MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
SHA3-384 hash: f54a76814fc7557fc1b160d9c4ec358a08970a53cf21cc253d7a979f7ffee8e3c9cfe6874bceb110a90f8182075a4074
SHA1 hash: 55a15b7fd693a0b1fa3f38679c3aeb48d9213486
MD5 hash: 638aada1a331d4e78016c5690510b6ff
humanhash: sodium-thirteen-sink-twelve
File name:94846EDFED07F0DFFAB570F7C0E746E0077012FA5854B6B610552A8CA5A48F74.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:384'000 bytes
First seen:2024-07-24 19:12:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b43e1344b27321e8381c60a4a19bca2 (6 x Stop, 4 x RedLineStealer, 1 x Ransomare.Stop)
ssdeep 6144:2Psht3wMkq6OdDe5hdbULfrVkWu97/1cz0GDDS1Odec/WEHH8ZSc475+rDdP4T6p:2PDMkqXDe5PaDe97g0yFbHcZSr7YP
Threatray 1'434 similar samples on MalwareBazaar
TLSH T1CB84CF10B790D035F5B722F4497BD3ADB93E7AB05B6461CB62E95AEA02346E4EC30317
TrID 31.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
17.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.7% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 8c9a8ceeaa9ecc8c (2 x RedLineStealer)
Reporter Anonymous
Tags:exe RedLineStealer


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a15242cb3d02fa0e49566a
Tags:
Execution Generic Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Modifying an executable file
Query of malicious DNS domain
Connection attempt to an infection source
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a152824c5c17942a7d0808/reports/681d804a-96d6-4f15-9dae-3b36fc3a3160/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85812852-fff7-4da0-a5c9-252129b1dec3
Result
Threat name:
Bdaejec, RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480614
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Yara detected Bdaejec
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 19:13:06 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2behp6peuadjssy6ptmdcoklnrgh6w6xq7qtsjzrlf25o2occ2kq._file
Verdict:
malicious
Similar samples:
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
RedLineStealer
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
RedLineStealer
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
RedLineStealer
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
RedLineStealer
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
RedLineStealer
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
RedLineStealer
+ 1'424 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:50n aspackv2 discovery infostealer
Link:
https://tria.ge/reports/240724-xw36tasfkj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.106.191.123:34450
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d56d52b8-e423-43da-9286-d7ff3c293e06
Unpacked files
SH256 hash:
2767de6964de10e75abc9d3d0cabe6b8d388a3b7af8a145f1a4ec88d10339510
MD5 hash:
4ed460470422fe23a6d880ed25b83209
SHA1 hash:
f42368aa1e6caf6c391bb971bc60750aefcfe721
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
Link:
https://www.unpac.me/results/463b08fb-fc0d-4cc7-b84c-297d4387b4c7/
Parent samples :
33c53b90bd463b6615931cb912bfe4bc25aec284b75e7a5df2f1a2d00cdf759e
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
75cbc91956cfc4c996d770124fc8e5b463ca25385f649aa442a5e398e272466a
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
27dec375f899651165489656df7d373a5511858e0b60be20763e5cccbe2f0245
305fba30150eb93af89d69366eef465ea9892a78775f41c79343b2b2b33ff442
d84137f81a51a3de088f2b18e4409d653c7dcda854761b63d2d8968824a5f479
57d53aa206e547c03001850bc5c6141bc94f3daf6505f32bd6ab415787b37241
fe7525bd0374eded2a65bb894a599973d6dce62f3149b4de01d57608349c1e11
aece79a736d19ec249f8d188c0f5f041e073e26a9cc34a215066eb62a1167f29
9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
SH256 hash:
e91235274497606449cd88b55806818968beb74b2b07c6d2f1bde7aa63d1273a
MD5 hash:
a579937aa5afe3fa3358c95bdbb00300
SHA1 hash:
6638780c6885831197a3cd7d129ef457524d4b57
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/463b08fb-fc0d-4cc7-b84c-297d4387b4c7/
Parent samples :
33c53b90bd463b6615931cb912bfe4bc25aec284b75e7a5df2f1a2d00cdf759e
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
75cbc91956cfc4c996d770124fc8e5b463ca25385f649aa442a5e398e272466a
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
27dec375f899651165489656df7d373a5511858e0b60be20763e5cccbe2f0245
305fba30150eb93af89d69366eef465ea9892a78775f41c79343b2b2b33ff442
d84137f81a51a3de088f2b18e4409d653c7dcda854761b63d2d8968824a5f479
57d53aa206e547c03001850bc5c6141bc94f3daf6505f32bd6ab415787b37241
fe7525bd0374eded2a65bb894a599973d6dce62f3149b4de01d57608349c1e11
aece79a736d19ec249f8d188c0f5f041e073e26a9cc34a215066eb62a1167f29
9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
SH256 hash:
8649f7e4e216932a183e51fc921ed31f9d158ae4274f290e36f4fdf62eaa9d8c
MD5 hash:
c875d51539971dd9b84990610b131906
SHA1 hash:
24c526387e9123a399d41e9b6f1a56c9429b5226
Detections:
win_samsam_auto
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
Link:
https://www.unpac.me/results/463b08fb-fc0d-4cc7-b84c-297d4387b4c7/
Parent samples :
33c53b90bd463b6615931cb912bfe4bc25aec284b75e7a5df2f1a2d00cdf759e
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
75cbc91956cfc4c996d770124fc8e5b463ca25385f649aa442a5e398e272466a
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
27dec375f899651165489656df7d373a5511858e0b60be20763e5cccbe2f0245
305fba30150eb93af89d69366eef465ea9892a78775f41c79343b2b2b33ff442
d84137f81a51a3de088f2b18e4409d653c7dcda854761b63d2d8968824a5f479
57d53aa206e547c03001850bc5c6141bc94f3daf6505f32bd6ab415787b37241
fe7525bd0374eded2a65bb894a599973d6dce62f3149b4de01d57608349c1e11
aece79a736d19ec249f8d188c0f5f041e073e26a9cc34a215066eb62a1167f29
9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
SH256 hash:
557c5511b29ce84acb1dfc23def1176609adf66a134c02ad046f4a765f9cb4d9
MD5 hash:
dd0f3f8a551f74bd1db82772a5842686
SHA1 hash:
ac7b8052d5331b85b8007613d7758e5308467c9a
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/463b08fb-fc0d-4cc7-b84c-297d4387b4c7/
SH256 hash:
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
MD5 hash:
638aada1a331d4e78016c5690510b6ff
SHA1 hash:
55a15b7fd693a0b1fa3f38679c3aeb48d9213486
Link:
https://www.unpac.me/results/463b08fb-fc0d-4cc7-b84c-297d4387b4c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::FlushConsoleInputBuffer
KERNEL32.dll::WriteConsoleInputW
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleOutputCharacterW
KERNEL32.dll::WriteConsoleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileWithProgressA
KERNEL32.dll::MoveFileA

Comments