MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 def4337ca193c1f12040948f1d5df46215d163c6d4a04080e3b29b30d0c2f05d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: def4337ca193c1f12040948f1d5df46215d163c6d4a04080e3b29b30d0c2f05d
SHA3-384 hash: b61817da7e7f20f470a7b1c10154057e4c08e65af6b6c53c31f7e4fb70d6271f5e9610d39971b4ec672a04e59700d948
SHA1 hash: 802e0d27c59bdec0fb18cb4beb1628db01e059d8
MD5 hash: 493095dd7d6f9571de627e339d22edee
humanhash: island-pasta-stream-finch
File name:Invoice080622.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:680'448 bytes
First seen:2022-06-08 07:20:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:INl/hI72iNJ9qhzVC6l/29B9oL1jqLb5pCh5ckd2xgWQ9q:whI71zkXcBC1mfY2xvQ9q
Threatray 1'245 similar samples on MalwareBazaar
TLSH T18EE4E080636AAD76F23C5377647091042339361EA5FCCA2A57AD70CE24E27835AF2F57
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.133.1.3:32790

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.133.1.3:32790 https://threatfox.abuse.ch/ioc/664284/

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Invoice080622.exe
Verdict:
Malicious activity
Analysis date:
2022-06-08 07:28:08 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/d7327fde-776c-4239-b1bc-0f77e241e9b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277631/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.1364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62a04de38e867832d9e60948/reports/b4d046be-0923-4357-b14f-e29c77bd8b5d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bf237ad-1172-45a1-927a-dc43f5be1533
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1008769
Signature
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/def4337ca193c1f12040948f1d5df46215d163c6d4a04080e3b29b30d0c2f05d/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 03:23:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=332dg7fbspa7cicasshr2xpumik5cy6g2sqebahdwkntbugc6boq._file
Verdict:
malicious
Similar samples:
06bf758c09b920259a4408855cdcac6a5d09d30370a32ec500cc90b1bf057e17
RedLineStealer
0f6cb98819c06ce96011dfe482b4f5ebd91351d476bee0d58ab9ba85165b0710
RedLineStealer
16b1cff94d925182e95124fa432b55cc290fc81d9480493b3ff09e139eb0da6c
RedLineStealer
3e1ed40043db2a405086385b7217fba4dc74341a62045b39bc7a50ac62288da8
RedLineStealer
61243f6ee29e430e41dd9a380199a647daae46856a20f7c3ec7d80761b054060
RedLineStealer
811690717824917911f152507cf4232df4aec5f198a57a638a3a9e0a738e84b8
RedLineStealer
923527e188f407ba2bba6d1570506c474519970bc29fbee47d16d01636e7a338
RedLineStealer
b4898d7fdf1a32cf0f09c60cc874e704e3d9e4bac9bd6407d13cc5ecc7fe56f7
RedLineStealer
b704daa4a8ddc8d03b453d35507dc2c77a42cd96b5ee0fce810a51dc00fdee6c
RedLineStealer
b7bf1de793e0d6dfa04d392dc0d9f3c51a45aee617e7ec27c95d5c2d6ac054d5
RedLineStealer
cb65b3fc65a1a1c68f0d8bbf3d46f3fe49063f0065ef5cbed58029136169c01a
RedLineStealer
d17ea6f751d401fc47fbe5ec01bada28c9dc1294054dd07341b690d232200aee
RedLineStealer
e5141add8f1032a8e9bd792163b4e39187d2909007fa715b611d23264dddd1a7
RedLineStealer
e88dcfdcdd55c9c3d34192b4670110e6277aee2eb99310a1cd4f5059709466bc
RedLineStealer
+ 1'235 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:chief discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220608-h6m51shdc3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.133.1.3:32790
Unpacked files
SH256 hash:
4c45fe9efd4a6fb32ca4deafc27c03700f5f4ddae6fe904be76897e559e399b0
MD5 hash:
600e6154541add201cdcb15ad00388e9
SHA1 hash:
f9be6755336b58fa6addf3b0a5f2fdbf1e10efba
Link:
https://www.unpac.me/results/bc6e4149-0db5-4d30-ab7c-fc4f05ee7ea8/
SH256 hash:
cce04d183e35d1142f8627cc3b84d0006f5b9d2e8fac540d8aa30bc383f2ae63
MD5 hash:
1878953b6b655ade513eea8df3b5fc51
SHA1 hash:
d74d34c85b91cbfa9a146b1ee121d15cf2c22c46
Link:
https://www.unpac.me/results/bc6e4149-0db5-4d30-ab7c-fc4f05ee7ea8/
SH256 hash:
319733cca1bc8f4ae7b7aa0565fe8bc6689d51dafa5bb896b32249effd332041
MD5 hash:
36a2f6732987116b9c7292d7871b8b74
SHA1 hash:
49e68a5f30751ee9f8d5eed8f4f46e317ff54fc4
Link:
https://www.unpac.me/results/bc6e4149-0db5-4d30-ab7c-fc4f05ee7ea8/
SH256 hash:
a95882b9caafe2f4322b82ffcedd05c525edeba1d83b694f6ed42dd7be37094f
MD5 hash:
f5fcdedbaf996952421f0e2083f39cd4
SHA1 hash:
058bcc2e1eba1dc5a02496f0822c5403634516e7
Link:
https://www.unpac.me/results/bc6e4149-0db5-4d30-ab7c-fc4f05ee7ea8/
SH256 hash:
def4337ca193c1f12040948f1d5df46215d163c6d4a04080e3b29b30d0c2f05d
MD5 hash:
493095dd7d6f9571de627e339d22edee
SHA1 hash:
802e0d27c59bdec0fb18cb4beb1628db01e059d8
Link:
https://www.unpac.me/results/bc6e4149-0db5-4d30-ab7c-fc4f05ee7ea8/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/def4337ca193/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/def4337ca193c1f12040948f1d5df46215d163c6d4a04080e3b29b30d0c2f05d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277631/

Comments