MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049
SHA3-384 hash: c7458c1551c1d9c63f336582aab63b25eef3889508a5e5081e0a1cb6e08456f33f50bd60652b8bc4d26d1dea51b4b276
SHA1 hash: 6a30c01505a666f109502e563df48287fc68af7b
MD5 hash: 05d2607674b12556392ad7d31c498bb2
humanhash: berlin-tennessee-spring-ohio
File name:file.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'103'872 bytes
First seen:2023-06-13 10:07:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f5db7731adf1fd2516934d54d3675e06 (1 x RedLineStealer)
ssdeep 6144:vhMIAaYKyQdiU+oboLaSORJ3k5QH2rCfdOrAOGLNf9C42PVWI/L6VGuXZ:vhMvaYTQdiU+oboLLuiELNOPVWIzmfZ
Threatray 121 similar samples on MalwareBazaar
TLSH T127356C4C66D14431D8BD50314FA98A684B282D2C8FF69DDB37B846EF4F21AF19A314E7
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-06-13 10:08:45 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/111ad0f4-bc01-40a3-a89f-ed2ec9f8e3cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398194/
Detection(s):
Win.Packed.Lazy-10002615-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90426/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware lolbin
Link:
https://www.filescan.io/uploads/64884003c6414862d206d8bf/reports/851e2ca7-102e-423a-b169-c6016616c1be/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c2c2514e-f302-463d-bcb5-98cca4ce8bad
Result
Threat name:
MinerDownloader, Laplas Clipper, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253493
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 886513 Sample: file.exe Startdate: 13/06/2023 Architecture: WINDOWS Score: 100 102 pastebin.com 2->102 120 Multi AV Scanner detection for domain / URL 2->120 122 Found malware configuration 2->122 124 Malicious sample detected (through community Yara rule) 2->124 126 18 other signatures 2->126 13 file.exe 1 2->13         started        16 powershell.exe 2->16         started        18 powershell.exe 2->18         started        signatures3 process4 signatures5 152 Contains functionality to inject code into remote processes 13->152 154 Writes to foreign memory regions 13->154 156 Allocates memory in foreign processes 13->156 158 Injects a PE file into a foreign processes 13->158 20 RegSvcs.exe 15 8 13->20         started        25 WerFault.exe 24 9 13->25         started        27 conhost.exe 13->27         started        29 conhost.exe 16->29         started        31 Upshot_o.exe 16->31         started        33 conhost.exe 18->33         started        35 Upshot_o.exe 18->35         started        process6 dnsIp7 104 95.216.249.153, 49699, 81 HETZNER-ASDE Germany 20->104 106 api.ip.sb 20->106 108 hersaclean.com 151.106.103.88, 443, 49707, 49708 PLUSSERVER-ASN1DE Germany 20->108 84 C:\Users\user\AppData\Local\...\ajetr2fx.exe, PE32 20->84 dropped 86 C:\Users\user\AppData\Local\...\Upshot_o.exe, PE32 20->86 dropped 88 C:\Users\user\AppData\Local\...\Doej4oa.exe, PE32 20->88 dropped 142 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->142 144 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->144 146 Tries to harvest and steal browser information (history, passwords, etc) 20->146 148 Tries to steal Crypto Currency Wallets 20->148 37 ajetr2fx.exe 1 20->37         started        40 Upshot_o.exe 1 1 20->40         started        43 Doej4oa.exe 20->43         started        110 192.168.2.1 unknown unknown 25->110 90 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->90 dropped file8 signatures9 process10 dnsIp11 128 Antivirus detection for dropped file 37->128 130 Multi AV Scanner detection for dropped file 37->130 132 Machine Learning detection for dropped file 37->132 138 3 other signatures 37->138 46 RegSvcs.exe 1 37->46         started        49 WerFault.exe 37->49         started        51 conhost.exe 37->51         started        118 65.109.64.82, 4308, 49709 ALABANZA-BALTUS United States 40->118 134 Found evasive API chain (may stop execution after checking mutex) 40->134 136 Creates autostart registry keys with suspicious values (likely registry only malware) 40->136 53 conhost.exe 40->53         started        100 C:\Users\user\AppData\Roaming\...