MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae
SHA3-384 hash: 57bd2742933907cba7c4f2c7d88061f9fc9d25acf85467d85753b720b832888456bf8db0127dacbb4c5ff1558743ca18
SHA1 hash: e79bf35157e110c81a43af2f3b54d7a015f613b3
MD5 hash: 5ac3358abe03a6faa36599fe785b85b2
humanhash: november-leopard-red-alabama
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:331'128 bytes
First seen:2024-09-09 13:56:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:+7wpoNEo95MvVJDcDkpc1RJsaCAHX0BDQdX82mwM3xy:7poNRWFcDc2CA30pQdXhu3xy
Threatray 9 similar samples on MalwareBazaar
TLSH T18C6423010C9C0C05E7FF9BBBA0D186164EA2465516DCD38F5269B23BBFAE3651FE912C
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:exe RedLineStealer


Avatar
Bitsight
url: http://147.45.44.104/malesa/66ddde9c4d56a_crypted.exe#1

Intelligence

File Origin
# of uploads :
1
# of downloads :
417
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-09 13:57:08 UTC
Tags:
stealer redline metastealer pastebin telegram exfiltration crypto-regex ims-api
Link:
https://app.any.run/tasks/83d571f7-58ed-4634-8fe0-4bc507c3bdb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22038.13769.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66defeb06b8536bde965e3cb
Tags:
Encryption Static Redlinesteal
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Adding a root certificate
Changing a file
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/66defeb262e2338211082b2f/reports/8c539f81-96a8-4b16-98e2-0d268fb936ec/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf38b878-8969-4ba0-b56c-21800cfba17e
Result
Threat name:
MicroClip, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1508030
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Drops large PE files
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected MicroClip
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1508030 Sample: file.exe Startdate: 09/09/2024 Architecture: WINDOWS Score: 100 52 pastebin.com 2->52 54 api.telegram.org 2->54 56 smkn2sumbawabesar.sch.id 2->56 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 72 8 other signatures 2->72 11 file.exe 2 2->11         started        15 Path.exe 2->15         started        signatures3 68 Connects to a pastebin service (likely for C&C) 52->68 70 Uses the Telegram API (likely for C&C communication) 54->70 process4 file5 46 C:\Users\user\AppData\Local\...\file.exe.log, CSV 11->46 dropped 90 Contains functionality to inject code into remote processes 11->90 92 Writes to foreign memory regions 11->92 94 Allocates memory in foreign processes 11->94 96 Injects a PE file into a foreign processes 11->96 17 RegAsm.exe 21 25 11->17         started        22 conhost.exe 11->22         started        signatures6 process7 dnsIp8 48 45.91.202.63, 25415, 49707 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 17->48 50 smkn2sumbawabesar.sch.id 194.163.35.141, 443, 49708 NEXINTO-DE Germany 17->50 42 C:\Users\user\AppData\Local\...\filename.exe, PE32 17->42 dropped 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->74 76 Installs new ROOT certificates 17->76 78 Found many strings related to Crypto-Wallets (likely being stolen) 17->78 80 3 other signatures 17->80 24 filename.exe 14 9 17->24         started        file9 signatures10 process11 dnsIp12 58 api.telegram.org 149.154.167.220, 443, 49712, 49715 TELEGRAMRU United Kingdom 24->58 60 pastebin.com 104.20.3.235, 443, 49711, 49714 CLOUDFLARENETUS United States 24->60 44 C:\ProgramData\Path\Path.exe, PE32 24->44 dropped 82 Antivirus detection for dropped file 24->82 84 Multi AV Scanner detection for dropped file 24->84 86 Machine Learning detection for dropped file 24->86 88 2 other signatures 24->88 29 Path.exe 14 2 24->29         started        32 cmd.exe 24->32         started        file13 signatures14 process15 signatures16 98 Antivirus detection for dropped file 29->98 100 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 29->100 102 Uses schtasks.exe or at.exe to add and modify task schedules 29->102 34 schtasks.exe 29->34         started        36 conhost.exe 32->36         started        38 timeout.exe 32->38         started        process17 process18 40 conhost.exe 34->40         started       
Score:
76%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae/
Threat name:
Win32.Spyware.Metastealer
Create hunting rule
Status:
Malicious
First seen:
2024-09-08 18:25:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yraurqhtyffoukboyeloo2hv2pcyuudhfwpewodhdgfdibu36kxa._file
Verdict:
malicious
Similar samples:
1071d6290a7dd366135a37c2667366e6642d719c34f25a6ed02bba9de9fa99d0
RedLineStealer
2c0f008432d2604d3578b9ba1f896ecaff4add7d6ece6051f5940de892c26c91
RedLineStealer
37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad
RedLineStealer
b16ef1bdc9bcba0db197bba5bca6fa08ece713de76412e6bea6de5a8dab2af6f
RedLineStealer
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (tg: @logsdillabot) credential_access discovery infostealer spyware stealer
Link:
https://tria.ge/reports/240909-q8849stfrd/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
45.91.202.63:25415
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/81cf0d8a-a5fd-42ef-9264-888dbc6a0fa1
Unpacked files
SH256 hash:
1ef55e48395e0f2579c32129a75d552e0ce1d1bb417264a9d60281a07d995ee6
MD5 hash:
4882eaaa1fc6598529de4c12947823f0
SHA1 hash:
0abae6850d2d4cac6f62fd1f7601c4d73a519237
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/1bcb144d-6238-424a-9e59-77385b01b12c/
Parent samples :
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae
0b6cd2b1e18193ba33edbd6a3fc464a6e302f0da7f881dd48aedbf6ba993aa32
eb61898f47a0fc4109e1b5368162d6e64aec443193b40792a9d9e918f93d8b20
SH256 hash:
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae
MD5 hash:
5ac3358abe03a6faa36599fe785b85b2
SHA1 hash:
e79bf35157e110c81a43af2f3b54d7a015f613b3
Link:
https://www.unpac.me/results/1bcb144d-6238-424a-9e59-77385b01b12c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c44148c0f3c1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3164206/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments