MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e2d4ba41a2528aee5c5617b9ed01110c0d4be1841ad5b8af440026798cfca76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e2d4ba41a2528aee5c5617b9ed01110c0d4be1841ad5b8af440026798cfca76
SHA3-384 hash: 4b77726070e417a7e5d8a48664b2a7b783ae5d1b5fca8a7bedaf4840d8acf999c8b407569750390cad9d4957c3a787d8
SHA1 hash: b02ea5190b0ae4b7a76b6adefecf382c65e47ee9
MD5 hash: 2cfd2401d76429aa6d05b25472a94fa0
humanhash: double-lake-mobile-edward
File name:2cfd2401d76429aa6d05b25472a94fa0
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'733'120 bytes
First seen:2023-10-04 14:14:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b77966559e48caa7890a2432200a2b65 (7 x RedLineStealer, 1 x LummaStealer)
ssdeep 24576:Et9DJXz9Dz+Hg0tIUnygszebhWMVfjo3:Eh9Dz+Hh1nM4Wko
Threatray 108 similar samples on MalwareBazaar
TLSH T100857D653FC345B1DFA311BA01FC7963827D98B00B2649C79EC75BDE86E09C25E32992
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
Win.Packed.Pwsx-10008461-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/651d73689b16696e9f8fc2c9/reports/06ec85f6-b098-4007-952a-9bda6084a17d/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/4e2d4ba41a2528aee5c5617b9ed01110c0d4be1841ad5b8af440026798cfca76
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fb1f44e-0b31-4461-ad1e-5c8614fd4a8c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1319522
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e2d4ba41a2528aee5c5617b9ed01110c0d4be1841ad5b8af440026798cfca76/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-04 14:15:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jywuxja2euuk5zofmf5z5uarcdanjpqyigwvxcxuiabgpggpzj3a._file
Verdict:
malicious
Similar samples:
4d7e863742ac8167ec9f6d83ade46c04c3d70c802dd1e64721324f52c6afd9a4
RedLineStealer
9cbdb8e2103328fcd51687a14b752ffb2d3a28a7d5de6cc2c912861070d65fe5
RedLineStealer
9f5289a682a53144b0a38d1af54d935194934188efb4cdb92127f3afe5f3753a
RedLineStealer
c235740f48d901ce404e6f78b01ad689ad01e9196b1be94b99b44960b8e86397
RedLineStealer
d55de05dfad137adbba7033ffedcc2dd7f90ff72224f0ba0014fc7d3fb805047
RedLineStealer
d99ad61e2c82cdee34498ec86c2eb31e39dd2be6c3469bf37f425f584b385bae
RedLineStealer
e2ced4dd6add11ab9e3a0869c00def6490f31c164131bb44af6e721f59e63e00
RedLineStealer
f37b36c1284b088c45a5ae76da926170f1228d7688ae8c5ec2b3e7e10565a52a
RedLineStealer
fed524edd9865ef4fed5ff98119145e023a7e104d43338cb68a8dd1347e899bd
RedLineStealer
+ 98 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@ytlogsbot infostealer spyware
Link:
https://tria.ge/reports/231004-rkkmfaec78/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction:
176.123.4.46:33783
Unpacked files
SH256 hash:
027365ae99f0098c292bb45e47573e554c4c2ea31c3030af5bd515e711e09d8f
MD5 hash:
876e91bda071a0e3d0a762a17b86d84c
SHA1 hash:
e3d1f8ae20ffe09698f4f16e07d3a444d5f7b349
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3dbfcccf-10c8-4027-b1d6-9b5acc979be4/
SH256 hash:
4e2d4ba41a2528aee5c5617b9ed01110c0d4be1841ad5b8af440026798cfca76
MD5 hash:
2cfd2401d76429aa6d05b25472a94fa0
SHA1 hash:
b02ea5190b0ae4b7a76b6adefecf382c65e47ee9
Link:
https://www.unpac.me/results/3dbfcccf-10c8-4027-b1d6-9b5acc979be4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4e2d4ba41a25/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e2d4ba41a2528aee5c5617b9ed01110c0d4be1841ad5b8af440026798cfca76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4e2d4ba41a2528aee5c5617b9ed01110c0d4be1841ad5b8af440026798cfca76

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2716371/

Comments


Avatar
zbet commented on 2023-10-04 14:14:40 UTC

url : hxxp://171.22.28.213/1.exe