MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4444e8245f9dc5c2e49888bad1994ea74a20725128f4004abd46d27751783f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4444e8245f9dc5c2e49888bad1994ea74a20725128f4004abd46d27751783f4
SHA3-384 hash: 5288f2a5d684101e651a97591d0a79fe3a11088f23c00a260e2859a44296f6670a86a10d1a8f887f507f68108dfb8619
SHA1 hash: c5224ddfc008426ec2a394d345e17c7ce5b307b9
MD5 hash: fb1b5fa2bb47f205cda6bb8e6dd405ae
humanhash: hydrogen-pennsylvania-crazy-cardinal
File name:Michael-Martinez-Google-Maps-Route8.jpg.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'969'792 bytes
First seen:2023-01-28 12:58:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:aVLGsZu+aZ0DpsO4v9NSUrfxEyR4nKIgbIRTrlIY5eUoV69m/i47pHxdjn1IP:KLGmL2vHA6bqb0a4pHv1
Threatray 10'021 similar samples on MalwareBazaar
TLSH T15695948BBB708E42E09435F2C0DF1A22A3F167B71773D146BE051AA086D67861F57B4B
TrID 59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.6% (.SCR) Windows screen saver (13097/50/3)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f08a47cd910303be (1 x RedLineStealer)
Reporter 0xToxin
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Michael-Martinez-Google-Maps-Route8.jpg.exe
Verdict:
Malicious activity
Analysis date:
2023-01-28 13:01:00 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/580f0e0a-67ea-4a12-971a-79494cace367

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/357740/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63d51c162d4f6d560e2368ae/reports/9fcd0a29-73ad-4fa3-a9d8-5dc6154377b3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ecf32ad9-28fd-4593-8809-b480bfc604c8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160778
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4444e8245f9dc5c2e49888bad1994ea74a20725128f4004abd46d27751783f4/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-01-28 12:59:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
13 of 26 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2rce5asf7hofylsjrcf22gmu5j2kebzfckhuabfl2rwso5ixqp2a._file
Verdict:
suspicious
Similar samples:
23bd17fba8c0cb660dada2c952431dc7e335bbdfb8e34078da941a29652526d5
RedLineStealer
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
RedLineStealer
3ee82cb6b92599b06273f1a48091fdbab0ca285fb8147501a0392b8a2eba583c
RedLineStealer
47aaf274ba6635b13798292366c06640a3dff0d314b56aabf0dc4f6d22ab5bd4
RedLineStealer
4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea
RedLineStealer
8c3ef73edfa0ae05e257b02ade9d540c736426d9fa20eb8a923a1acb0d4cb72c
RedLineStealer
ad7e94c87890fd0d5e1ad30178606823c42c01b5e07bbc56bb86bf2bf3ae1477
RedLineStealer
c686c7b2fff2ad2853c1d450d44fcf96ff3df67f34205b6b4e0352153893c924
RedLineStealer
e69d8cb762149ef5d9cbc14ba3b4c1a48395c5261f9c404608a37c1807f1e19e
RedLineStealer
fe084e5fcd96061325aafd4528aedf59f3385a5c1bbf9daf3337ba1cabf4488f
RedLineStealer
+ 10'011 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/230128-p72s5agc7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Blocklisted process makes network request
Unpacked files
SH256 hash:
d4444e8245f9dc5c2e49888bad1994ea74a20725128f4004abd46d27751783f4
MD5 hash:
fb1b5fa2bb47f205cda6bb8e6dd405ae
SHA1 hash:
c5224ddfc008426ec2a394d345e17c7ce5b307b9
Link:
https://www.unpac.me/results/993d4aeb-61ec-42c9-aabb-d83d3559b536/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4444e8245f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4444e8245f9dc5c2e49888bad1994ea74a20725128f4004abd46d27751783f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/357740/

Comments