MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c5d8d4835688b21d071c4b10e341b3224afbd09561ce201d4ce735588afb9ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 1 File information Comments

SHA256 hash:	4c5d8d4835688b21d071c4b10e341b3224afbd09561ce201d4ce735588afb9ed
SHA3-384 hash:	97fbf327b148d1525e2fa696e57b546e118be5ce26fc5fcb6ac49f499f56ad678cdf02277dd8ddba974fb9b154abff4b
SHA1 hash:	89ff6b9864c3211a10b73e42a817a62c480950d5
MD5 hash:	521a826ab419588ed5706c014abe36ca
humanhash:	cat-sink-music-freddie
File name:	4c5d8d4835688b21d071c4b10e341b3224afbd09561ce.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	362'496 bytes
First seen:	2022-03-28 02:16:09 UTC
Last seen:	2022-03-29 06:20:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	de2a87646cc33f42cff0f6e99f12662e (2 x RedLineStealer, 2 x Stop, 1 x DanaBot)
ssdeep	6144:Y5g5giE3AEh/OUdMtFkyJVxWQ2F97J7Z70GxhyBZFVeZ3YUgA2NDs2eo:YbiE3r/OfayJVil7l0GxhyBZPuIUS
Threatray	4'280 similar samples on MalwareBazaar
TLSH	T18874C000B790D035E5F721F44A7AD3A8B93E7EA06B2494CB22D52BEE16346E4ED31357
File icon (PE):
dhash icon	6cf49055d4f2b04e (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.177:34450

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.177:34450	https://threatfox.abuse.ch/ioc/456498/

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

Setup_x32_x64.exe

Verdict:

Malicious activity

Analysis date:

2022-03-28 01:49:49 UTC

Tags:

evasion trojan socelars stealer loader opendir rat redline vidar ransomware stop arkei

Link:

https://app.any.run/tasks/a4213bbe-c135-4178-8808-960f616a4f67

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/258297/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.19580.13749.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11635/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62411aa09253b276b78a8a72/reports/fccf6dff-07c0-4f57-b9fd-830fed7844c8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0164dc76-f8dc-438d-9cce-eb771113c16d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/965455

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c5d8d4835688b21d071c4b10e341b3224afbd09561ce201d4ce735588afb9ed/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-03-28 02:17:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jroy2sbvncfsdudrysyq4na3gisk7pijkyooeaouzzzvlcfpxhwq._file

Verdict:

malicious

RedLineStealer

5113706441e3129a1fc253b6a047fde54352681f6caca844137a17322a7e0a4d

RedLineStealer

6d1ea36232c2cb2450e7c9293e04eaa84a3e4a3f9676b9d84b2343ee29f30112

RedLineStealer

c489acd81c9d833c18cd6cb0bb776e7697a9cc793243a9aa9bff1c955394d157

RedLineStealer

ca023814aa064ac9cd4015cf89eec32339828447bb34d2f45c44ef9d064603ff

RedLineStealer

ed2a2f78e6eb462fdacd796d6dc2685498fe1a548fccb57463601bc48456870b

RedLineStealer

+ 4'270 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220328-cqpq1sbhek/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

7fe30e39cd402df57db4038dba3242fdf9700ab4ea4d8368cff34f30fe0db7ac

MD5 hash:

156b98d629bba01b712266ed2978f134

SHA1 hash:

c0d9874f8f89cb2c893b2d34e8b9a127982b7fbf

Link:

https://www.unpac.me/results/7894eea6-b10d-47c7-a5e2-6c79a7fc38d4/

SH256 hash:

795e1469e3f0d6c13212fd0a06d3699d7cd77d78e476d88298fec7720a7d285d

MD5 hash:

559bbc82bc82866ac57f7a74ca11b861

SHA1 hash:

5e2b8c43e14a377b0a959a13bed3e4460c9b94e8

Link:

https://www.unpac.me/results/7894eea6-b10d-47c7-a5e2-6c79a7fc38d4/

SH256 hash:

33f47aae79fe71287f3c35a260e19578251360246daa0eb56e6e0c819bf4f5ff

MD5 hash:

50f57cfa9b7ee11beb5ccbfa76484505

SHA1 hash:

077b759a7b885806bd0b5442f74d14cd5d7af7eb

Link:

https://www.unpac.me/results/7894eea6-b10d-47c7-a5e2-6c79a7fc38d4/

SH256 hash:

4c5d8d4835688b21d071c4b10e341b3224afbd09561ce201d4ce735588afb9ed

MD5 hash:

521a826ab419588ed5706c014abe36ca

SHA1 hash:

89ff6b9864c3211a10b73e42a817a62c480950d5

Link:

https://www.unpac.me/results/7894eea6-b10d-47c7-a5e2-6c79a7fc38d4/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4c5d8d483568/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4c5d8d4835688b21d071c4b10e341b3224afbd09561ce201d4ce735588afb9ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/258297/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample