MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01d1156922abdd8f08ab3303db31bcf58bf2bfbaf73ebc7e527a20336d2dfa0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01d1156922abdd8f08ab3303db31bcf58bf2bfbaf73ebc7e527a20336d2dfa0b
SHA3-384 hash: 6c394e0ac46fb0374921743ac04b0bfb5ed66eb1b16713bce01fa9465a02b080fbb322b9a51344098ddf1b4916e8412d
SHA1 hash: 91b9dc23d8ea5f8cd64d0877e8dc3c3c17e1b55c
MD5 hash: e1cbf7419f3324c49c2776af5621f442
humanhash: lemon-december-lemon-mike
File name:E1CBF7419F3324C49C2776AF5621F442.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'116'160 bytes
First seen:2021-07-30 23:46:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:bVAHnh+eWsN3skA4RV1Hom2KXMmHa/5/5nOpddVaD5:Yh+ZkldoPK8YaB/sA
Threatray 77 similar samples on MalwareBazaar
TLSH T17635BE02B391D076FFAB91739B5AF60256BD7D294123852F12D82D75BDB00B2233E663
dhash icon a331516ae73619c3 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
146.185.239.11:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
146.185.239.11:80 https://threatfox.abuse.ch/ioc/164979/

Intelligence

File Origin
# of uploads :
1
# of downloads :
583
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E1CBF7419F3324C49C2776AF5621F442.exe
Verdict:
Malicious activity
Analysis date:
2021-07-30 23:47:15 UTC
Tags:
evasion loader trojan rat redline stealer
Link:
https://app.any.run/tasks/13c2b369-81d9-4221-8a8e-d7502cbfee7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175392/
Detection(s):
Win.Malware.Sodinokibi-9863207-0
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66ba1e44-fa40-479b-82a5-3531ccd1c33f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824807
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found many strings related to Crypto-Wallets (likely being stolen)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457215 Sample: FX1URl5dms.exe Startdate: 31/07/2021 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Antivirus detection for URL or domain 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 6 other signatures 2->51 7 FX1URl5dms.exe 22 2->7         started        process3 dnsIp4 33 youwebmaster.com 45.139.184.124, 49724, 49727, 49728 HostingvpsvilleruRU Russian Federation 7->33 35 iplogger.com 88.99.66.31, 443, 49725, 49726 HETZNER-ASDE Germany 7->35 37 2 other IPs or domains 7->37 23 C:\Users\user\AppData\Local\...\271083797.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\...\2094696772.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\...\zzz[1].exe, PE32 7->27 dropped 29 C:\Users\user\...\DunesMultiMedia[1].exe, PE32 7->29 dropped 53 May check the online IP address of the machine 7->53 55 Binary is likely a compiled AutoIt script file 7->55 12 2094696772.exe 15 26 7->12         started        17 271083797.exe 14 3 7->17         started        file5 signatures6 process7 dnsIp8 39 cookiebrokrash.info 12->39 41 api.ip.sb 12->41 31 C:\Users\user\AppData\...\2094696772.exe.log, ASCII 12->31 dropped 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->57 59 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->59 61 Tries to harvest and steal browser information (history, passwords, etc) 12->61 65 2 other signatures 12->65 19 conhost.exe 12->19         started        43 larieresta.xyz 146.185.239.11, 49749, 80 PINDC-ASRU Russian Federation 17->43 63 Performs DNS queries to domains with low reputation 17->63 21 conhost.exe 17->21         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01d1156922abdd8f08ab3303db31bcf58bf2bfbaf73ebc7e527a20336d2dfa0b/
Threat name:
Win32.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-04-09 18:49:21 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahirk2jcvpoy6cflgmb5wmn46wf7fp52647ly7sspiqdg3jn7ifq._file
Verdict:
suspicious
Similar samples:
29e852d6a556df006e46464f0b601724a91d72909ac519d0d013c3bd9a6c6bc1
RedLineStealer
36e5646b2622d4c47947fa54a8f35c1c9d91db60ce3116e352f9f93b8a9f3ada
RedLineStealer
4cde71fb4e89497e06afb7d96f4c148091dfc4be92406d6bcbba1a4d0a6b2993
RedLineStealer
908959fae28ad03836fb12b94a9a2f80981ec15f6481c230b9108f097edeb176
RedLineStealer
94dd05296d8d74177b29554f601fb651b0f9e3a9816a31eb9a688b407462f945
RedLineStealer
98eade342865b6c1f27721b690496e36a5d4558648cb0db626e18375b2ea78cb
RedLineStealer
9a81b984ce34890356c5e3f6c8813012e3f260665692c69d638771b5c826884a
RedLineStealer
9d662bd420f18cbf003a812c807113db5c48e6504480afff870e320b4ff7b95f
RedLineStealer
e8a770fcbfbdf7ee350c3df44ea62a2c4e36ca523f9f14b0b770395dabea7fc4
RedLineStealer
ea342f618a8caa17bae45cd0a55cd404451dd0e589886ae00eb5fc9ff59e79cc
RedLineStealer
+ 67 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/210730-5mbzv2p19j/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
01d1156922abdd8f08ab3303db31bcf58bf2bfbaf73ebc7e527a20336d2dfa0b
MD5 hash:
e1cbf7419f3324c49c2776af5621f442
SHA1 hash:
91b9dc23d8ea5f8cd64d0877e8dc3c3c17e1b55c
Link:
https://www.unpac.me/results/a86b52b6-968b-48df-9f0e-ea017901a999/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01d1156922abdd8f08ab3303db31bcf58bf2bfbaf73ebc7e527a20336d2dfa0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175392/

Comments