MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fbba8bdb65d473f64768724b7fef94845dad92ec8fdde2074778c8344e9ed01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	4fbba8bdb65d473f64768724b7fef94845dad92ec8fdde2074778c8344e9ed01
SHA3-384 hash:	94f3cbfa43fd2092bfdc12176e73cee6f6835196debb9a0c3a4b90f2d2cd5d25d95a0041487fbf57f8e116773d55ca75
SHA1 hash:	76f03cd7c177e0b4b6d0c84e68dde47713feefbe
MD5 hash:	7e1322576651962fadf5cfb2c64abf02
humanhash:	king-floor-oklahoma-fourteen
File name:	7e1322576651962fadf5cfb2c64abf02
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	320'512 bytes
First seen:	2021-09-18 01:34:58 UTC
Last seen:	2021-09-18 02:53:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8771048b1c01475c23bc95fc636ac433 (7 x RaccoonStealer, 4 x RedLineStealer, 1 x DanaBot)
ssdeep	6144:7RAx+F2/Q8a8DbxoI4YAxDb4dPEQAxpD/74vtQlRESo5j+0DU:lL/8a8Dt4YADb4T2pD/74vtQlwV
Threatray	6'019 similar samples on MalwareBazaar
TLSH	T18664CF20B690C035E4B712F959BA93B9B83D7AB15F3450CB62E616FA12343E8DD30787
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7e1322576651962fadf5cfb2c64abf02

Verdict:

Malicious activity

Analysis date:

2021-09-18 01:35:53 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/cd427446-31ff-4507-9ffc-a86eb9659576

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/188860/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.11719.130.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Connection attempt to an infection source

Sending a TCP request to an infection source

Stealing user critical data

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5927df04-74f7-42a2-a524-bb302e074938

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/853098

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4fbba8bdb65d473f64768724b7fef94845dad92ec8fdde2074778c8344e9ed01/

Threat name:

Win32.Trojan.RedlineStealer

Status:

Malicious

First seen:

2021-09-18 01:35:06 UTC

AV detection:

14 of 45 (31.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j652rpnwlvdt6zdwq4slp7xzjbc5vwjozd654iduo6gigrhj5uaq._file

Verdict:

malicious

RedLineStealer

09d58d081dd9364e99857ac273d52a17a0473cc64e64d0e15b2b9b2f67ef2d49

RedLineStealer

0ed83aa95f87e65e843b791c92419d0c1d34e5b01cc0be01715009f679ddc220

RedLineStealer

121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e

RedLineStealer

24bb15d093025a935e0de62e850056aea484990c713517cd53de6696b5e9db52

RedLineStealer

4f95ff3d34492ddb8ca5afcc1c0940c1156bb713d9278678bfdd1c59963a3070

RedLineStealer

b821da19f3f294e14b95e0a9c2b2926fbac983986494e81278ba4d3b7c5502a4

RedLineStealer

+ 6'009 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:udp discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210918-bzplyaggb8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.20:13441

Unpacked files

SH256 hash:

90b0e7d902727351e4a88f3b02c2d3d15d202b2a0ea118c961c21c258617c1cf

MD5 hash:

6ac070b383c57c84bce059f1611a8bc0

SHA1 hash:

f8768f72c0cc63945cbe31b75e39a9d207db06b5

Link:

https://www.unpac.me/results/2f41f201-2550-4c45-a26f-ee7f99311f1c/

SH256 hash:

74ec8e7f6661e87226bb95a4ba97ae828c45f3142b78d068492cff7162bbbd47

MD5 hash:

f007c18cee4cbdd6992122a8a216ccc0

SHA1 hash:

5b931b76947bb4484ae7b94a60e83c65f92b21b3

Link:

https://www.unpac.me/results/2f41f201-2550-4c45-a26f-ee7f99311f1c/

SH256 hash:

fc667313899f6647f9d67a16af1234ac6b109223b7c3ce0d178614985cfd27e9

MD5 hash:

24eb234842defb045592109e300bed32

SHA1 hash:

4fa3017ddf932a7f7ae7fbbeda7eacbea609f283

Link:

https://www.unpac.me/results/2f41f201-2550-4c45-a26f-ee7f99311f1c/

SH256 hash:

4fbba8bdb65d473f64768724b7fef94845dad92ec8fdde2074778c8344e9ed01

MD5 hash:

7e1322576651962fadf5cfb2c64abf02

SHA1 hash:

76f03cd7c177e0b4b6d0c84e68dde47713feefbe

Link:

https://www.unpac.me/results/2f41f201-2550-4c45-a26f-ee7f99311f1c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4fbba8bdb65d473f64768724b7fef94845dad92ec8fdde2074778c8344e9ed01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 4fbba8bdb65d473f64768724b7fef94845dad92ec8fdde2074778c8344e9ed01

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/188860/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample