MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dca5e3abeffd6afbcdd382f365a74a685881959eb119c058f12e21cc0968194. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dca5e3abeffd6afbcdd382f365a74a685881959eb119c058f12e21cc0968194
SHA3-384 hash: 145f20915357e3ff26db93d21d7f373b4192191fc70e67164ac44042c182a2ff246577a99ae278ccbb10ed2f7bbc8439
SHA1 hash: 3d86b00f8bd72e8b7ee9296f5309fb1c10fd9951
MD5 hash: b27fb2bd4b4a839c5f89f074f174115d
humanhash: tennessee-six-cup-cardinal
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:316'688 bytes
First seen:2023-05-21 21:24:32 UTC
Last seen:2023-05-22 07:29:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b46b7655f5ed701dbc7075afa681ec5a (5 x RedLineStealer, 1 x Stealc)
ssdeep 6144:TsEoNr4X4MlEZxkiSpYzZ7NT1rIkt56HkI:h4r4Xsxki84N03
Threatray 3'274 similar samples on MalwareBazaar
TLSH T154645C23AA868035FC2B95F847C699B951EC79701B9F40E7EBF59FDF4D90AC06620207
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc797927207_660752680?hash=CnIOGZLBIepB8flEeeoShP8gHGyz1eQZUAIROVxsyYz&dl=zIVzWzzttbA6tvLr7nBfgIVqKqAhRCjM4b58gyb03qL&api=1&no_preview=1#joki1410

Intelligence

File Origin
# of uploads :
3
# of downloads :
292
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-21 21:27:29 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/1b33ffa3-263b-4f3f-b156-b5ee32da8a17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.13792.18523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/646a8c2fd1c3e79281c79d19/reports/3dfcc96e-5eb7-4e1c-99f8-c5c97df6e544/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/4dca5e3abeffd6afbcdd382f365a74a685881959eb119c058f12e21cc0968194
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b5bb1b1-813c-47da-891c-4670bdbed943
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1238985
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4dca5e3abeffd6afbcdd382f365a74a685881959eb119c058f12e21cc0968194/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-21 21:25:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxff4ov677lk7pg5haxtmwtuu2cyqgkz5mizybmpclrbzqewqgka._file
Verdict:
malicious
Similar samples:
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e
RedLineStealer
20bd893c6533e002d8b51e41fd1f8b6717e34a10e0691fc41254807b78f77a75
RedLineStealer
34fd6c819f0ff0375583329f712d9ac94a78ca8314e612d4bd303ea8b918d4f0
RedLineStealer
5df17f53387714d342d63a5946626f3e52be8438ee0701b44c42506f7d003367
RedLineStealer
5e61ca396611b20ac59f4701d471fce71202fa690f5481c5f71d0f1b00336406
RedLineStealer
5eca819baed9b9624bfcf5b048699cbde7d8a9d9a0f28a99fcad341f775972f0
RedLineStealer
90a61538166854064428335c2b2beecf44fca5979e8fee4db712fc0b09f4729a
RedLineStealer
ca02d7d9ded6d35965b5eae79da178fbb884c9002ae33b342a689ee8842990dc
RedLineStealer
cf755affe24a7e970b02ffeceddce25f80f94c4b4cc547c8b5cd03493bb0e557
RedLineStealer
d3627bdaf1d8b36baff815b06e6155bb5decf04f20fa7300c0faebca4aa930e1
RedLineStealer
+ 3'264 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:persom infostealer spyware
Link:
https://tria.ge/reports/230521-z9k89sce38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
176.124.219.192:14487
Unpacked files
SH256 hash:
eec3dc87517e79dc3bb51fb8fc1be1b9152a9f621085351104ecd9269037a4d3
MD5 hash:
f79637aba12ca13e0d7c4ba20a5e644f
SHA1 hash:
9ac7d6fcbaf4c54d1c4f8e0b861eb340c2b5d5ba
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/4daf5b87-637e-4704-abe7-407c10d97f40/
Parent samples :
e25c3f7621547050d8b33edb42b6efb31f3eecbfdf5ff347ca2396a67fb41b27
bcc8671116930bf6f9819cbd6fcebf1a5612ed32bb417eaff633ed11ad301059
baeaf04706b138445bb7faa9401f428d4f114e8f9a4e7ce84e4064a3b6428402
4dca5e3abeffd6afbcdd382f365a74a685881959eb119c058f12e21cc0968194
SH256 hash:
4dca5e3abeffd6afbcdd382f365a74a685881959eb119c058f12e21cc0968194
MD5 hash:
b27fb2bd4b4a839c5f89f074f174115d
SHA1 hash:
3d86b00f8bd72e8b7ee9296f5309fb1c10fd9951
Link:
https://www.unpac.me/results/4daf5b87-637e-4704-abe7-407c10d97f40/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4dca5e3abeff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4dca5e3abeffd6afbcdd382f365a74a685881959eb119c058f12e21cc0968194

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments