MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b
SHA3-384 hash:	3c29ada878ca0fa230ab9139e9b186f0b92429e418fe0ea6ed6c15366a9e7ae000b7b9f53e4519ad4cbb36ec54e45734
SHA1 hash:	fe3658635c66bb8b0981fe3f73cebf1b229ed661
MD5 hash:	a48de889c19197426214da54922eb7ad
humanhash:	july-uniform-zebra-failed
File name:	a48de889c19197426214da54922eb7ad.exe
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	405'504 bytes
First seen:	2023-07-20 10:22:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	01c4ee1c294ad77d8fcb236b1ae3a868 (2 x RedLineStealer)
ssdeep	6144:FdJL5aCNSwXadmlzRO3YUMmJxqD54zt2ySqOOS:7J1ahld8RUYUzED5It2POS
Threatray	150 similar samples on MalwareBazaar
TLSH	T1AB840AD3C7A23D59E9278B738E2FC6E8764EF2508E4D7B7D12199A2F00B0176D1A7610
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0008180804030200 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
178.32.90.250:29608

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

275

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

a48de889c19197426214da54922eb7ad.exe

Verdict:

Malicious activity

Analysis date:

2023-07-20 10:30:36 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/67f97a5d-e788-4db3-b14f-ddc133749bd6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/425983/

ClamAV Detected

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Alert

Create hunting rule

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64b90b09fd9e198dc1166edd/reports/c9824087-a625-4af3-a772-663d011699cc/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious Packer

Malware family:

Malicious Packer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/12de2e29-6574-4b10-8575-30af7870ea6a

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1276652

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB redline

Detection:

redline

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b/

ReversingLabs TitaniumCloud Win32.Ransomware.Stopcrypt

Threat name:

Win32.Ransomware.Stopcrypt

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-20 10:23:06 UTC

File Type:

PE (Exe)

Extracted files:

72

AV detection:

23 of 25 (92.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6t7nmqik6qfaiqp5bhe7ruvsaojy2rvyvymn25pw5j4kzh3hlivq._file

Threatray malicious

Verdict:

malicious

Similar samples:

0600905449ba9b91c459bb4cb2859d8b33062475fc568930c15931f7fba4e5b2

RedLineStealer

11878766a2a00d5bbc7774f4697c78d29fbd54293ca264eabf208691f85bbd14

RedLineStealer

3585046470ceeba22fea4a341e6a1b8998d43b4a0a53450747ee361c0c56f770

RedLineStealer

3d9868ef3b6c60ebe9ef766672923f57253ac74cd5bc2592e2d62bb984b5f95d

RedLineStealer

64365156896ff3b41790a7b0dd38bf1efb985a4e5e35135883b34ea69a85b508

RedLineStealer

aaf09dfbee099f00c96d0cc72a4d5c9ac8101522eb43159c7a94ebdc221f69d4

RedLineStealer

c17f2f54fc2cefba56ff8d26c44fd63d71a015ee621aead29b7ca9bb7a0cb856

RedLineStealer

cfb31b24488df4fe68b547bc9a28f994e67191749f8c76dc07a6f25f48475287

RedLineStealer

eed4aae9bac8170a1629ffc3176a04f0ea9e58de8cb295a1332952b6afb3cf46

RedLineStealer

f46b5b289501e88dc89c7d8daf37156459bcacebceaff3af7718190384546dbd

RedLineStealer

+ 140 additional samples on MalwareBazaar

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline botnet:logsdiller cloud (bot: @logsdillabot) discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230720-mesnmsfe75/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

178.32.90.250:29608

UnpacMe redline

Unpacked files

SH256 hash:

fd7fcb15664a8d6b15f986edf7b1b89ac04fd0b7e2c75ba51f2d7be2b16bd25e

MD5 hash:

226ebe2b896adda7d7ca7808c7830e79

SHA1 hash:

dbc7a3619f3ae0e77d983718ddf7447ff9aa2e0c

Link:

https://www.unpac.me/results/0bbea8bf-dde6-4895-a37d-70fba0b7e60d/

SH256 hash:

055d23615d232b3b26dce994eb4e011505be13199c97610974f011bba0adc805

MD5 hash:

84fdf79fc25c72aa2a12972d25e8476b

SHA1 hash:

72288d6450b272481eb9a606367f7ee848427f98

Link:

https://www.unpac.me/results/0bbea8bf-dde6-4895-a37d-70fba0b7e60d/

SH256 hash:

6b50f48dd61d0e8af9d39ec9c4326a28cd3298e8b336bfdd5c81cd3db2bb1e54

MD5 hash:

c5634c071c4a20379d58bf9e5f4d9a8c

SHA1 hash:

3c5e48ad01611b0c79b204ec398c9b3d8a30a21e

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/0bbea8bf-dde6-4895-a37d-70fba0b7e60d/

Parent samples :

d3c8faef1fc611343ee8bdd7462c6c9e0b90394da533475f46a518bb2c63329f
7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413
a080fb72f5167c76a0076864e959058168d7fdf22699e51b865adc0688eebac9
69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
7c1f977a3b607dab39ee80ccef392929f038c69d75730e3881011b292c518710
b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b
0ffe096e263b93450e971cb1485fd907b6572638228a1cd9ddd1575a866c6cc9
cdbfb15564317948c800599bf4e4ae31ca937d89a716dc1bf52752e10fa7980a
732c6933975284af9ff5eb21fb1f667a66c0751cd2dc87cb87e352dfa8918ee3
6cbe4e43208d3edd0da509a7bf7bd1a17b8cdd81806eb7107ab26adc633c4ae2

SH256 hash:

6178ca1d58de3919bbb2953d0571abab36e10d95f83624ec6cd174b1d29aade1

MD5 hash:

92466a9033e3c20a4a960a352ddc1781

SHA1 hash:

35716bf3775bd1662e9359d74fbcbcfcc8427709

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/0bbea8bf-dde6-4895-a37d-70fba0b7e60d/

Parent samples :

d3c8faef1fc611343ee8bdd7462c6c9e0b90394da533475f46a518bb2c63329f
7db1063bd97bfec377245750eee13f04b2e28bd906ab67b8df9d78e0b8d7b413
a080fb72f5167c76a0076864e959058168d7fdf22699e51b865adc0688eebac9
69a41b421b0a89e91a5bda32b1d8ab7067cfa1d484134733f5a2b6355ed9025b
7c1f977a3b607dab39ee80ccef392929f038c69d75730e3881011b292c518710
b1ef8e8fc35cc8f9646a29e93322ce23de31a21825ef867ba9bf903a203d5efa
f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b
0ffe096e263b93450e971cb1485fd907b6572638228a1cd9ddd1575a866c6cc9
cdbfb15564317948c800599bf4e4ae31ca937d89a716dc1bf52752e10fa7980a
732c6933975284af9ff5eb21fb1f667a66c0751cd2dc87cb87e352dfa8918ee3
6cbe4e43208d3edd0da509a7bf7bd1a17b8cdd81806eb7107ab26adc633c4ae2

SH256 hash:

f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b

MD5 hash:

a48de889c19197426214da54922eb7ad

SHA1 hash:

fe3658635c66bb8b0981fe3f73cebf1b229ed661

Link:

https://www.unpac.me/results/0bbea8bf-dde6-4895-a37d-70fba0b7e60d/

VMRay RedNet

Malware family:

RedNet

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f4fed6410af4/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe f4fed6410af40a0441fd09c9f8d2b203938d46b8ae18dd75f6ea78ac9f675a2b

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2686296/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/425983/