MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fc6b82cb39e7ba08b5c9d519bf11111e76d3313f0e2bd93c3b67d15b155c2e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fc6b82cb39e7ba08b5c9d519bf11111e76d3313f0e2bd93c3b67d15b155c2e7
SHA3-384 hash: e740b958ab6bb95080f3006f393eec1a52e4b0fcdf72894a2b19c197a2afc2d80e9e07a779974bc0c4b10c5107fcee88
SHA1 hash: 0e476fde9eb2f99c36af59833f93fafe5d5ad291
MD5 hash: 7f8a15aca0965d3ef7f5e36245ee20fa
humanhash: venus-kilo-music-tennis
File name:SecuriteInfo.com.Trojan.GenericKD.45853323.31157.31821
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:925'184 bytes
First seen:2021-03-07 23:31:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:ptqmRTTqKdijAEoZHeMg1cHZq9rgAuvJ:ptAwxZzCSZMrL
Threatray 112 similar samples on MalwareBazaar
TLSH 9015BE29BB807BE2E61C4F36C5335610C3F1C2636632F3FB6EE059D5A612B49CA1E446
Reporter SecuriteInfoCom
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.45853323.31157.31821
Verdict:
Malicious activity
Analysis date:
2021-03-07 23:34:31 UTC
Tags:
rat redline trojan
Link:
https://app.any.run/tasks/6aea1a60-b266-4a1d-a763-b317b67d6487

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122702/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45853323.31157.31821.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a file
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/630813
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fc6b82cb39e7ba08b5c9d519bf11111e76d3313f0e2bd93c3b67d15b155c2e7/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-07 06:43:00 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d
RedLineStealer
72f30e8884110e06b133ecabfdbf523aef8cc5533273aa3e12afee785a5a45bc
RedLineStealer
99a9903d77272e93c262ae1391ef64f0639835f0cc9fc8b07f6fbc4d1bf40c5a
RedLineStealer
9dde30eea4bc51f6561d857ecb624f09e3257c3a015ff49a8f22f206fcab45c1
RedLineStealer
9e4326708091e0200c65e604aa974e6032c0533e2fa1e71d39f8d78ebacd8195
RedLineStealer
a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037
RedLineStealer
afeb708ad46713f215fe9e8bfada31b7b518fcd081f1592778d514fc41012d3f
RedLineStealer
cfa2a92908f847cecdc4485e2ecc75d095c1ccbfb6dc64f9cda00a8b208c1f1f
RedLineStealer
d65fa2504374d19e221d6631799f41426450d650355098be07f7cfa667d80bf9
RedLineStealer
dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353
RedLineStealer
+ 102 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline agilenet discovery infostealer spyware
Link:
https://tria.ge/reports/210307-fhk16dylkn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
Unpacked files
SH256 hash:
4fc6b82cb39e7ba08b5c9d519bf11111e76d3313f0e2bd93c3b67d15b155c2e7
MD5 hash:
7f8a15aca0965d3ef7f5e36245ee20fa
SHA1 hash:
0e476fde9eb2f99c36af59833f93fafe5d5ad291
Link:
https://www.unpac.me/results/14b27f42-cd46-4855-af14-ebcf97e095a2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/4fc6b82cb39e7ba08b5c9d519bf11111e76d3313f0e2bd93c3b67d15b155c2e7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4fc6b82cb39e7ba08b5c9d519bf11111e76d3313f0e2bd93c3b67d15b155c2e7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1053165/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/122702/

Comments