MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cf21e58713c1d1c26ab823920f32a68a75f3cf577ceba43db8a854046beeb71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	4cf21e58713c1d1c26ab823920f32a68a75f3cf577ceba43db8a854046beeb71
SHA3-384 hash:	75f6c7f08e602b3a0eb5c1d03b612331051456a205b5549a24a3229284b6c98b2d684c67d33bb75f8a478d4652afb38b
SHA1 hash:	ae46dc7a946ce39470d2195186142e0a72984fda
MD5 hash:	e1f5122a4a690ee91a44d867051592e1
humanhash:	purple-oregon-kilo-winner
File name:	4cf21e58713c1d1c26ab823920f32a68a75f3cf577ceb.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	865'296 bytes
First seen:	2021-03-27 21:05:41 UTC
Last seen:	2021-03-27 22:32:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:Iv70FhWLCKzv9/hxMrzOa1Aot4/guLWcnAz0L6Z56CZ1HFLHqnJTcDsoooooooor:IvQGTxut4/7v4aCZF0a6
Threatray	273 similar samples on MalwareBazaar
TLSH	0B05AE762A1EB5DAD7D05E789622D095C2FF8E9364A7E116CDEA3BC5AC702C0D702133
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://lienabsays.xyz/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://lienabsays.xyz/	https://threatfox.abuse.ch/ioc/5607/

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4cf21e58713c1d1c26ab823920f32a68a75f3cf577ceba43db8a854046beeb71.danger

Verdict:

No threats detected

Analysis date:

2021-03-27 05:45:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/000fa374-bb99-4585-b705-b9c385c45f51

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/127294/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.45965852.30643.2406.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %temp% directory

Deleting a recently created file

Connection attempt to an infection source

Stealing user critical data

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fb802e39-0730-4ce8-8ffe-0563bdc1ebc5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/655960

Signature

.NET source code contains very large array initializations

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/4cf21e58713c1d1c26ab823920f32a68a75f3cf577ceba43db8a854046beeb71/

Threat name:

ByteCode-MSIL.Trojan.Phonzy

Status:

Malicious

First seen:

2021-03-24 19:24:00 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jtzb4wdrhqoryjvlqi4sb4zknctv6phvo7hluq63rkcuarv65nyq._file

Verdict:

malicious

RedLineStealer

41ff1e7d1148b7336cec20f3d4962a0bfa978b4d90b465a9706d1599ff10e2c2

RedLineStealer

765b482b453872d5c03a3919057fac267ca22f85ff3b7fa3b2ea44c31b3a2604

RedLineStealer

8f2fb0c54f7b6c6ccc3bc70cfa83165a4b8905b89744dd98a01ad7f632c82f95

RedLineStealer

91800daa547a2afed2b16ab87634d0466d24d8769b9573ac7ded4c9f94e627ba

RedLineStealer

b5ca5c69a95053bc4a01b47da753cdae82afda75b8bd327b1ffc83a63efb443e

RedLineStealer

e33cc945d6b0681de6b34b52f0cb609676cdf5f3ecf61f4122b64d7a7e74b5ca

RedLineStealer

e54ef11002b82a18e2e43463a42eeac85673feaa06eaa96e82e7982ab498c1c0

RedLineStealer

ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

RedLineStealer

fe0a5fde4fbbddd79d2938af2373c69a8219ea73831be712f1bca86150a30461

RedLineStealer

+ 263 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/210327-1zmarn44qx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

RedLine

Unpacked files

SH256 hash:

664378a7830c48ca160c3bef7d2e52bab1aec4a1b06ec0a6f45b28c3227a69f7

MD5 hash:

da86420bd23111867c5fffb37ee08e3d

SHA1 hash:

ee51c2014733ed2bdb9f01cc8ba46032329c8f91

Link:

https://www.unpac.me/results/af339d61-d380-4ea4-b869-8a0f4a26c5af/

SH256 hash:

60c40c4345576d9b9e3deb679216176588c04e4712a7c02be1076090a2a0763f

MD5 hash:

3aabc9dcf0396b97177eebc8ecf818f9

SHA1 hash:

d0d18e62566046b61f42682ab1110c7f768c0225

Link:

https://www.unpac.me/results/af339d61-d380-4ea4-b869-8a0f4a26c5af/

SH256 hash:

bb6b1fd7c9f3684008b7b7ecd7594383a45ecfe0f54d139452337fde0f513a9e

MD5 hash:

e40cf3f277257afeaf94580a78789f80

SHA1 hash:

77fe5c8b35959bb24b914ce0c01719cce01ac605

Link:

https://www.unpac.me/results/af339d61-d380-4ea4-b869-8a0f4a26c5af/

SH256 hash:

4cf21e58713c1d1c26ab823920f32a68a75f3cf577ceba43db8a854046beeb71

MD5 hash:

e1f5122a4a690ee91a44d867051592e1

SHA1 hash:

ae46dc7a946ce39470d2195186142e0a72984fda

Link:

https://www.unpac.me/results/af339d61-d380-4ea4-b869-8a0f4a26c5af/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4cf21e58713c1d1c26ab823920f32a68a75f3cf577ceba43db8a854046beeb71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127294/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample