MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4479032b4e852fe1929d7f34c9895523ece2574701f5b7f3d7d9471a98f46c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: a4479032b4e852fe1929d7f34c9895523ece2574701f5b7f3d7d9471a98f46c7
SHA3-384 hash: b1dee46e4e6203fb8e73ae4b54c3c9dd3ca4622c44daa8936f1daed0e380c62e8c6dad31f3cb2bd32f3e493c70f09bac
SHA1 hash: 23f7fadd430a8c4b458f27887ac4b338fc218ca3
MD5 hash: a8eb86629c126b63d70237ead1b936d7
humanhash: pluto-april-vegan-alanine
File name: a8eb86629c126b63d70237ead1b936d7.exe
Signature: RedLineStealer
File size: 4'194'304 bytes
First seen: 2022-12-29 20:20:23 UTC
Last seen: 2022-12-29 21:33:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'510 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 98304:7Ri6I14s8BOvvgAUL3Ek3AxOQNyjoOPzlN2kKwlhcHRe:t6j8BOvv5m3Ek3AxmDzlN2mlB
Threatray: 1'990 similar samples on MalwareBazaar
TLSH: T154163352A11436BAD1ED7DF80F24C41F99F2A3CF273457E5D9522A7B2E3DC0AE0092A5
TrID: 47.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      10.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe RedLineStealer
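The digests above are the first thing to check once a copy of the sample is in hand: re-hash it before it goes anywhere near an analysis VM and require every listed algorithm to agree, since a lone MD5 match is weak evidence of identity. What follows is an added example, not MalwareBazaar's own code. EXPECTED holds the four digests printed on this page; demo() hashes a constructed placeholder byte string instead of the real sample, so it deliberately reports a mismatch for every algorithm, which is the failure mode a practitioner wants to see surfaced rather than silently ignored.

```python
"""Re-hash a downloaded sample and check it against the digests on this page.

Added example, not MalwareBazaar's own code. EXPECTED holds the digests
printed in the entry above; demo() hashes a constructed placeholder rather
than the real sample, so it deliberately reports mismatches.
"""
import hashlib

# Digests as listed on this MalwareBazaar entry (hex). Keys are hashlib names.
EXPECTED = {
    "sha256": "a4479032b4e852fe1929d7f34c9895523ece2574701f5b7f3d7d9471a98f46c7",
    "sha3_384": "b1dee46e4e6203fb8e73ae4b54c3c9dd3ca4622c44daa8936f1daed0e380c62e8c6dad31f3cb2bd32f3e493c70f09bac",
    "sha1": "23f7fadd430a8c4b458f27887ac4b338fc218ca3",
    "md5": "a8eb86629c126b63d70237ead1b936d7",
}


def compute_digests(data: bytes) -> dict:
    """Return {algorithm: hexdigest} for the four algorithms the entry lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in EXPECTED}


def digest_file(path, chunk_size=1 << 20) -> dict:
    """Same as compute_digests but streams the file in chunks, so a multi-MB
    sample is hashed without being read into memory in one piece."""
    hashers = {algo: hashlib.new(algo) for algo in EXPECTED}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def verify(actual: dict, expected: dict = EXPECTED) -> dict:
    """Return {algorithm: (expected, actual)} for every listed digest that
    disagrees. An empty dict means every algorithm on the page matched.
    Comparison is case-insensitive because vendors print hex in both cases."""
    return {
        algo: (want.lower(), actual[algo].lower())
        for algo, want in expected.items()
        if actual[algo].lower() != want.lower()
    }


def demo() -> dict:
    # Constructed placeholder bytes standing in for the downloaded sample;
    # they match none of the digests on the page, so every algorithm mismatches.
    placeholder = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the real sample"
    return verify(compute_digests(placeholder))


if __name__ == "__main__":
    for algo, (want, got) in demo().items():
        print(f"{algo}: expected {want} got {got}")
```

For a real download, call verify(digest_file("path/to/sample.exe")) and refuse to proceed unless it returns an empty dict; a partial agreement (say MD5 and SHA1 match but SHA256 does not) means the file is not the one catalogued here.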


abuse_ch:
RedLineStealer C2:
104.193.255.48:80

Intelligence

File Origin
# of uploads: 2
# of downloads: 181
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a8eb86629c126b63d70237ead1b936d7.exe
Verdict: No threats detected
Analysis date: 2022-12-29 20:23:14 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean

Result
Maliciousness:
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed redline shell32.dll shelma

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature:
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Snort IDS alert for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Yara detected RedLine Stealer
Behaviour: (behavior graph not reproduced in this extract)

Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2022-12-27 00:21:51 UTC
File Type: PE (Exe)
AV detection: 17 of 25 (68.00%)
Threat level: 2/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:123 discovery infostealer spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction: 104.193.255.48:80
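The extracted endpoint 104.193.255.48:80 is the one network IOC on this page, and it is the one worth sweeping historical connection logs for, since a hash only catches the file and the same C2 typically serves many rebuilt binaries. The block below is an added example, not code from MalwareBazaar or from any of the sandbox vendors whose verdicts appear above; the log lines in it are constructed for the demo and are not real traffic. It matches on the raw socket rather than on HTTP fields because a port-80 endpoint does not by itself mean the traffic is HTTP, and ip_only=True also flags contact with the address on other ports (line 3 of the sample log), since operators rotate ports far more readily than addresses. The Suricata-syntax rule string is likewise constructed here from the page's IOC, in the local sid range.

```python
"""Sweep connection logs for the RedLine C2 endpoint listed on this page.

Added example, not MalwareBazaar's or any vendor's code. The log lines are
constructed for the demo and are not real traffic.
"""
import ipaddress
import re

# C2 endpoint as shown under Malware Config -> C2 Extraction on this page.
C2_ENDPOINTS = {("104.193.255.48", 80)}

# Constructed "timestamp src -> dst proto" lines. Line 3 reaches the C2 address
# on a different port; line 4 is a near-miss address that must not match.
SAMPLE_LOG = """\
2022-12-29T20:25:01Z 10.0.0.15:49812 -> 104.193.255.48:80 tcp
2022-12-29T20:25:02Z 10.0.0.15:49813 -> 142.250.74.68:443 tcp
2022-12-29T20:25:09Z 10.0.0.22:51000 -> 104.193.255.48:8080 tcp
2022-12-29T20:25:10Z 10.0.0.15:49814 -> 104.193.255.4:80 tcp
"""

# Any "a.b.c.d:port" token, format-agnostic so the same sweep works on
# firewall, proxy or EDR exports. The lookarounds stop partial matches such
# as 104.193.255.4 inside 104.193.255.48.
ENDPOINT_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")


def find_c2_hits(log_text, endpoints=C2_ENDPOINTS, ip_only=False):
    """Return (line_no, ip, port) for every socket token that matches an IOC.

    With ip_only=True the address alone counts, whatever the port."""
    ioc_ips = {ip for ip, _ in endpoints}
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for ip, port in ENDPOINT_RE.findall(line):
            try:
                ipaddress.ip_address(ip)  # drops tokens like 999.1.1.1
            except ValueError:
                continue
            port = int(port)
            if (ip, port) in endpoints or (ip_only and ip in ioc_ips):
                hits.append((line_no, ip, port))
    return hits


# Constructed Suricata/Snort-syntax rule for the same IOC (local sid range).
SURICATA_RULE = (
    'alert tcp $HOME_NET any -> 104.193.255.48 80 '
    '(msg:"RedLine Stealer C2 104.193.255.48:80 (MalwareBazaar)"; '
    'flow:to_server; sid:1000001; rev:1;)'
)


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG, ip_only=True):
        print("C2 contact on line %d: %s:%d" % hit)
```

Run the strict form first to confirm the exact endpoint, then the ip_only form to widen the net; any hit on the address from a host that was never expected to talk to it is a reason to pull the process list and browser profile artefacts from that host, given the browser-data and wallet access the behaviour entries above describe.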
Result
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 9a86730c1f783ca96dfd5042af5be8a6a6bc7ae739ca7dd77e0c5454253ea956
MD5 hash: bd0dc62fd3e37065fa37d0eaed5d8fd7
SHA1 hash: 33c9bf80c896857b4b88fd0c4035338750b95d7e
Detections: redline

SHA256 hash: a4479032b4e852fe1929d7f34c9895523ece2574701f5b7f3d7d9471a98f46c7
MD5 hash: a8eb86629c126b63d70237ead1b936d7
SHA1 hash: 23f7fadd430a8c4b458f27887ac4b338fc218ca3

Please note that we are no longer able to provide a coverage score for VirusTotal.
