MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4e1a605afe024bb020bb043c2309f593b01a81490f78faac5f9492c7b5c0337. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: c4e1a605afe024bb020bb043c2309f593b01a81490f78faac5f9492c7b5c0337
SHA3-384 hash: c440de8818b0ebc25a783160850f63195d4cc9e39eb83dff24ccd55b132a23a19d63b2cc2d70139f602ce5d0cdad634f
SHA1 hash: e100ddec8275e37b932479b5e5f2d50460d9423b
MD5 hash: a3ab6f9a6640d9713b847e7e95f2eb91
humanhash: green-solar-shade-florida
File name: a3ab6f9a6640d9713b847e7e95f2eb91.exe
Signature: RedLineStealer
File size: 911'906 bytes
First seen: 2022-02-24 22:01:19 UTC
Last seen: 2022-02-25 00:14:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 07d01df7a4dcda0b6d5a5f3bdc8aa070 (1 x RedLineStealer)
ssdeep: 24576:jOC1FJwWlj++WfQWr8Cd2Z/w9SmjcnibkHcS8EXl6rF:1F96bACd2u9YibfEXcF
Threatray: 6'571 similar samples on MalwareBazaar
TLSH: T1E2151251BE84803DE2E912719A7E3F7C4ABCDE24072621D757E078256EB84E3B638357
dhash icon: cc8eb292968eb2b2 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
65.108.20.64:46786

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 65.108.20.64:46786
ThreatFox Reference: https://threatfox.abuse.ch/ioc/390797/

Intelligence


File Origin
# of uploads: 2
# of downloads: 272
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Creating a file
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
keylogger overlay packed shell32.dll vawtrak
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
68 / 100
Signature
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Svchost Process
Behaviour
Behavior Graph:
Behavior Graph ID: 578550
Sample: biocuPRJyR.exe
Startdate: 24/02/2022
Architecture: WINDOWS
Score: 68
Signatures on the start node: Multi AV Scanner detection for submitted file; Sigma detected: Execution of Suspicious File Type Extension; Sigma detected: Suspicious Svchost Process
Process tree (as rendered in the graph):
  biocuPRJyR.exe (started); signature: Contains functionality to register a low level keyboard hook
    cmd.exe (started); signatures: Obfuscated command line found; Drops PE files with a suspicious file extension
      cmd.exe (started); dropped file: C:\Users\user\AppData\Local\...\Far.exe.pif, PE32; signature: Obfuscated command line found
        Far.exe.pif (started); DNS/IP: tzDMpUHvEWM.tzDMpUHvEWM
        tasklist.exe (started)
        tasklist.exe (started)
        4 other processes
      conhost.exe (started)
    cmd.exe (started)
      conhost.exe (started)
    svchost.exe (started)
Threat name:
Win32.Trojan.Tnega
Status:
Malicious
First seen:
2022-02-22 10:33:43 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 28 (64.29%)
Threat level:
5/5
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline botnet:war infostealer spyware
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
65.108.20.64:46786
Unpacked files
SHA256 hash:
f21727b933293c4f7e75e0eb6129e02c9aa58bdcf8f8fa44fc76bc74e611e7c4
MD5 hash:
3d044dc721df2051289f220dc20a980c
SHA1 hash:
63b01022355d810add3fd1756fb72018ea2c34f1
SHA256 hash:
c4e1a605afe024bb020bb043c2309f593b01a81490f78faac5f9492c7b5c0337
MD5 hash:
a3ab6f9a6640d9713b847e7e95f2eb91
SHA1 hash:
e100ddec8275e37b932479b5e5f2d50460d9423b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments