MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d689288fda075e937a5bc00afd4b2fb077d5aef8ac767fb415f8b7df31fadd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d689288fda075e937a5bc00afd4b2fb077d5aef8ac767fb415f8b7df31fadd6
SHA3-384 hash: 9e047e06f5b16f768aeb9e470efb4669a9fbbada4be101a9120fa682d1494500484111fa6de3333ada223fb29bf703ae
SHA1 hash: 3fbc5fc64467dbb77e66f93ab7430f21482a2bf0
MD5 hash: 0ce4735ef6b7d77652abd32d08087704
humanhash: zebra-burger-california-magazine
File name:SecuriteInfo.com.Win32.PWSX-gen.5037.28527
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:402'432 bytes
First seen:2023-09-16 12:46:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6316c96fc105fcdafe08845aa690ab (5 x RedLineStealer, 5 x MysticStealer)
ssdeep 6144:6tcaGEZt20ZSwbz8+Dxe8kVAONlZcnvdT2iCcVO4GzCh8Ey:6tFzZtT78Trjcn1Ph8Ey
Threatray 926 similar samples on MalwareBazaar
TLSH T1B8846B1032E0807AFC361379AE6CD6ED34A56EB407B53C9B539D497BCA309DDD972A02
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.5037.28527
Verdict:
Malicious activity
Analysis date:
2023-09-16 12:48:16 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/88cb33de-4fe9-4e57-8a12-2066ea9d4f6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449041/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5037.28527.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/6505a3c734be449f0115f1b9/reports/92f29b12-3fb6-48a8-842a-c706643ada37/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/4d689288fda075e937a5bc00afd4b2fb077d5aef8ac767fb415f8b7df31fadd6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/263d0ced-c1a1-4185-b905-e339cb246ab6
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309454
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d689288fda075e937a5bc00afd4b2fb077d5aef8ac767fb415f8b7df31fadd6/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-09-16 12:47:05 UTC
File Type:
PE (Exe)
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jvujfch5ub26sn5fxqak7vfs7mdx2wxprldwp62bl6fx34y7vxla._file
Verdict:
malicious
Similar samples:
14782d7a1d24ea4bfd979515a5514ec4efc57dc86099c6d9269650393c124cad
RedLineStealer
199c2d8e24c0cc919d0400773938ed3cca76860e7be93b5d1f2f8ee12004a5f7
RedLineStealer
252055d82e07b21166bc7cd77e43635b582947c7bdc60646c5edc4766bcc7f4c
RedLineStealer
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
RedLineStealer
a603f24dcfe2d6c509d38aa796680ba1ec48af5c984bceb106c7b28224cbfcbb
RedLineStealer
a85b8341d1594f4ec7d0aaf1cb367c0fe92ecd1914666107d1ed720d2bb7a1a2
RedLineStealer
b02a04e65ae9453f1c3bc5fcfd47686be2fb8b8f978c3ec29a0c6749106ed4f7
RedLineStealer
cccc9e44afb3839868c474e6e4942f0a359861c5322c6a9fe1ebd9ba79175b00
RedLineStealer
dd7559d441f5207d13dd4e8486af5146085c326b27e0ba2b4a72acbcd2a60984
RedLineStealer
ec53e2555605c5424630d394f6b11677be607c4060ea5772b4afd9ed4f0f94c7
RedLineStealer
+ 916 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@black_santa21 infostealer spyware
Link:
https://tria.ge/reports/230916-pz7peaae7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
94.142.138.4:80
Unpacked files
SH256 hash:
5ca37bf533a9cf2df9a3ec4885766eca61882c98471457e2a44cd31fbb999f63
MD5 hash:
1e88890fe8a8c73b4d1f31f3fd5d1737
SHA1 hash:
e66082342a3889043cbbbd7c1b2a6c0f0abe0ccd
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/dbfdad7d-345f-4aff-80bc-8afacbfda5e6/
Parent samples :
a3ecec0dc331e402e4c9ae68e1c5554b373e39298800e1a74da6a320aafa940e
4d689288fda075e937a5bc00afd4b2fb077d5aef8ac767fb415f8b7df31fadd6
SH256 hash:
4d689288fda075e937a5bc00afd4b2fb077d5aef8ac767fb415f8b7df31fadd6
MD5 hash:
0ce4735ef6b7d77652abd32d08087704
SHA1 hash:
3fbc5fc64467dbb77e66f93ab7430f21482a2bf0
Link:
https://www.unpac.me/results/dbfdad7d-345f-4aff-80bc-8afacbfda5e6/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d689288fda0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d689288fda075e937a5bc00afd4b2fb077d5aef8ac767fb415f8b7df31fadd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4d689288fda075e937a5bc00afd4b2fb077d5aef8ac767fb415f8b7df31fadd6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2711877/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/449041/

Comments