MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4298f77e454bd5f0bd58913f95ce2d2af8653f3253e22d944b20758bbc944b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments 1

SHA256 hash:	b4298f77e454bd5f0bd58913f95ce2d2af8653f3253e22d944b20758bbc944b4
SHA3-384 hash:	bc363c84f6b02867852a24d8a119a1ded75f59fb2d9f124f798f3b6bf5d752c9bed6eed89a846a4175d7c46ecca7435c
SHA1 hash:	87eb7a01e9e54e0a308f8d5edfd3af6eba4dc619
MD5 hash:	6adb5470086099b9169109333fadab86
humanhash:	earth-speaker-jersey-comet
File name:	6adb5470086099b9169109333fadab86
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	557'664 bytes
First seen:	2022-01-15 10:02:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f8345c0cb269c7cdcd38445b6587b155 (1 x RedLineStealer)
ssdeep	12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
Threatray	229 similar samples on MalwareBazaar
TLSH	T120C4E0E85549534BE4FDFF7CE306E5B8A22A1DAAF1CC438298157C8E0B768D5901FC4A
File icon (PE):
dhash icon	f0d8cccab68ce070 (1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6adb5470086099b9169109333fadab86

Verdict:

Suspicious activity

Analysis date:

2022-01-15 10:06:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ceb57756-44ce-4fc1-a796-8081c1795d81

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/219499/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.24877.11786.10326.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

DNS request

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/61e29be1e997359713f1b3fb/reports/6739ad40-331a-4613-9b50-dc707a62ad2b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b218339-e9fe-4d7f-95de-622f291990ec

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/921133

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4298f77e454bd5f0bd58913f95ce2d2af8653f3253e22d944b20758bbc944b4/

Threat name:

Win32.Infostealer.Generic

Status:

Suspicious

First seen:

2022-01-14 09:23:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wquy657eks6v6c6vrej7sxhc2kxymu7teu7cfwkewidvro6jis2a._file

Verdict:

malicious

Label(s):

ryuk

RedLineStealer

0efde7ce3c9faa2cd31bb3053fa0adb1cafdf9a42b847d45849c3f5d7270b4f6

RedLineStealer

15cea3c23e9d0f1ec3a748746bd425d642ae25b042b1b36c8364f721235f0f0d

RedLineStealer

27e3dba2c9a650f67d7d14b0fcc6c49cbf71b995e555651736b10030804c31e1

RedLineStealer

31766eecb30b54ce96546c75d37a133ee490b808e71b99c59b2e0cf703a27553

RedLineStealer

862bca412c4b47a0036d1963ec1c7bb1d5b404bd4d203b4d7c9cd82856281d55

RedLineStealer

f3f6a9292fb02c58a1c2a803845f04181658a539706ba03dfdb57404a40f1053

RedLineStealer

f6e66176892baaf25ab56e5d0f77efc2936d101d0adc8243b97e1a5dec244b02

RedLineStealer

+ 219 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220115-l3ek9aebcp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

b9ebe7196d04a674cad5120604071cd4af4a4b89ffa0fde663cd9958cbcbf4f8

MD5 hash:

6139fdebe718ef409abd284e2440c076

SHA1 hash:

8aeae60190f51961fc7d1a386c59466025d1dee4

Link:

https://www.unpac.me/results/d7f2809c-0008-42f4-9954-fffa56d81b09/

SH256 hash:

b4298f77e454bd5f0bd58913f95ce2d2af8653f3253e22d944b20758bbc944b4

MD5 hash:

6adb5470086099b9169109333fadab86

SHA1 hash:

87eb7a01e9e54e0a308f8d5edfd3af6eba4dc619

Link:

https://www.unpac.me/results/d7f2809c-0008-42f4-9954-fffa56d81b09/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4298f77e454bd5f0bd58913f95ce2d2af8653f3253e22d944b20758bbc944b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.