MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f0f79ed4115f930e5f67354d90801965b71a2d8ab86847fc656afe6aed566b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f0f79ed4115f930e5f67354d90801965b71a2d8ab86847fc656afe6aed566b7
SHA3-384 hash: a0cd241c6a9a98d5ddaced2d03ad487306cca9a7a69d10bc2054098be057182b49b04a4de43b1a793a534c420240d3af
SHA1 hash: ddb5a95be90a165def5a37615be0f325a72d9810
MD5 hash: bab1932cc76f8312a073a7a2a689bf75
humanhash: floor-king-massachusetts-kitten
File name:bab1932cc76f8312a073a7a2a689bf75.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:170'496 bytes
First seen:2021-07-13 10:01:50 UTC
Last seen:2021-07-13 10:47:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:HW6hKBt7W/zEA+bQv1kk54FlITwg0FwtpnXK8EDj4dE46XSGV4/4/4w:HW6Qt7yz2bOP548YFwtIpeMV4/4/4w
Threatray 375 similar samples on MalwareBazaar
TLSH T199F3B12673A7D476C1C42230E461CB3B2668CD1307B0775AB5CABD67BD6B28D49BC2E4
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.198.57.69:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.198.57.69:80 https://threatfox.abuse.ch/ioc/159867/

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bab1932cc76f8312a073a7a2a689bf75.exe
Verdict:
Malicious activity
Analysis date:
2021-07-13 10:02:50 UTC
Tags:
evasion stealer trojan rat redline
Link:
https://app.any.run/tasks/d39e080c-4d7d-4b56-bad8-b8ab7007b828

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171340/
Detection(s):
SecuriteInfo.com.PWS-FCSRBAB1932CC76F.21762.11022.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6143322-389a-4138-9bc8-bd3d11c99ebc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815445
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447856 Sample: zHPfg7OWAp.exe Startdate: 13/07/2021 Architecture: WINDOWS Score: 100 70 Multi AV Scanner detection for domain / URL 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected RedLine Stealer 2->74 76 4 other signatures 2->76 7 zHPfg7OWAp.exe 15 8 2->7         started        12 WinHoster.exe 2->12         started        14 WinHoster.exe 2->14         started        process3 dnsIp4 56 videoconvert-download38.xyz 104.21.42.63, 443, 49740 CLOUDFLARENETUS United States 7->56 58 iplogger.org 88.99.66.31, 443, 49743, 49744 HETZNER-ASDE Germany 7->58 60 192.168.2.1 unknown unknown 7->60 44 C:\Users\user\AppData\Roaming\8078242.exe, PE32 7->44 dropped 46 C:\Users\user\AppData\Roaming\7747106.exe, PE32 7->46 dropped 48 C:\Users\user\AppData\Roaming\6045849.exe, PE32 7->48 dropped 50 2 other malicious files 7->50 dropped 78 May check the online IP address of the machine 7->78 80 Performs DNS queries to domains with low reputation 7->80 16 6045849.exe 1 4 7->16         started        20 1867073.exe 15 11 7->20         started        23 7747106.exe 14 2 7->23         started        25 8078242.exe 1 7->25         started        file5 signatures6 process7 dnsIp8 34 C:\Users\user\AppData\...\WinHoster.exe, PE32 16->34 dropped 62 Antivirus detection for dropped file 16->62 64 Multi AV Scanner detection for dropped file 16->64 66 Machine Learning detection for dropped file 16->66 27 WinHoster.exe 2 16->27         started        52 pcfixmy-download-13.xyz 172.67.222.237, 443, 49746 CLOUDFLARENETUS United States 20->52 36 C:\ProgramData\72\vcruntime140.dll, PE32 20->36 dropped 38 C:\ProgramData\72\sqlite3.dll, PE32 20->38 dropped 40 C:\ProgramData\72\softokn3.dll, PE32 20->40 dropped 42 4 other files (none is malicious) 20->42 dropped 68 Performs DNS queries to domains with low reputation 20->68 30 WerFault.exe 20->30         started        54 gousynelis.xyz 185.198.57.69, 49754, 80 HSAE Netherlands 23->54 32 WerFault.exe 25->32         started        file9 signatures10 process11 signatures12 82 Antivirus detection for dropped file 27->82 84 Machine Learning detection for dropped file 27->84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f0f79ed4115f930e5f67354d90801965b71a2d8ab86847fc656afe6aed566b7/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 10:02:08 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4hxt3kbcx4tbzpwonknscabsznxdiwyvodii76gk2x6nlwvm23q._file
Verdict:
suspicious
Similar samples:
00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
RedLineStealer
20ed0f1b402d630a3e131e9e788c57a74d348bcc358e1c0e6f5fd112ad838ab3
RedLineStealer
2c1e4de15b0a08e77555d4b16f2bb56fae378081a9411138d323b6b52a7e891b
RedLineStealer
419dbec500b45dcb0aca32df66ed6107975ae346cea116494e7f36445746aa27
RedLineStealer
5c1f581f9d11fd4614ae17de1eaa58f5e37f47d15d18943214abe9c05f55e97d
RedLineStealer
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
RedLineStealer
a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
RedLineStealer
abc845a1bcb5a82c786c55f8f778cef56bcfb4e66eec07172c14fb4cf78dcfcc
RedLineStealer
cc161c44340b9944936e1af83913c62bfe6cdc92703e19fc036e556bd89caf79
RedLineStealer
fdccd5539f179d7b405ebbc63749ce662af29a3bbe0b66816cce09029e785aaf
RedLineStealer
+ 365 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer persistence
Link:
https://tria.ge/reports/210713-lbvvzbddw6/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
f25967da25142926b3b1898779af02d6abde9776d980ee3124e6b5631ff8e145
MD5 hash:
bfa61050274e74842288e846245264f3
SHA1 hash:
cd6f34e15c8d5658538e1dd2ab0e55a6973e02e9
Link:
https://www.unpac.me/results/9e36b10a-221a-4855-9056-eca42c528273/
SH256 hash:
4f0f79ed4115f930e5f67354d90801965b71a2d8ab86847fc656afe6aed566b7
MD5 hash:
bab1932cc76f8312a073a7a2a689bf75
SHA1 hash:
ddb5a95be90a165def5a37615be0f325a72d9810
Link:
https://www.unpac.me/results/9e36b10a-221a-4855-9056-eca42c528273/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f0f79ed4115f930e5f67354d90801965b71a2d8ab86847fc656afe6aed566b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4f0f79ed4115f930e5f67354d90801965b71a2d8ab86847fc656afe6aed566b7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1416187/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171340/

Comments