MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df462937835934f9edafab767c440457a7416ccc2791955db97d4714a406d5ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11
SHA256 hash: df462937835934f9edafab767c440457a7416ccc2791955db97d4714a406d5ce
SHA3-384 hash: 37875713caafbcc3a72143cede1360e05dcaf251f68cb36cd31585d30cdf55480b5dabb570ded60b077109b0bf97834f
SHA1 hash: 2709496b7205c9d10c28c5e069879e95db236a5a
MD5 hash: a4a306682bf75b4976c3441f5151db97
humanhash: mockingbird-white-east-cup
File name: a4a306682bf75b4976c3441f5151db97
Signature: RedLineStealer
File size: 359'936 bytes
First seen: 2021-08-01 12:06:43 UTC
Last seen: 2021-08-01 12:33:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c8b9c145ec19b60e1b1e5259a226415a (2 x RedLineStealer, 1 x TeamBot, 1 x Stop)
ssdeep: 6144:4CajGoQi5Vzdze6SYCYgDKviJuraE7qCGEYIM:wDB5VBSYd+K6JoORE
Threatray: 4'150 similar samples on MalwareBazaar
TLSH: T1C574F1113681C472E36109304865CBA02B79FCB19D784607B75867EF6EF33F1AA7AE46
dhash icon: 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 1'015
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a4a306682bf75b4976c3441f5151db97
Verdict: Suspicious activity
Analysis date: 2021-08-01 12:09:15 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a window
Creating a file
Sending a UDP request
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential time zone aware malware
Yara detected RedLine Stealer
Behaviour
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-08-01 10:36:31 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:mix 01.08 infostealer
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.215.113.17:18597
Unpacked files
SHA256 hash: 7da9fa901d5f4f0832ac3e2fe35ff534798f52aa2b9f0618092ed25365209c29
MD5 hash: b9b9b1d8916b368f5a99c181fc7720e3
SHA1 hash: 8bc159a49fee483766e6efcfda1dfbd7b975d51c

SHA256 hash: c065b2313dc467dda180d74e13d0bb8dc4c75988cd2f399a317bd4391cb1ee08
MD5 hash: 1fd0771cda67f05c3ce6fa84cf9e663f
SHA1 hash: 4200a82c5a5368b21c0d9ba3997d2da8c95a1207

SHA256 hash: e94199b77b83b913fa595a1cd98b7173b3b2faabe52eb5797354ef4f7551a76f
MD5 hash: a56d4ba64da99b48bef44a8d5b5dcd18
SHA1 hash: 3b4c5a0e1396946ff34aa233bac1e5256c68aae5

SHA256 hash: df462937835934f9edafab767c440457a7416ccc2791955db97d4714a406d5ce
MD5 hash: a4a306682bf75b4976c3441f5151db97
SHA1 hash: 2709496b7205c9d10c28c5e069879e95db236a5a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe df462937835934f9edafab767c440457a7416ccc2791955db97d4714a406d5ce (this sample)

Comments

zbet commented on 2021-08-01 12:06:44 UTC

url: hxxp://dahgarq.top/jolion/apines.exe