MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 007327b2306a64c18afc3e55ab67b40d72475409b23afd7addc296ca30a02ad1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

SHA256 hash: 007327b2306a64c18afc3e55ab67b40d72475409b23afd7addc296ca30a02ad1
SHA3-384 hash: 58240908393ee644e8336a16c55bc23cd14c190748825fbf62f0ce72b7a0f0dcdc44eab8c8454241defa4dcb9e6e9594
SHA1 hash: ca0412908a81ffb6a13d8ee995c7b8403d2fd9d4
MD5 hash: 8fda93aeca08ee27488514cc3eb85c8d
humanhash: bluebird-item-island-cola
File name: 8fda93aeca08ee27488514cc3eb85c8d.exe
Signature: RedLineStealer
File size: 20'480 bytes
First seen: 2021-11-01 10:16:37 UTC
Last seen: 2021-11-01 11:55:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8d9a890ba06b9d48c09122c53429a485 (1 x RedLineStealer)
ssdeep: 48:6H7yMI6/S/3QBsb3zP4+2HBSEV9EUJIs/7FY9/n3rs5zRJhFzDTtMw3wJvK2:2wTDGHBSEVF7F8/bRS2
TLSH: T13C920F26FAC4A571F1884B765DB3CBA51426BC305E018E17BA487FBF1C782805DE1B6B
dhash icon: 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.70.186.150:33967

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 185.70.186.150:33967
ThreatFox reference: https://threatfox.abuse.ch/ioc/241094/

Intelligence


File Origin
# of uploads: 2
# of downloads: 115
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Your+File+Is+Ready+To+Download (20).zip
Verdict: Malicious activity
Analysis date: 2021-11-01 10:00:12 UTC
Tags: loader evasion trojan opendir rat redline stealer vidar formbook

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Connection attempt
Sending an HTTP GET request
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signature
Creates an undocumented autostart registry key
Found C&C like URL pattern
May check the online IP address of the machine
Potential malicious icon found
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph ID: 512742
Sample: Unvth9jEVg.exe
Start date: 01/11/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Potential malicious icon found; Yara detected Powershell download and execute; 6 other signatures

Process tree (reconstructed from the behavior graph):
- Unvth9jEVg.exe (started)
  - mshta.exe
    - network: 185.70.184.39 (ports 49744, 49747, 49748), HOSTKEY-ASNL, Netherlands
    - powershell.exe
      - signatures: Creates an undocumented autostart registry key; May check the online IP address of the machine
      - powershell.exe
        - network: 185.70.186.150 (ports 49801, 49870, 49877), HOSTKEY-ASNL, Netherlands
        - network: ipinfo.io 34.117.59.81 (ports 49798, 80), GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States
        - dropped: C:\Users\user\AppData\Roaming\RED.vbs (ASCII)
        - cmd.exe
          - wscript.exe
            - signature: Wscript starts Powershell (via cmd or directly)
            - powershell.exe
              - conhost.exe
          - conhost.exe
        - cmd.exe
          - wscript.exe
            - powershell.exe
              - conhost.exe
          - conhost.exe
      - conhost.exe
Threat name: Win32.Trojan.SpyEye
Status: Malicious
First seen: 2021-11-01 09:58:50 UTC
AV detection: 10 of 28 (35.71%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: redline
Score: 10/10
Tags: family:raccoon family:redline botnet:5908cc22e96771eb97c6c7d015057b18f92a9bcd infostealer spyware stealer suricata
Behaviour
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Blocklisted process makes network request
Raccoon
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Unpacked files
SHA256 hash: 007327b2306a64c18afc3e55ab67b40d72475409b23afd7addc296ca30a02ad1
MD5 hash: 8fda93aeca08ee27488514cc3eb85c8d
SHA1 hash: ca0412908a81ffb6a13d8ee995c7b8403d2fd9d4
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RedLineStealer: Executable exe 007327b2306a64c18afc3e55ab67b40d72475409b23afd7addc296ca30a02ad1 (this sample)

Delivery method: Distributed via web download

Comments