MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666
SHA3-384 hash:	e0a944fa63b97a3caab3228b9d15a0a0190122189b93d1cbbb6939f37b76dbe755932306baae11cd622bc0e17d59d172
SHA1 hash:	4e71562ac3eb1912ef8fb728aab23520b618f543
MD5 hash:	e708d707d501cbe44f35c93978b13872
humanhash:	artist-yellow-eighteen-venus
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	370'688 bytes
First seen:	2023-03-08 20:20:45 UTC
Last seen:	2023-03-10 09:32:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	318b75056fe1945612232cd0eae11bd2 (8 x RedLineStealer, 1 x Smoke Loader, 1 x CobaltStrike)
ssdeep	6144:Yt1LlAnIwmJqyLRZ9Lw+AcZAnjbo2F4SqXAhd4eZu:Yt1ZAIBJqCZtpwjM2aXAhZZu
Threatray	16 similar samples on MalwareBazaar
TLSH	T1B974012177E0C432E6A7467028B09BE59F7FB87105398A4F3B690B686F307D196B6317
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	968ceab2b696dc19 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://91.215.85.15/doz.exe

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-03-08 20:22:19 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/14b57507-7523-427e-99dc-47dc258fab6e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/372689/

Detection(s):

Sanesecurity.Malware.28986.BadIN.UNOFFICIAL

Sanesecurity.Malware.28988.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult gozi greyware lockbit

Link:

https://www.filescan.io/uploads/6408ee2ff1a68c396b2dd359/reports/a5ca7ae5-59f7-4190-a0b6-3213369cf05b/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/97a7769d-6c3d-4b16-a283-0ddfca247667

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1189765

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-03-07 20:22:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 39 (61.54%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ysue6ljzs5257qdcbklm34jvzjo5ewnwnenqkk2jymix2e26ezta._file

Verdict:

malicious

RedLineStealer

0c1d1a60a0fc143c9fc830be48c53d488b414921cf4d97d66466ff2a628d1b4d

RedLineStealer

1cae7e40933c543d85b22fd00cf88898a5daa6118c8c50e9875472736a53eb7c

RedLineStealer

32e595d4c93e4e0ca55de6756cf23ea090ea45c86d958857f44109376b02e3b0

RedLineStealer

9bb31ac6d350fec7927ae213adec3f4363b815c7afce36495286a3c281db5412

RedLineStealer

9cda3093dddacbd05e0e9c8ce7320c73320ff2ea4b66ca3578b5b4fd9dc80fe2

RedLineStealer

a2d2e85551546b62fa238f23860cff382bcb3dfaff891d070105a01ba5c15626

RedLineStealer

a9cc7e813f650f2c50de712a456cef1fd375ab5addd057ba326aacacb1db346f

RedLineStealer

da67b579a79711316bea01386826c26dd956ce8cf31695d7391a243a7588143a

RedLineStealer

f0ec980108157002c8ca92507a2caa1f9a2cfa548959c7b1a2533ab7030966ee

RedLineStealer

+ 6 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230308-y4zc9sfg6v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

fe20253e6bcafed3a581e5269b6864d1fdf838983b0b4427bd9e4696ba3d1ffe

MD5 hash:

9297cc2bad28fe469640b35f8f9358a1

SHA1 hash:

b62081ed7e83a8721d5bf5df0d5ea9fdec2822e2

Detections:

redline

Link:

https://www.unpac.me/results/dad9a29b-8319-4ddb-aabf-c1313ebb1414/

Parent samples :

b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

SH256 hash:

db2c4acdeb934ae96e51b46b88f24dad4e43f69a90de44b8554e30b909ef29ca

MD5 hash:

9dc3abbfdcd1bb7cafb14a35b60d6713

SHA1 hash:

6aacaf8c94121006562f4a013283741340e99693

Detections:

redline

Link:

https://www.unpac.me/results/dad9a29b-8319-4ddb-aabf-c1313ebb1414/

Parent samples :

b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
319f678b8bf7350d8a85d7a6185909f75ded81a976062ca8ef823177e90a649b
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
32e595d4c93e4e0ca55de6756cf23ea090ea45c86d958857f44109376b02e3b0
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

SH256 hash:

f4262b5eb59db26a6eb9534d7d8e57955ef5ef3079a439570cb32c9754baf696

MD5 hash:

bcc57bbabee21070c3b1c1c0d6549c1d

SHA1 hash:

374f18b741a610c8d532d793c52e2aae22fc7856

Link:

https://www.unpac.me/results/dad9a29b-8319-4ddb-aabf-c1313ebb1414/

SH256 hash:

c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

MD5 hash:

e708d707d501cbe44f35c93978b13872

SHA1 hash:

4e71562ac3eb1912ef8fb728aab23520b618f543

Link:

https://www.unpac.me/results/dad9a29b-8319-4ddb-aabf-c1313ebb1414/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c4a84f2d3997/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2556788/

Cape

https://www.capesandbox.com/analysis/372689/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample