce6031fb2
SHA1 hash:
024ca86af9ed7838c058e0746ad7d8ba92b06289
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/63529c18-ff0b-4e8a-9f0c-e236e030e314/
Parent samples :
70eab914a7cdc96af43a5340602e194ce18ddc6329a7c54513211fc50003cde4
0fcc087da8ba15afbf4d184615f5afcc0e89392f04c607c441e655a3cab989ee
6808fc9dd786edeedf05207404c383bb65f65c77f0b6d9ad6af021acffa57dce
0c6574915c7d6484f072b1cc10e4aa4c6d04a328702608763bd67807c64a3a13
bc30a77e12e73bc5117293a00f2f39a5c402404ab511f36979e0f3d00fea3b14
0196d177ad5c0fa45978723063d3ad7ad06e4972986b32f7b4ef9b6ec27176a1
83461a529d4326fd622d61e88012e5188ce3607c5f11889d7cb28324e693fd5c
740fa42fcb01706b87003995e8058ed06e2c4b92afd711e6127c58cb0341bbe4
9e9ff5827f90993bf7e9a8bd7f1b9f064180bff8211ca87d8e1d5886c11d5508
956218c1b0cd410c5fe5d3f19b69b120a6373a05d357bea7d7190a3754fdefb8
4b920eec3febd1c102d5be425b80053c5a56d582e0a16c24b12cb5dd42d80eb5
9cda3093dddacbd05e0e9c8ce7320c73320ff2ea4b66ca3578b5b4fd9dc80fe2
2ea0bdd6a345b67435ffb4208a1fd0d05057a590cf2030e6b49887815ae6dc44
8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e
968abf589a80baeea44d2e9af46cbdc5619b0414990eb418703f6609cefd399e
4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067
SH256 hash:
4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067
MD5 hash:
c780b3167a20b5a301cf38a47632e8ad
SHA1 hash:
d40f9a142823ff045ef1744f295eea28ad5ea45d
Link:
https://www.unpac.me/results/63529c18-ff0b-4e8a-9f0c-e236e030e314/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4bfeeb31bc6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4bfeeb31bc6bf577688eab439cd5e32d21bf6e78550f621acc9d1f6820d8c067

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2561884/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2562862/
Cape
Cape
https://www.capesandbox.com/analysis/372591/

Comments