MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e5006410923fe02f63bb2f3104dcae4f1aae22fbfd2f13a5ef351d61c3e4fb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7



SHA256 hash: 4e5006410923fe02f63bb2f3104dcae4f1aae22fbfd2f13a5ef351d61c3e4fb6
SHA3-384 hash: 976c42603ee541ff29619b49e95d059cda7a3dc5c24715d574115df2ed079e4d460316427764b54cd44cdc751873628c
SHA1 hash: ab2ed67ba84c01b0f2a497d9fafc39bf9393e8bc
MD5 hash: ae43dc74a38a84230fa55d1786a78527
humanhash: mobile-zulu-december-washington
File name: ae43dc74a38a84230fa55d1786a78527.exe
Signature: RedLineStealer
File size: 2'192'896 bytes
First seen: 2022-11-22 09:07:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:lCSZUt1b8xKrw4NSHbCXvDtP+Um6SZ8ev5c:juHGT4NSHbChmUFSZ8OO
Threatray 102 similar samples on MalwareBazaar
TLSH T1EEA53329EB9C9571DD6A2B704CEB478306213D304E3853BA3B87591A0D72BC4E83B75B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads:
1
# of downloads:
181
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ae43dc74a38a84230fa55d1786a78527.exe
Verdict:
Malicious activity
Analysis date:
2022-11-22 09:07:42 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating synchronization primitives
DNS request
Sending a UDP request
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
advpack.dll anti-vm cmd.exe packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
clean
Classification:
evad
Score:
13 / 100
Behaviour
Behavior Graph:
n/a
Result
Malware family:
n/a
Score:
8/10
Tags:
persistence
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash:
1adf433602ac12a58a6168faa3b86de076941d2e44532a8ff1f4391e4b657f68
MD5 hash:
b6845faecb3cd52f52eabd0a6ea16fde
SHA1 hash:
31292044f01c6fddc473387ccc9d9b88cbbb0338
SHA256 hash:
4e5006410923fe02f63bb2f3104dcae4f1aae22fbfd2f13a5ef351d61c3e4fb6
MD5 hash:
ae43dc74a38a84230fa55d1786a78527
SHA1 hash:
ab2ed67ba84c01b0f2a497d9fafc39bf9393e8bc
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments