MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f26b9b399e238579178958fc76c17ab1a605a33cb6bd6d47aac073596a2dee6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f26b9b399e238579178958fc76c17ab1a605a33cb6bd6d47aac073596a2dee6
SHA3-384 hash: 1ad3a3128274d66c24f12cf7c562d4dd6a7be28cd50a3f5168e763612ba8f6c20f1cfc921d6d158bacdc7ddc580a9a63
SHA1 hash: e5c9d0a5f200e1bb60464ba6510f8d6cb73a9ecc
MD5 hash: 5df8405843064ea58e387a7f9c6fc0b9
humanhash: lemon-two-pluto-uranus
File name:5df8405843064ea58e387a7f9c6fc0b9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:372'736 bytes
First seen:2022-03-25 16:52:06 UTC
Last seen:2022-03-25 18:36:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 17b4b1fe70fbbdccbba7c09889838934 (3 x AZORult, 2 x Worm.Ramnit, 1 x RedLineStealer)
ssdeep 6144:G+pLw3TFfhAvLp2z62Dpl+X9Z+nD0nYwL6Q9HL6QGIY:5pLITFaKtuX9QnDmjj9rjGIY
Threatray 11'105 similar samples on MalwareBazaar
TLSH T16E84E01E89B70633F28B87319FD495D8477E7CA73A59E82FDF842D281762A4101A53B3
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
62.204.41.166:27688

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
62.204.41.166:27688 https://threatfox.abuse.ch/ioc/451290/

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257799/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.9752.21566.19386.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm control.exe greyware hacktool obfuscated packed
Link:
https://www.filescan.io/uploads/623df33da19c6494128e943a/reports/f5ea79a7-f879-4cdd-83ee-e9a5f2cdcaef/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbad76c7-8d97-412e-bf8b-04be6b892694
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964740
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 597217 Sample: HC48ucokZ2.exe Startdate: 25/03/2022 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Antivirus / Scanner detection for submitted sample 2->34 36 7 other signatures 2->36 8 HC48ucokZ2.exe 15 2->8         started        process3 file4 26 C:\Users\user\AppData\Roaming\vaqvame.exe, PE32 8->26 dropped 38 Detected unpacking (creates a PE file in dynamic memory) 8->38 40 Found evasive API chain (may stop execution after checking mutex) 8->40 42 Self deletion via cmd delete 8->42 44 5 other signatures 8->44 12 vaqvame.exe 4 8->12         started        15 HC48ucokZ2.exe 75 8->15         started        signatures5 process6 dnsIp7 46 Antivirus detection for dropped file 12->46 48 Multi AV Scanner detection for dropped file 12->48 50 Machine Learning detection for dropped file 12->50 58 2 other signatures 12->58 18 RegAsm.exe 2 12->18         started        28 62.204.41.69, 49758, 80 TNNET-ASTNNetOyMainnetworkFI United Kingdom 15->28 52 Self deletion via cmd delete 15->52 54 Tries to harvest and steal browser information (history, passwords, etc) 15->54 56 Tries to steal Crypto Currency Wallets 15->56 20 cmd.exe 1 15->20         started        signatures8 process9 process10 22 conhost.exe 20->22         started        24 timeout.exe 20->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f26b9b399e238579178958fc76c17ab1a605a33cb6bd6d47aac073596a2dee6/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-03-25 12:33:12 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4tltm4z4i4fpelyswh4o3axvmngawrtznv5nvd2vqdtlfvc33ta._file
Verdict:
malicious
Similar samples:
034e8e297165eeb14372eea7a7e68756e561df39b84c5be924e542a36dee7418
RedLineStealer
1b9339d0a70cdef37f4827a81100f9e8158a5633dc8b7a2c3b616f070ce49b5d
RedLineStealer
2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9
RedLineStealer
547bf6d6ed5ae181513ed653109514c73e5f50c3ea3a094bcd382fbd3c4b4bb0
RedLineStealer
7982b6446285ca06d96a1bc1e0ac8a2618123664173bff105d02e22bf617c757
RedLineStealer
9d4a0a8ffa11fc953750c07bd6997bcd23871fe277f65b4113e197b779aa24f0
RedLineStealer
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
RedLineStealer
d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445
RedLineStealer
fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
RedLineStealer
+ 11'095 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:azorult family:redline botnet:03252020 botnet:default discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/220325-vdf78aacf3/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Arkei
Azorult
RedLine
RedLine Payload
Malware Config
C2 Extraction:
62.204.41.166:27688
http://62.204.41.69/p8jG9WvgbE.php
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
33c13f39cedaceb3b819806d15ae95d78216af888701c7456cda0f1624da278f
MD5 hash:
95957193082f6a11792e23636c33dbf3
SHA1 hash:
130a0e568005f876ed461c3fa64a0896d6c8837f
Link:
https://www.unpac.me/results/56af052d-02e5-4f1a-8b32-0528bd71df57/
SH256 hash:
dfa5b660d5bd0ccf8ca30cd7864f8e8b51f46cd94b8600fa0bffc0bee56c3e0e
MD5 hash:
9481a1c4286c666f3ad0b4431e392f3b
SHA1 hash:
27b5058d90dceb0f1e561370756e58e9008cb12c
Link:
https://www.unpac.me/results/56af052d-02e5-4f1a-8b32-0528bd71df57/
SH256 hash:
4f26b9b399e238579178958fc76c17ab1a605a33cb6bd6d47aac073596a2dee6
MD5 hash:
5df8405843064ea58e387a7f9c6fc0b9
SHA1 hash:
e5c9d0a5f200e1bb60464ba6510f8d6cb73a9ecc
Link:
https://www.unpac.me/results/56af052d-02e5-4f1a-8b32-0528bd71df57/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4f26b9b399e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f26b9b399e238579178958fc76c17ab1a605a33cb6bd6d47aac073596a2dee6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4f26b9b399e238579178958fc76c17ab1a605a33cb6bd6d47aac073596a2dee6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1746809/
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
URLhaus
https://urlhaus.abuse.ch/url/1746813/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
Cape
Cape
https://www.capesandbox.com/analysis/257799/

Comments