MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
SHA3-384 hash: e6548265886f4d0b9515db2d6fd5ab2470c9a97c58dd84e1718b429a069fa95095f6b39c7d9aad0f9b8a9c9e24a292ab
SHA1 hash: 8fd8e8696e22954c14415f0debf54fa15746ad77
MD5 hash: 9e1499766df19804efac25eb09ba3f39
humanhash: lima-cold-september-green
File name:9e1499766df19804efac25eb09ba3f39
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:350'720 bytes
First seen:2022-12-25 00:49:26 UTC
Last seen:2022-12-25 02:30:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1cabdb70cbdd8d3392fe9f92c541a607 (1 x Smoke Loader, 1 x RedLineStealer)
ssdeep 6144:UCxLw8s5mLfryFh4pwJ6hFQGCxhz4LnYB6aMn:Uos8s5ezyvbMhFGzI
Threatray 12'549 similar samples on MalwareBazaar
TLSH T1F974F00CBEA2D475C6510970CC15CFE866BAFC309FA09A2F37507F1F1E70E91A52A296
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acedecee6eaee (119 x Smoke Loader, 44 x Amadey, 41 x Tofsee)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
9e1499766df19804efac25eb09ba3f39
Verdict:
Malicious activity
Analysis date:
2022-12-25 00:52:28 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/7d5fd474-10b1-4241-8cd3-bc28fb898e36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.7631.16296.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63a79e3c629a35af1ab3cf6e/reports/0ded15fb-e41b-41f4-ac34-9db0dbbfdd9d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58dce352-7028-4ee2-b48a-c70e3b56e3df
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140638
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90/
Threat name:
Win32.Trojan.Caynamer
Create hunting rule
Status:
Malicious
First seen:
2022-12-25 00:50:09 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jx42en74kicpfrvxe5h5eukl7cenr56zlhyxczudks4nmcd5bkia._file
Verdict:
malicious
Similar samples:
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
RedLineStealer
476fe5184ee699040c67e6a1cf362c0532fabe25cd5b162f732fbd1cc02b47fd
RedLineStealer
5270945de8fd0a548e710e4f2464679eda78b06626711bc8359939a68c277b19
RedLineStealer
91791f09eeafec7c137dd6f43d990a6475510ee67a76474f20d1012c023727d3
RedLineStealer
bfbf00babd2e290c90e2b17596a15d5f52fca7c43ad8d4691c7c4573d50615b0
RedLineStealer
c20ccf287acc446472287bc6f3370ade587831c6cc677e8ca1131005f9a89dfe
RedLineStealer
c85256fef5467ac50c978ef721ee7b93577df33ebed17b6e01249a37c3d9f38e
RedLineStealer
e91bb1f7c2b2ffd094d3915f1fffbfe929efd49e1d732b51d60e8a378a8a066b
RedLineStealer
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
RedLineStealer
f40d28a5ad690a3fa3fded93e6fae91bcf61f896871fff9b4687611c58c1dee2
RedLineStealer
+ 12'539 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:trud discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221225-a6xqfsah54/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
31.41.244.198:4083
Unpacked files
SH256 hash:
65f75c671b35cbde3bc6a355f88bf821f74c8a082c9744480a59bbd72defe0c7
MD5 hash:
1904c9b0a20ab75b269c4a8f7d30dacc
SHA1 hash:
c1aecaaf9ff915be2950fcdaa149dc773d349630
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6ff73db8-7e3e-46c7-9a91-14ad10e50cc4/
Parent samples :
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
0969698e9298154bd93a23d103a942a2937ed1ad1fef8c1ecc6282a57d3c4711
1fc1cd4294d1ada2d5b9749125ac1c8fff4fd65d25b59ea9590e9f8545a02f77
99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
6efb2e32950265ab4042fc55e79f9791940bd1e228ab626193a6aef2f8ac937d
777e65e00628ae01a5be7027d471bae921525620493656033d2823eb9c275ff5
ae2b1fc1616ef5f45b445f766f8bef9cfa464b41f3319b05b2d48c0e8b73f7e7
7f17b3efdb1542d1da494d21dcc6dfe9fa956bd1094788fca1c5ce06a9644ab5
140f3aa7c2db1fd5335dbe01511bc09e4f90d79ad8af94b2f04cda775f3d8c70
ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
SH256 hash:
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
MD5 hash:
078f90abfc1dddd108adcb85761689d0
SHA1 hash:
51a86a74c011e0a6813b0058104f6b21765ed99c
Link:
https://www.unpac.me/results/6ff73db8-7e3e-46c7-9a91-14ad10e50cc4/
SH256 hash:
a714830b23ef52a2529880c8e9a377e56dde10f7cddc4083a02cb6e6a932abe2
MD5 hash:
6fe9fc0e7c5ad24c8ace861f0e514001
SHA1 hash:
0e9ecc9f6687954e9f6f0b8d331a77d8cf9108ea
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6ff73db8-7e3e-46c7-9a91-14ad10e50cc4/
Parent samples :
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
1fc1cd4294d1ada2d5b9749125ac1c8fff4fd65d25b59ea9590e9f8545a02f77
6efb2e32950265ab4042fc55e79f9791940bd1e228ab626193a6aef2f8ac937d
777e65e00628ae01a5be7027d471bae921525620493656033d2823eb9c275ff5
7f17b3efdb1542d1da494d21dcc6dfe9fa956bd1094788fca1c5ce06a9644ab5
ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
SH256 hash:
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
MD5 hash:
9e1499766df19804efac25eb09ba3f39
SHA1 hash:
8fd8e8696e22954c14415f0debf54fa15746ad77
Link:
https://www.unpac.me/results/6ff73db8-7e3e-46c7-9a91-14ad10e50cc4/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4df9a237fc52/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2476460/
  
URLhaus
https://urlhaus.abuse.ch/url/2485560/

Comments


Avatar
zbet commented on 2022-12-25 00:49:29 UTC

url : hxxp://31.41.244.173/true/trud.exe