MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ee4a194ce1067583a2bc50dd562a8809e7deb41852454f999de5e3ce9a6dc80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ee4a194ce1067583a2bc50dd562a8809e7deb41852454f999de5e3ce9a6dc80
SHA3-384 hash: b48279ac0bb1489420d5ee0b02312267f015ef23b6297d0f15d2b3207b5e8cb4f2186b6eb2d75b3d02ffb143ce977747
SHA1 hash: 3f7b5bd7026d3cc3c20158d150c78da2aa5cdf7c
MD5 hash: d6431cc0ff3345514db8387d5b1dee65
humanhash: low-fish-finch-early
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:375'296 bytes
First seen:2022-11-02 10:00:47 UTC
Last seen:2022-11-02 14:51:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 85f057030595237c3f2cf414c45c1e15 (1 x RedLineStealer)
ssdeep 6144:A9qlz7WNX4HVMa3lQTdwM3WabAO3L7bFjI5ExxoQ8eFb7uPb5wcmZ:6ql3WB4HVLvabBL7byEhRaPb
Threatray 908 similar samples on MalwareBazaar
TLSH T1D0849D05B3808473C4722D323AE45FF4586DBC60476A99EBAFBC3A3E5FA46DD9530099
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc759438714_648724041?hash=mMHWWAskto0cB5Exhj1j5jPG6KXmczlHVJ6C3BekWPD&dl=G42TSNBTHA3TCNA:1667309152:2BSmm1nQ0JVCL12BSgeUctUMne6aISlsAs8EA3sZL9c&api=1&no_preview=1#1

