MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d26421ffb50624467c0a1772e1f5a1312c8b2f5462c29620e1010a957086274. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d26421ffb50624467c0a1772e1f5a1312c8b2f5462c29620e1010a957086274
SHA3-384 hash: 22b5450c624e466d46930783ea775032ec97b05672aed90cd178fd56c4dd16aa62e1c31196d1c21746977e3c3b38b04d
SHA1 hash: a8b72bc6c5dfb4faa6f7a3130c4cbe97dcb94868
MD5 hash: bedd102705b18c32efaa5f6b95151c44
humanhash: robin-arkansas-romeo-video
File name:bedd102705b18c32efaa5f6b95151c44
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:398'336 bytes
First seen:2022-06-08 23:38:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:eS2dycefMidbBlIS89eQuNW4PfYVrU5HasQ3WYTb7wY51KVJJCGU5yMeS7i:e2D9Blv89eQOWWQUIxTHw8KPU5y
Threatray 3'129 similar samples on MalwareBazaar
TLSH T1B784F147E7D4D08AD0017A3B56E20AA4E274FD187C16D753198CB6DE5EF6B44A8C22CF
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
352
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
bedd102705b18c32efaa5f6b95151c44
Verdict:
Malicious activity
Analysis date:
2022-06-08 23:40:04 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/19c8b6e2-38b0-4bdf-97cb-c5b6bc870181

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277929/
Detection(s):
SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62a13317a2b1fc9744d7c072/reports/36fdfd7e-c75c-46b7-bb16-e59685b78b09/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6059a99b-16b5-4f7d-b39d-330cc4916ba8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1009503
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d26421ffb50624467c0a1772e1f5a1312c8b2f5462c29620e1010a957086274/
Threat name:
ByteCode-MSIL.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 22:11:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=juteeh73kbreiz6auf3s4h22cmjmrmxviywcsyqocaiksvyimj2a._file
Verdict:
malicious
Similar samples:
29863b4eb0d89b1c869858f7c1a8c728663a457f5229f249c993faa73a0800e5
RedLineStealer
29de6adb16cf46a0a53d88fca1749aa63e773ae31fb327a4eac4eab9c9842e2d
RedLineStealer
32cb6180375716275c4a3932bc7f4d2ccc9b7348562db364bab7059b83eefa75
RedLineStealer
7f21772a5af60e60ec8a64a678c5c3cd5bdf30c2dff9c314f6f7341a39ed30ed
RedLineStealer
b247599ef98b9e9144954a5c41083cdd1e46854a54b46e25b7fc729045345f63
RedLineStealer
f62abb12b617c2d02a803a656ec77887dda201942859ad15a9499de4c28ea2aa
RedLineStealer
+ 3'119 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:krystal discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220608-3m9vwsbch3/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
193.106.191.222:23196
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/6c9a1948-4604-40de-ab93-e4afe35ed1b6/
SH256 hash:
dd28abe8eccb8267cafcd59a86992005f6e05b930120e7eeadb8f264a562fb85
MD5 hash:
2fe44421404e2b0e0ce53d53eb431fff
SHA1 hash:
b70dbdcf280e7df7f728b7e653a83c15c8041468
Link:
https://www.unpac.me/results/6c9a1948-4604-40de-ab93-e4afe35ed1b6/
SH256 hash:
3ef5b417c473ba6ff452fe9b68a7d247686c34436ecdffc9bc951003b33d3cb1
MD5 hash:
c7eea11019a8fbd576b35b7ccf2cc36b
SHA1 hash:
9901cbb4d2d1c11336a6308c3c2d3a9a8f1bfdcf
Link:
https://www.unpac.me/results/6c9a1948-4604-40de-ab93-e4afe35ed1b6/
SH256 hash:
4d26421ffb50624467c0a1772e1f5a1312c8b2f5462c29620e1010a957086274
MD5 hash:
bedd102705b18c32efaa5f6b95151c44
SHA1 hash:
a8b72bc6c5dfb4faa6f7a3130c4cbe97dcb94868
Link:
https://www.unpac.me/results/6c9a1948-4604-40de-ab93-e4afe35ed1b6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d26421ffb50/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AlphaCrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d26421ffb50624467c0a1772e1f5a1312c8b2f5462c29620e1010a957086274

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4d26421ffb50624467c0a1772e1f5a1312c8b2f5462c29620e1010a957086274

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2230459/
Cape
Cape
https://www.capesandbox.com/analysis/277929/

Comments


Avatar
zbet commented on 2022-06-08 23:38:08 UTC

url : hxxp://193.106.191.245/OrigiBuild.exe