\ntlhost.exe, PE32 43->100 dropped file12 signatures13 process14 signatures15 160 Writes to foreign memory regions 46->160 162 Injects a PE file into a foreign processes 46->162 55 AppLaunch.exe 46->55         started        60 conhost.exe 46->60         started        process16 dnsIp17 112 github.com 140.82.121.3, 443, 49713, 49714 GITHUBUS United States 55->112 114 raw.githubusercontent.com 185.199.110.133, 443, 49716, 49717 FASTLYUS Netherlands 55->114 116 pastebin.com 104.20.67.143, 443, 49712 CLOUDFLARENETUS United States 55->116 92 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 55->92 dropped 94 C:\ProgramData\Dllhost\dllhost.exe, PE32 55->94 dropped 96 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 55->96 dropped 98 C:\ProgramData\HostData\logs.uce, ASCII 55->98 dropped 150 Sample is not signed and drops a device driver 55->150 62 cmd.exe 55->62         started        65 cmd.exe 55->65         started        67 cmd.exe 55->67         started        file18 signatures19 process20 signatures21 164 Encrypted powershell cmdline option found 62->164 166 Uses schtasks.exe or at.exe to add and modify task schedules 62->166 69 powershell.exe 62->69         started        72 conhost.exe 62->72         started        74 conhost.exe 65->74         started        76 schtasks.exe 65->76         started        78 conhost.exe 67->78         started        80 schtasks.exe 67->80         started        process22 signatures23 140 Query firmware table information (likely to detect VMs) 69->140 82 wermgr.exe 69->82         started        process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049/
Threat name:
Win32.Trojan.LaplasClipper
Create hunting rule
Status:
Malicious
First seen:
2023-06-12 22:15:45 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rg7mlx3psnucbabmuzjpztatcajv6rqfb2ntbyrxaxcbbskqbeq._file
Verdict:
malicious
Similar samples:
1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20
RedLineStealer
2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29
RedLineStealer
34ec272be14b0de074ccaa9a4b2996e6e92579f94905ed20f3370d39e41fd2a3
RedLineStealer
57969c17dec58c9fa8fd79b063900cac9d4e91fc96105c7a185cab010a9893b2
RedLineStealer
82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
RedLineStealer
b06c5fb7651b8a6c683b62babcabd18da4d992f7d1e0f963c530832b18feacf4
RedLineStealer
ec50003de83269b82d86c2a2e4e44e6df77cc3aa7d3b967124b44cb47279c262
RedLineStealer
ede10b0831b70e13402d1210000353719d5164bc5480f0ff45de0e9e8cfa3498
RedLineStealer
fadd57bfef9fe4d5a74bc4a5a23e7218c7390d7b1954c0dfed8df2eaea1f6b2f
RedLineStealer
+ 111 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:laplas family:redline botnet:2 clipper infostealer persistence spyware stealer
Link:
https://tria.ge/reports/230613-l57ptagb9x/
Behaviour
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Laplas Clipper
RedLine
Malware Config
C2 Extraction:
95.216.249.153:81
http://45.159.189.105
Unpacked files
SH256 hash:
d3328508bdb70df86bb6557c03ad3b1ab46eab7cc3d918e27d36120ce1a16868
MD5 hash:
7f56baf8ab69d57f016de1c238db7c42
SHA1 hash:
a2c9ff3c80c824b27c48ed7246d9b1ff7e7b2e48
Link:
https://www.unpac.me/results/145628cd-41b8-4bbf-b9ea-bd41787439bd/
SH256 hash:
4cfcb5252b9dc0cd6a8e6fdcfce4b71b4fc7a22dbe2592c1a1830c382746096b
MD5 hash:
5cc6eba5212c6ee96dbcc75c68efcc0e
SHA1 hash:
2bbefc88d1a04e3a3a03e4dc9d63f70d686fb245
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/145628cd-41b8-4bbf-b9ea-bd41787439bd/
Parent samples :
dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049
02c640ef3ac9d7fa8c919b0f72bb85413ef3e9803d2d091277b9a7c41f52e9d9
8794abaf3a4964f9ffbcc0f75bd96af30b4b6b4e307c048eb497ae2dc4458c27
a63139a21058e0e9e39b22c8b293f409d4382a66b6824c2ab89c1172daf16e3e
SH256 hash:
dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049
MD5 hash:
05d2607674b12556392ad7d31c498bb2
SHA1 hash:
6a30c01505a666f109502e563df48287fc68af7b
Link:
https://www.unpac.me/results/145628cd-41b8-4bbf-b9ea-bd41787439bd/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc4df62efb7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/398194/

Comments