MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4719a414c92f1ad559315342349548ab9d67117f917dc9a666bf647a00d6827. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 7 File information Comments

SHA256 hash:	f4719a414c92f1ad559315342349548ab9d67117f917dc9a666bf647a00d6827
SHA3-384 hash:	641189835b95fb7ddcca50392e09ac78d54af1fbe309644c2f1e5d3643082492ec494481d92c7f829ef45827cea65fbc
SHA1 hash:	48aa70759a96bac6205319feb9972e45f200ff1c
MD5 hash:	0b7c12b72bd019fcafe801506c075079
humanhash:	tennis-georgia-october-hot
File name:	0b7c12b72bd019fcafe801506c075079.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'568'641 bytes
First seen:	2022-08-01 12:40:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep	24576:Q6RmbyTIg6WvYMY6QvRcL6mMaPdwS2J72Rdp+tx4FygrL3xJhzBl3RuQ55313Y:EyTIzE2Dx4FygrrxDBl3W
Threatray	1'843 similar samples on MalwareBazaar
TLSH	T1BAC52A135A8B0E75DDD27BB4A1CB633BA734ED30CA2A9B7FB608C43559532C46C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.124.22.27:8362

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.124.22.27:8362	https://threatfox.abuse.ch/ioc/840581/

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295576/

Detection(s):

Win.Dropper.Generickdz-9957947-0

Win.Packed.Redline-9958143-0

Win.Packed.Redline-9958313-0

Win.Packed.Redline-9958314-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/27976/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug overlay redline spyeye

Link:

https://www.filescan.io/uploads/62e7ca21bcf76fcb6cd83585/reports/581dac21-c3f7-487a-ae63-c02968f1fd64/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6985733c-d868-40cc-b1fe-858a2350cb0b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1044152

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f4719a414c92f1ad559315342349548ab9d67117f917dc9a666bf647a00d6827/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-07-26 16:37:11 UTC

File Type:

PE (Exe)

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ryzuqkmsly22vmtcu2cgskurk45m4ix7el5zgtgnp3epiannatq._file

Verdict:

malicious

RedLineStealer

2c97e8f759935a583274a2fd225bcd42e1b1ac66bd9ea70754f0b8cc20a728e9

RedLineStealer

30fbed67681818059d7b104cf61989607045a95f320d232304e94851faf16bc5

RedLineStealer

36ac1377c88fb5dd7ffb82c918ee1e07fa75ee2ff50f6ce129e859152bf0dc44

RedLineStealer

7d85c6c8abf4c9f2fa6c4528991979d5cbedefc73ec3ce83c04a4839b50c9555

RedLineStealer

b7abe062002f049e3531be30615eb91363d0db101b0c06b634afcd839471be71

RedLineStealer

d45c176cba326455a8f3547336ccf5e7bad7d345c9f856e8ecc6e2b94dc190a6

RedLineStealer

f29f9ffb56dc42e465f4b30e98fc7649c32779af7a999b3a2e28391cfc28bc0b

RedLineStealer

f9b5057081ca6e37c63a992234668b244551053a63582ee5bcd24e9e06222278

RedLineStealer

+ 1'833 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:2111195692 infostealer spyware

Link:

https://tria.ge/reports/220801-pwrh1sgcf6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.124.22.27:8362

Unpacked files

SH256 hash:

cc9bc80b0b61ed06faf43e8ee8ddcb73a39eb51a3e803b2afeba2d0de890995e

MD5 hash:

0a0be760263840a48da8e0bfe08f40d3

SHA1 hash:

321d69178e166a46d296679bf1c25d1d6c7fc39d

Link:

https://www.unpac.me/results/73843ba2-83c6-4fb3-8198-0b4b469c6755/

SH256 hash:

f4719a414c92f1ad559315342349548ab9d67117f917dc9a666bf647a00d6827

MD5 hash:

0b7c12b72bd019fcafe801506c075079

SHA1 hash:

48aa70759a96bac6205319feb9972e45f200ff1c

Link:

https://www.unpac.me/results/73843ba2-83c6-4fb3-8198-0b4b469c6755/

Malware family:

RedLine

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f4719a414c92/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.28

Link:

https://yomi.yoroi.company/submissions/f4719a414c92f1ad559315342349548ab9d67117f917dc9a666bf647a00d6827

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ArechClient Create hunting rule
Author:	@bartblaze
Description:	Identifies ArechClient, infostealer.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295576/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample