MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cb1d4b5bb2cf9f77c0dcd1b4b08d2a834ea60018de7622541644536f7d02945. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	4cb1d4b5bb2cf9f77c0dcd1b4b08d2a834ea60018de7622541644536f7d02945
SHA3-384 hash:	32e19a4e97e5af8d9880e573fe22131569874c20a7bb7905d2b118eec4e21838ee483d2cd7369bedee27755dbe5e83c1
SHA1 hash:	f81fd529ee73c8d7f37f52b1712e435d44041ac9
MD5 hash:	bc4a12b631aae51af9fa25fcfc6fa46c
humanhash:	angel-north-montana-butter
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'693'700 bytes
First seen:	2022-10-06 12:14:33 UTC
Last seen:	2022-10-06 14:19:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7a688bd2f7775d0c8bac9f276c94cc5b (3 x RedLineStealer)
ssdeep	24576:y6RzhOYk6ccgOY5YdNuquUyMd7dd9Rv0aO0lM7asTzJ0kAm+EjvLr5yxUl3RuQ5Y:y0OYk6c/qu5zTVtAm+Ejvtl32
Threatray	568 similar samples on MalwareBazaar
TLSH	T1E2C52A135A9B0D75CDD23BB4A1CB633AA734ED30CA3A9B7FB608C43959532C56C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from https://vk.com/doc735662571_647988134?hash=JuA8TLzNdljR2tfhowQYnYczKKXCYtmgVfGyTIdo7rD&dl=G4ZTKNRWGI2TOMI:1665058097:wOChhZMSpUrpmKaHN2u2jZuCcz6IlQAtH63kUAP6BDz&api=1&no_preview=1#t

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317295/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.3640.27322.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Creating a file

Launching a process

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/41534/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/633ec6c890cb824e9da0311a/reports/ddf76815-3b0a-47d0-8064-9443416dee19/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/081c17cd-0ceb-4687-8588-3fa82e4c4dab

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1084978

Signature

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4cb1d4b5bb2cf9f77c0dcd1b4b08d2a834ea60018de7622541644536f7d02945/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2022-10-06 12:15:13 UTC

File Type:

PE (Exe)

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jsy5jnn3ft47o7anzunuwcgsva2ouyabrxtwejkbmrctn56qffcq._file

Verdict:

malicious

RedLineStealer

4a595205329af35588da8df7dda235efb43db5bfc3e77fa107af5dc536fecbd2

RedLineStealer

4bc344e09f50cad258856aca3c3ce4f62f91bf414f29bf67311665185844e7db

RedLineStealer

617da3e0b1e7f1257bc4d0a1762f516002bfd15f3090c1c98e60f867efded904

RedLineStealer

7eff4f2344e8b0857d8045e73a199fc159ce1cbcd6a405606dd5e01c437fe6d0

RedLineStealer

8371e7ba1621bbba6b75ff061f6df8ba2c2c4e2cd9844035dbc1c263bcd76c74

RedLineStealer

a755ddce5ccba523434a36c677d058baef63ecb90e33670a96a70efc7978d411

RedLineStealer

bc01202df6fc9a64936da157f1c020da3f5bd3ef9e33cec3f84309e2963c5202

RedLineStealer

+ 558 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer spyware

Link:

https://tria.ge/reports/221006-pewreaheej/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

79.137.192.9:19788

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e18361b8-21fb-43ab-b53d-d4cc63c2c582

Unpacked files

SH256 hash:

33b0b6e35bfe2f8f1277c2b20079680b30ebcb47aa32eff825728492ba647281

MD5 hash:

ca5bb883eb52af35e7968bdb5000e003

SHA1 hash:

4727f16c6f1cfa15a723e39a1cb6597a4e2846d8

Detections:

redline

Link:

https://www.unpac.me/results/638ce946-8ffc-4dba-9ebe-ec07608ed8e9/

SH256 hash:

4cb1d4b5bb2cf9f77c0dcd1b4b08d2a834ea60018de7622541644536f7d02945

MD5 hash:

bc4a12b631aae51af9fa25fcfc6fa46c

SHA1 hash:

f81fd529ee73c8d7f37f52b1712e435d44041ac9

Link:

https://www.unpac.me/results/638ce946-8ffc-4dba-9ebe-ec07608ed8e9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4cb1d4b5bb2c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4cb1d4b5bb2cf9f77c0dcd1b4b08d2a834ea60018de7622541644536f7d02945

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/317295/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample