MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dbadf02347ab3163fa92ec92b10bc2b8070270e369a2b79c988dec9594d3f64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	4dbadf02347ab3163fa92ec92b10bc2b8070270e369a2b79c988dec9594d3f64
SHA3-384 hash:	968141be3b25d4911cd387bb523892c737c91f323247b7d9656a13f411ebe754aef3dd2581d7640e73eb00656ea3e996
SHA1 hash:	d38a0aae45ca3f399056c1af819a84ac4bf8f782
MD5 hash:	2d79fb71f371e9f758b50d7345c5913f
humanhash:	september-texas-coffee-bluebird
File name:	4dbadf02347ab3163fa92ec92b10bc2b8070270e369a2.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	400'896 bytes
First seen:	2021-10-28 11:01:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0f7adf3ddfcd5cd172c9a2547afae4e3 (1 x RedLineStealer)
ssdeep	12288:EwQEENdsACStoVLAiedkGhd2fc8QBQQ6Qn/:ETEE/ttoV8Hhd2dhc
Threatray	2'972 similar samples on MalwareBazaar
TLSH	T1CA84BF00B7A0C034F5B212F84ABA9368B93E7AA1676894CF53D52AEE57346D1FD31317
File icon (PE):
dhash icon	badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
94.103.9.151:31261

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
94.103.9.151:31261	https://threatfox.abuse.ch/ioc/239225/

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/200898/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.79312.28999.1125.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/617a832fa9d585e6d53d0e4f/reports/43a6449f-48f2-4c3e-b844-ba8e932633d0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8ebdf3ff-2ff2-4359-929d-06980d9080d8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/878499

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4dbadf02347ab3163fa92ec92b10bc2b8070270e369a2b79c988dec9594d3f64/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2021-10-28 03:09:50 UTC

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jw5n6arupkzrmp5jf3eswef4foahajyog2ncw6ojrdpmswknh5sa._file

Verdict:

malicious

RedLineStealer

3405731ce8212b634f19c22bccba238c2f8bdaedc518ee43acc8257bf184397d

RedLineStealer

4555039b1d96ef3a91d2272dbcbcdd76b835f41fb2b765e28e205dcea0205149

RedLineStealer

5bbf7c41579bac06169c81fafe92940dcf10b511d21cafa41e7ab809961305a3

RedLineStealer

83d6c0356008f91b0f7c742b05bb12a30f5da5289e14c49f3a6f0ffa8020bddf

RedLineStealer

a56535178bb2c4e9fdaf4c5c6d26d58224b9bfac8b0c4be2b035b778e6ef6d9f

RedLineStealer

b93c3342ed056d702f68cda57ccdd6ea92c34addac671f174e7070477cf4c156

RedLineStealer

bd49a745c03761b578007d77f1c82379af8f4ae324bb41a558477935beab05d8

RedLineStealer

f8eaf4927a573dd810d0d51d0af5b72dfe12045dd7e84535ff9b636ec8f6dfb1

RedLineStealer

+ 2'962 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211028-m45dqsfhfl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

94.103.9.151:31261

Unpacked files

SH256 hash:

9effc7fbf7bad86d566641784323d9a1e26b2357f06823e39fa5fb5b8d3fa96b

MD5 hash:

3c9034052dc9e487ce2234d21f1af12e

SHA1 hash:

9136891307540b5d80a84649090f3229e9ec799c

Link:

https://www.unpac.me/results/0de9a695-5569-481e-9f37-0ccf6253529c/

SH256 hash:

9a63cc04e2f1fc04fcf88875e855fd04dd6405828013f7890f2ae24ed348451b

MD5 hash:

012bcca5bacf6a0c8d598cb7035b6aa4

SHA1 hash:

25b70189a83a65302a837651c5f5ae331e1dd5ce

Link:

https://www.unpac.me/results/0de9a695-5569-481e-9f37-0ccf6253529c/

SH256 hash:

4aa8fbde4e1ddda1b9c30a00b934561229ac6f047c65f34b793b533314098731

MD5 hash:

8ba041aef84afeaeeb4c02546bccc9c6

SHA1 hash:

13581332a1713a12460556010555ec0505bf99c0

Link:

https://www.unpac.me/results/0de9a695-5569-481e-9f37-0ccf6253529c/

SH256 hash:

4dbadf02347ab3163fa92ec92b10bc2b8070270e369a2b79c988dec9594d3f64

MD5 hash:

2d79fb71f371e9f758b50d7345c5913f

SHA1 hash:

d38a0aae45ca3f399056c1af819a84ac4bf8f782

Link:

https://www.unpac.me/results/0de9a695-5569-481e-9f37-0ccf6253529c/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4dbadf02347a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4dbadf02347ab3163fa92ec92b10bc2b8070270e369a2b79c988dec9594d3f64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/200898/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample