MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
SHA3-384 hash: e65ee3ef52d7fc94c236de3fb7adf88109a606711d9ead8292a1b8fdaa4e42ecdbb09e75a4c12c4ff0d84ea9724d6c4d
SHA1 hash: 93c455fbd0f645c6cf56208eb34489f889866913
MD5 hash: cad110ca2f60ecd3c9c16e973b59d3f1
humanhash: black-whiskey-georgia-georgia
File name:cad110ca2f60ecd3c9c16e973b59d3f1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:493'056 bytes
First seen:2023-02-11 09:01:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4319aad8f4d315da40f6f14bc8933fbe (7 x Smoke Loader, 6 x RedLineStealer, 2 x Tofsee)
ssdeep 6144:+wbRelJfN6Our+zezosQntff1DuFgqIbftdjJoSKMdkT/3uZt5:+w0ewenKtH1DSrwfrjsMdk
Threatray 14'816 similar samples on MalwareBazaar
TLSH T164A43B43A2917C55EB168B729E1EC6F8761DB9F08F0E77EB2218AA1B14712F2C573710
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 84c494c0c0a4c880 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.20.12:4132

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-11 08:34:39 UTC
Tags:
trojan rat redline amadey loader
Link:
https://app.any.run/tasks/bf1ba08f-d0fd-4844-9635-294286e83c6a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/363863/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63e7598dae0d2eea07d4c5ef/reports/96464f6b-7adc-47fe-bf15-2ee8a7744350/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee8cdbb3-eb6d-48a5-a295-aa49d50e9843
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1171986
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-11 07:18:07 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jzxsshh6gh4dlkrqw7pva6gf5tlm25mbas4krkhebs6xev7nnosq._file
Verdict:
malicious
Similar samples:
25811e71ad0831d7aee231e3c03245be29615cc8e4e5ea7165fde73bfa4960bc
RedLineStealer
3c6ee18e05f8ff187011dcac773e31c0bf128a2d4c8d3a17eeb8895fdb70b8d3
RedLineStealer
4b9c642204fc73a028838b29c302432c6cc910477db3f2dc08b8e4cb6bf71d71
RedLineStealer
5fe5023bd278c560ac70b19c03fd8edd86a9840181b171b6b0ac2adee386531f
RedLineStealer
6e22d94efa87e5166e89cb33d13758e32524e20820632f06ba8676389e5a0018
RedLineStealer
9099472b2e3457716b9902a0c3ea707941abfea41b7efdb0ddcd77785fb5ee9b
RedLineStealer
b586a85b1fc9d0b8370c88bca896d68b72797ee31e77f0afd080314dd6ca259e
RedLineStealer
c2284106dfb6f0631bef76af14842b4ba33b521a76416c07b0050a50df2a2f13
RedLineStealer
db5b23ccde538d4c45334e1b96ba2ed8c3d3734f63be9064c148402b2800ef46
RedLineStealer
f139fc5e2328804cc09d38a4c8403ea30d42be74046c35dc01ff7e937bd32ad8
RedLineStealer
+ 14'806 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:romik discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230211-kzf48scg63/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.233.20.12:4132
Unpacked files
SH256 hash:
6025e99b61cf27e4199afba2bbcaff306e1c73eb08d7706210b26d8e785f8a38
MD5 hash:
5a5d7c502c8de78f62818cd74dc3fad9
SHA1 hash:
f6a32259e84173fa3e674287fed9f7682d91ed00
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/63752060-9857-4220-88fe-1ffc5a205dfd/
Parent samples :
2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59
f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
2939c2394ceba4ec6d09b39765f26de7b9b2e768ffe5426da4f1833f33b015ee
260e65b2690949126f04ef058e26e9849b5883e17b7ff0c0e66fc9c370d980be
dfbca902423ad0c0b53e3abb0cb4e57b3ee266cb4eaec98b9baf4b107d19ccd6
0832ff937c6402ec6b252692df3f45abbe08291b1696f243c99f5aef93270d88
dca8f3bedff4d14276ff3621f6b171cac6cf4e4c3abe36beca67c6dee2ed03d6
dca38093bc51d165acf5754982d66fe28509c85d65492d8428a240e1f85df435
13d54f839060b601a0c89beefd65599bd07fd37cee1e302c43bfb55c281fa23c
93ae529d7d511158aeb2ba42f7ac9e8cada410d03015bce3de712a56367aac7a
0423f6894af5cdff8c3ea348370c3c9e950fa161b6aa7ea78ae43020d6ad6458
1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
b39502990b9ff0db6a020260147dac82e89ca3046f526ec81f3a6af1f241e78a
e68a8a2f89159710896291473b1f51b16968d9066bb621a43a858ef4e0c7291a
a2c0ff0add9a29e1b1af25b0faf553de9098a45b04ad98b51c2c6be7e74b6c9b
SH256 hash:
75f41983d7da68c378b64f8e5633bde393f9c550469ae5bd4da6d64d6674286b
MD5 hash:
285e4cae921c512fec71492eaafc27c4
SHA1 hash:
7a1022b0ec66c57a216bd0f842906917e7851130
Link:
https://www.unpac.me/results/63752060-9857-4220-88fe-1ffc5a205dfd/
SH256 hash:
1b58cc46582d2af490ccd73e499c060493e03745d063c364e056b37bd27e923a
MD5 hash:
f99f30bc6d50869fd3efb586d707941c
SHA1 hash:
779d52ff7e1606bc249318253906cd380bc02148
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/63752060-9857-4220-88fe-1ffc5a205dfd/
Parent samples :
2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
b8fdb367212ce7f5bbf5347b559a7ebffb5094679eb716b136f63d1fcd5f4fe7
30dc59957be5e5e5ae63c4d07121749dc3300e9af19a842a4cd13d5133bd6b59
f708f025665d4d8181d7a9538ec24ced4f59e63a6a2056be2b4348c941455a77
260e65b2690949126f04ef058e26e9849b5883e17b7ff0c0e66fc9c370d980be
dca8f3bedff4d14276ff3621f6b171cac6cf4e4c3abe36beca67c6dee2ed03d6
13d54f839060b601a0c89beefd65599bd07fd37cee1e302c43bfb55c281fa23c
93ae529d7d511158aeb2ba42f7ac9e8cada410d03015bce3de712a56367aac7a
a2c0ff0add9a29e1b1af25b0faf553de9098a45b04ad98b51c2c6be7e74b6c9b
SH256 hash:
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
MD5 hash:
cad110ca2f60ecd3c9c16e973b59d3f1
SHA1 hash:
93c455fbd0f645c6cf56208eb34489f889866913
Link:
https://www.unpac.me/results/63752060-9857-4220-88fe-1ffc5a205dfd/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4e6f291cfe31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2532610/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/363863/

Comments