MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4eb2ed0c5a97c02116bdb6531fda7c742a3a64d7fa2a15938b0e9f42a7ba7b2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4eb2ed0c5a97c02116bdb6531fda7c742a3a64d7fa2a15938b0e9f42a7ba7b2d
SHA3-384 hash: 81b22f883309e53ba0e4f52f1ed9f454879ce3e03861765d84e6582c41e8397f6413183d883fa452edb63d97a277d0b9
SHA1 hash: c7c309db0cc3eb88e594e4734acb5ffab6a399da
MD5 hash: 4dec218e641a09710cff1e3173926d87
humanhash: delaware-march-william-beer
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:481'792 bytes
First seen:2022-09-08 07:41:30 UTC
Last seen:2022-09-09 11:40:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b7e16e45d5ca01868887e26a9f95ed7b (3 x Smoke Loader, 2 x Stop, 1 x RedLineStealer)
ssdeep 12288:LTxR4dTBSuPOjLye+8PM8p7HMB3zzSEK:LP4ZBSuPOj+8k3Bjz9K
Threatray 3'768 similar samples on MalwareBazaar
TLSH T1B5A41282B4D1CC72E4F192315834D7A0197BBC33E5754A8F339923BBAE712D22A72756
TrID 61.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
15.5% (.EXE) Win64 Executable (generic) (10523/12/4)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon a2c3c2c3e2a2827a (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc523958404_646062359?hash=KIvXZyHo0dUuhSTch0KMlQgumG8rafrCPcRUlPy20NT&dl=GUZDGOJVHA2DANA:1662578648:rZl3upSIznxetyhpdQdSj9QM1oPVyCTBzOIK5Tuko2D&api=1&no_preview=1#low1eu

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.137.196.158:46279 https://threatfox.abuse.ch/ioc/848617/

Intelligence

File Origin
# of uploads :
7
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
installer.exe
Verdict:
Malicious activity
Analysis date:
2022-09-08 07:31:38 UTC
Tags:
trojan redline evasion opendir socelars stealer loader rat ransomware stop arkei
Link:
https://app.any.run/tasks/d4ca062e-685d-41c8-be4d-a27469c2234c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308666/
Detection(s):
Win.Malware.Azorult-9949206-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the system32 subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37022/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63199cced06d9bc4c7ab218c/reports/51d068eb-8091-4b1e-a285-14b662486c3d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c1b9597-5e60-433a-a1d0-c9fa1aa5ecaa
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066932
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4eb2ed0c5a97c02116bdb6531fda7c742a3a64d7fa2a15938b0e9f42a7ba7b2d/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 22:39:47 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j2zo2dc2s7accfv5wzjr7wt4oqvduzgx7ivble4lb2pufj52pmwq._file
Verdict:
malicious
Similar samples:
3052b50eb64e3b324dbf7ff3cdbf1c857d2d8a4efc49fe72c416291085c7f480
RedLineStealer
464138a68b9f01eacc14891f0c1089c1838809beb07b40e1467fe5b42af393c7
RedLineStealer
7ff24f32c7920252f317874bf6441350cb89f8c74aa7daccaa0f59c9ebab54ef
RedLineStealer
9632ef251fc7538bbf3d50d17035c5ceaf3d7a0fb571e424d0c3c28a829cdf85
RedLineStealer
b90f8c62a9dfda7a47704b3e867687edaaa358d14b0a39627dbb32c80ab2d98e
RedLineStealer
c7e6f33ef6015f109574556fd649eb1737b7240d7cf75e4b9b10e79f72ff6123
RedLineStealer
c8037e53bce9878999866f4f25aafb4469e2a0b91d4c64d3b3f16f4e77a23f10
RedLineStealer
f1d35589ab4afd274172a3a899254efcb6aaac6d50cb0e192bf93d162a1d70b9
RedLineStealer
+ 3'758 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:test discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220908-jjnnpsbbfm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
79.137.196.158:46279
Unpacked files
SH256 hash:
3f00f20e63cbe734cf55985b8b16d424a772527de42f0c648c7a03af40140af3
MD5 hash:
b4fd53867fa23bed99d7b191b4f576b6
SHA1 hash:
a2e1f01136a12418796b395c983dc041f129274b
Link:
https://www.unpac.me/results/dcea1a8a-bab1-4883-af9b-5b248cb4e848/
SH256 hash:
f2d92f5a4ad2edb882db892ddfcc310b574c909c4d5461b325b6ae5afe0a4b4f
MD5 hash:
478c597a2d94d1722a1d8b85bbdef988
SHA1 hash:
728c220beeaeeb2279fdb3febd516df9026a54ff
Link:
https://www.unpac.me/results/dcea1a8a-bab1-4883-af9b-5b248cb4e848/
SH256 hash:
fd3b9fa53afc00f4ca1b509494a26dd214d300c8a1a7523b801cf368d972f9d4
MD5 hash:
7b794b4a0974202ace1ea87ee5c55097
SHA1 hash:
4636e024eb1e8630da0a61a5c97df86156e790c1
Link:
https://www.unpac.me/results/dcea1a8a-bab1-4883-af9b-5b248cb4e848/
SH256 hash:
a97a2783431ed8d514acedaf7dda9c4d9a1e9b1623913596c2e95e5072b77139
MD5 hash:
5845f0a56f425bf63329bf2f4a8b5c77
SHA1 hash:
20e94d7922988c281bceca32a56ca3d7b6713e84
Link:
https://www.unpac.me/results/dcea1a8a-bab1-4883-af9b-5b248cb4e848/
SH256 hash:
4eb2ed0c5a97c02116bdb6531fda7c742a3a64d7fa2a15938b0e9f42a7ba7b2d
MD5 hash:
4dec218e641a09710cff1e3173926d87
SHA1 hash:
c7c309db0cc3eb88e594e4734acb5ffab6a399da
Link:
https://www.unpac.me/results/dcea1a8a-bab1-4883-af9b-5b248cb4e848/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4eb2ed0c5a97/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4eb2ed0c5a97c02116bdb6531fda7c742a3a64d7fa2a15938b0e9f42a7ba7b2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/308666/

Comments