Intelligence

File Origin
# of uploads :
110
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-02 10:03:55 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4534064c-510a-4177-8a66-447d76bff5f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/327056/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.12396.16761.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47346/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/63623fe3a5db8d309cbc56bf/reports/f58515cd-1064-462d-9cc3-f88602242796/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4101ec1e-fd6f-47d6-83c2-44d3a2cdbf9d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1103111
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 735772 Sample: file.exe Startdate: 02/11/2022 Architecture: WINDOWS Score: 100 91 stratum-eu.rplant.xyz 2->91 93 pool-fr2.rplant.xyz 2->93 119 Snort IDS alert for network traffic 2->119 121 Multi AV Scanner detection for domain / URL 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 11 other signatures 2->125 12 file.exe 1 2->12         started        15 MoUSO.exe 2->15         started        signatures3 process4 signatures5 143 Contains functionality to inject code into remote processes 12->143 145 Writes to foreign memory regions 12->145 147 Allocates memory in foreign processes 12->147 149 Injects a PE file into a foreign processes 12->149 17 vbc.exe 15 7 12->17         started        22 conhost.exe 12->22         started        151 Antivirus detection for dropped file 15->151 153 Multi AV Scanner detection for dropped file 15->153 155 Detected unpacking (changes PE section rights) 15->155 157 5 other signatures 15->157 process6 dnsIp7 87 51.89.201.21, 49697, 7161 OVHFR France 17->87 89 transfer.sh 144.76.136.153, 443, 49698 HETZNER-ASDE Germany 17->89 77 C:\Users\user\AppData\Local\Temp\setu2p.exe, PE32+ 17->77 dropped 127 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->127 129 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->129 131 Tries to harvest and steal browser information (history, passwords, etc) 17->131 133 Tries to steal Crypto Currency Wallets 17->133 24 setu2p.exe 17->24         started        file8 signatures9 process10 signatures11 135 Multi AV Scanner detection for dropped file 24->135 137 Hijacks the control flow in another process 24->137 139 Writes to foreign memory regions 24->139 141 3 other signatures 24->141 27 RegSvcs.exe 22 24->27         started        process12 dnsIp13 95 cdn.discordapp.com 162.159.130.233, 443, 49700, 49702 CLOUDFLARENETUS United States 27->95 79 C:\Users\user\AppData\...\setup4325r.exe, PE32 27->79 dropped 81 C:\Users\user\AppData\Local\...\setup32.exe, PE32+ 27->81 dropped 83 C:\Users\user\AppData\Local\Temp\setup.exe, PE32+ 27->83 dropped 85 3 other malicious files 27->85 dropped 31 setup4325r.exe 18 27->31         started        36 setup.exe 27->36         started        38 setup32.exe 1 27->38         started        40 WerFault.exe 27->40         started        file14 process15 dnsIp16 97 dba692117be7b6d3480fe5220fdd58b38bf.xyz 104.21.17.54, 443, 49704, 49705 CLOUDFLARENETUS United States 31->97 73 C:\Users\user\AppData\Local\cache\MoUSO.exe, PE32 31->73 dropped 103 Antivirus detection for dropped file 31->103 105 Multi AV Scanner detection for dropped file 31->105 107 Detected unpacking (changes PE section rights) 31->107 117 8 other signatures 31->117 42 schtasks.exe 31->42         started        75 C:\Windows\System32\drivers\etc\hosts, Non-ISO 36->75 dropped 109 Query firmware table information (likely to detect VMs) 36->109 111 Modifies the hosts file 36->111 113 Adds a directory exclusion to Windows Defender 36->113 44 cmd.exe 36->44         started        47 cmd.exe 36->47         started        49 powershell.exe 15 36->49         started        51 powershell.exe 36->51         started        99 youtube-ui.l.google.com 142.250.147.136, 443, 49701 GOOGLEUS United States 38->99 101 www.youtube.com 38->101 115 Tries to harvest and steal browser information (history, passwords, etc) 38->115 53 cmd.exe 1 38->53         started        file17 signatures18 process19 signatures20 55 conhost.exe 42->55         started        57 conhost.exe 44->57         started        59 sc.exe 44->59         started        69 9 other processes 44->69 61 conhost.exe 47->61         started        71 4 other processes 47->71 63 conhost.exe 49->63         started        65 conhost.exe 51->65         started        159 Uses cmd line tools excessively to alter registry or file data 53->159 161 Uses powercfg.exe to modify the power settings 53->161 163 Modifies power options to not sleep / hibernate 53->163 67 conhost.exe 53->67         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ee4a194ce1067583a2bc50dd562a8809e7deb41852454f999de5e3ce9a6dc80/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 20:13:10 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3skdfgocbtvqorlyug5kyviqcph322bqusfj6mz3zpdz2ng3saa._file
Verdict:
malicious
Similar samples:
0d09a4ab3e8ceb83ed61d72f369dafe02bcfee6e57551b3a9077aee0a718aee8
RedLineStealer
2f0d73b8d448b26e1f8885f54a95214eb0e84b4a5e8b3d25a06fa743b036afe7
RedLineStealer
80c13f76051a4426e06c7581bdcaba65b79e497761d7329e306745d2150d1f43
RedLineStealer
96cf568e9e8f3102cee6f7b304e442aee7002c07113a1389718b83612c1b05b9
RedLineStealer
ba97aff9e292934583134ecf8c052cbb61348e43568793711b09af9dac50f643
RedLineStealer
f27ce34603fde8869721599a66678b19798a89bf75ef049a9020b4be9b8c8a6d
RedLineStealer
fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734
RedLineStealer
+ 898 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig botnet:logsdiller cloud (tg: @logsdillabot) evasion infostealer miner spyware stealer themida trojan upx
Link:
https://tria.ge/reports/221102-l175sabfek/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Identifies Wine through registry keys
Reads user/profile data of web browsers
Themida packer
Uses the VBS compiler for execution
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Stops running service(s)
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Modifies security service
RedLine
RedLine payload
xmrig
Malware Config
C2 Extraction:
51.89.201.21:7161
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4e741daf-6d00-4a43-a9e1-5d6c5dc5b789
Unpacked files
SH256 hash:
4ee4a194ce1067583a2bc50dd562a8809e7deb41852454f999de5e3ce9a6dc80
MD5 hash:
d6431cc0ff3345514db8387d5b1dee65
SHA1 hash:
3f7b5bd7026d3cc3c20158d150c78da2aa5cdf7c
Link:
https://www.unpac.me/results/bc7cffee-7a93-42e7-8d4a-db26f462632f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ee4a194ce10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ee4a194ce1067583a2bc50dd562a8809e7deb41852454f999de5e3ce9a6dc80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/327056/

Comments