MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cdf57094405bc954210be5c2fef7c288da7b9ce7e18b718692e2f49d53291a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cdf57094405bc954210be5c2fef7c288da7b9ce7e18b718692e2f49d53291a0
SHA3-384 hash: 44d37ff0c3abf4186513a9c363beb8d219778c6ff2856db3e74599a9453dc270f8aeaab66577d8bfd8873009d3e965cf
SHA1 hash: ab6452f3bb2ee73cc6b07433662579db48323c14
MD5 hash: b0db257c306058635683c5d1ffb14840
humanhash: orange-ceiling-mountain-winter
File name:b0db257c306058635683c5d1ffb14840.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:939'520 bytes
First seen:2023-10-22 11:55:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:SVQaMFM0Mvxv92HAGuMO9qRa8OHhkS6sB3m9GnVZi/XZqe:SVjv90HzO9T8OiS6s3VZ
Threatray 190 similar samples on MalwareBazaar
TLSH T1CB156C7D1DF88227B978D6A2DFA0C432B061D6EFF5629D29D4D756818702A03B4C70BE
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f2ceaeaeb2968eaa (68 x RedLineStealer, 21 x AgentTesla, 18 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.137.22.177:55615

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
b0db257c306058635683c5d1ffb14840.exe
Verdict:
Malicious activity
Analysis date:
2023-10-22 11:58:10 UTC
Tags:
sinkhole stealer redline trojan
Link:
https://app.any.run/tasks/cc65b2e9-77ec-4eba-b0b1-267d10915958

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.769.3150.23350.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65350dd3e3768e7905c5ff6a/reports/48df94cc-6584-4587-837f-73c1ce362bf7/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4cdf57094405bc954210be5c2fef7c288da7b9ce7e18b718692e2f49d53291a0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26551671-d94f-4918-ae16-38c3fbaff2da
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1330024
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1330024 Sample: HZoQR6jzxs.exe Startdate: 22/10/2023 Architecture: WINDOWS Score: 100 40 api.ip.sb 2->40 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 12 other signatures 2->50 8 HZoQR6jzxs.exe 7 2->8         started        12 dVobSx.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\Roaming\dVobSx.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp4910.tmp, XML 8->38 dropped 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->52 54 Found many strings related to Crypto-Wallets (likely being stolen) 8->54 56 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->56 60 2 other signatures 8->60 14 HZoQR6jzxs.exe 15 49 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        58 Multi AV Scanner detection for dropped file 12->58 22 dVobSx.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 42 45.137.22.177, 49718, 49720, 49721 ROOTLAYERNETNL Netherlands 14->42 62 Found many strings related to Crypto-Wallets (likely being stolen) 14->62 64 Tries to steal Crypto Currency Wallets 14->64 26 conhost.exe 14->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        66 Tries to harvest and steal browser information (history, passwords, etc) 22->66 32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4cdf57094405bc954210be5c2fef7c288da7b9ce7e18b718692e2f49d53291a0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cdf57094405bc954210be5c2fef7c288da7b9ce7e18b718692e2f49d53291a0/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-10-19 08:54:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jtpvockeaw6jkqqqxzoc7334fcg2pooopymlogdjfyxutvjssgqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d
RedLineStealer
06fa859540733cee9ea3da2fc973b3a2c323e8b1e7d1d86a1fa37be6e58c55a1
RedLineStealer
2c4c1e3b9b19dc261dd44b2f59d139e3f53a7369a4bfd100c27260d511c51224
RedLineStealer
42409ca4edfb20f9a4b449b89e00f76fa75b40a50ac597f12fc4a39d9b1a69d7
RedLineStealer
7db9709a28664b72ccb106fb5474722a58e2248427c55abd0327d2ae73434cc2
RedLineStealer
801352e073b5e718021995a07e3506fd05b12ee410b69f242c1b9dd2917c30ac
RedLineStealer
9c91537c85883eeb9b15a6ead090c3b7ad260455f022562cac8abdbe92f65370
RedLineStealer
a6cfc55d0412682c88c7906372c40a1d2745c4ad975a65967c2370dc2eb2cab8
RedLineStealer
cd4f4252279410bc08ab3f37cb032a87c0c98077c4fc9981266a9964c37274a9
RedLineStealer
ea94dbd02c762a2ad10e292b346aab4ef7607e9acdd8dabf99cfd39af6b2354d
RedLineStealer
+ 180 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:cheat discovery infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/231022-n316cshh56/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
45.137.22.177:55615
Unpacked files
SH256 hash:
887c1868b2035053475d59246536ddd62c27337ec9f013d6dfe6c995e8eddea0
MD5 hash:
5bb973a00cee0e6c57b856335112abc7
SHA1 hash:
fe1e343446b8eb10b55d2a73e9f5060b375275b7
Link:
https://www.unpac.me/results/bfc8e144-9206-48ab-a7d5-1ab14e059ec6/
SH256 hash:
1bd6ec29dfe2e92495b93c8890df5c70ecba23b370e70d7d80b9f3dbdf937e19
MD5 hash:
d3ac6bbc030ee2f6f06ae1e7359120b5
SHA1 hash:
d060ffad2d7ef4f76aa253f3f3d86ad4897af6ac
Detections:
win_delivery_check_g0
Create hunting rule
Link:
https://www.unpac.me/results/bfc8e144-9206-48ab-a7d5-1ab14e059ec6/
SH256 hash:
ea6847239b8454de1c89f034bfd564344b3314b3fe9748226019bf17230743ef
MD5 hash:
1b46663de1abc94bd92f81e5688ca068
SHA1 hash:
b957eb5b3edac64e9df7c8d14e2a121a094e01d4
Link:
https://www.unpac.me/results/bfc8e144-9206-48ab-a7d5-1ab14e059ec6/
SH256 hash:
ed278807068709bcc74ef7d01ce46682b64d8ec9c8466dc8aaeb92ed75495aaa
MD5 hash:
51e85d063788811778e570139e28ac5a
SHA1 hash:
b3a9f24d4d25c91058e6c1f91e07219423b428fa
Link:
https://www.unpac.me/results/bfc8e144-9206-48ab-a7d5-1ab14e059ec6/
SH256 hash:
b3bd23e94510610f86ab4a18c30a04be3bd4876266857d6fc39d2a1b3ce0e019
MD5 hash:
695e2d9b9f9d72c6e6ccdfec7a475571
SHA1 hash:
77228a01edfa9687bd4e95a44abfc745b4a78719
Link:
https://www.unpac.me/results/bfc8e144-9206-48ab-a7d5-1ab14e059ec6/
SH256 hash:
4cdf57094405bc954210be5c2fef7c288da7b9ce7e18b718692e2f49d53291a0
MD5 hash:
b0db257c306058635683c5d1ffb14840
SHA1 hash:
ab6452f3bb2ee73cc6b07433662579db48323c14
Link:
https://www.unpac.me/results/bfc8e144-9206-48ab-a7d5-1ab14e059ec6/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4cdf57094405/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4cdf57094405bc954210be5c2fef7c288da7b9ce7e18b718692e2f49d53291a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments