MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f6070fe259cd83ed1947c7e56fac48d29869bdf8fb4ef4d853acdc4dc64760b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13


SHA256 hash: 4f6070fe259cd83ed1947c7e56fac48d29869bdf8fb4ef4d853acdc4dc64760b
SHA3-384 hash: 6a63c51c28c9446fe7c6c5b01b20bc20023c1426538f0071028538ca8fc9f0af910290601054b8a634a545f67edd3115
SHA1 hash: cefeb6661c83f953a8ea07161963f4e3f9d55541
MD5 hash: 2153e47a0dc1bb8431f3a5ba0cf4d8d6
humanhash: zebra-ohio-king-kitten
File name: 2153e47a0dc1bb8431f3a5ba0cf4d8d6.exe
Signature: RedLineStealer
File size: 370'176 bytes
First seen: 2022-03-21 15:47:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b1f4d968dd55bfd215498c3ca94c2cf7 (1 x RaccoonStealer, 1 x RedLineStealer)
ssdeep: 6144:yldhGIG4ihW54BilZrxOl4upQztHHp9HZIGnwVqBOtwRquN:0dhythW54BiFKatHHD5cVqBOtwR
Threatray: 8'728 similar samples on MalwareBazaar
TLSH: T17574C000F6A0D035F5F716F8597593B8A93E7EE2AB2090CB62D066EE56356E0DC3131B
dhash icon: 25ec1370399b9b91 (21 x Smoke Loader, 18 x RedLineStealer, 10 x Amadey)
Reporter: abuse_ch
Tags: exe RedLineStealer

Reporter comment
abuse_ch
RedLineStealer C2:
65.108.63.122:17814

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
65.108.63.122:17814 | https://threatfox.abuse.ch/ioc/434090/

Intelligence

File Origin
# of uploads: 1
# of downloads: 192
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult greyware mikey packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2022-03-16 07:12:00 UTC
File Type: PE (Exe)
Extracted files: 13
AV detection: 38 of 42 (90.48%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:abobo discovery infostealer spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 65.108.63.122:17814

Unpacked files
SHA256 hash | MD5 hash | SHA1 hash
7a7262cf109fd96bf7c5d2b1d184eae2d803243d6e1c08ba4d663281d91dc70f | 2aa4b59067603ace67175b2c9845825d | e15295288fb9e4a686f92ec25ef7c96dc951c79a
fab09f4e8e0a051aade757cb34294769f6d89f434d4d7f70339802eb25c53d1a | 463e8ca6988f268df9989808c25af4d2 | 9e0ea38876ab358df0b0e5eb6ec961e1c1f738cb
ad4203a7fbe830633113cffc0f9d771845ab4f7ef300a3f505aeac5c96a044b3 | 0d4d3fbe2a4e5ce1cef11f835e4e142e | 0056bb4761a185973a9851e84cb0278907450da6
4f6070fe259cd83ed1947c7e56fac48d29869bdf8fb4ef4d853acdc4dc64760b | 2153e47a0dc1bb8431f3a5ba0cf4d8d6 | cefeb6661c83f953a8ea07161963f4e3f9d55541

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File
Web download | RedLineStealer | Executable exe 4f6070fe259cd83ed1947c7e56fac48d29869bdf8fb4ef4d853acdc4dc64760b (this sample)

Delivery method: Distributed via web download

Comments