MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02036f54f589826e760d2301c89c1c8629f35fba717dc8b883b18dbfab3877c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	02036f54f589826e760d2301c89c1c8629f35fba717dc8b883b18dbfab3877c9
SHA3-384 hash:	c78dcc01611f1eefde36768cd86d519991d86fdc4f7698947cd31c691193345244fa9109270833347094e9b3a12065aa
SHA1 hash:	02e0bd2155d440529b68a769f935afe2a900d093
MD5 hash:	e31005117e39d83acd1e3cf7344ff26c
humanhash:	oxygen-nebraska-fifteen-crazy
File name:	e31005117e39d83acd1e3cf7344ff26c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	724'992 bytes
First seen:	2021-10-11 08:07:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61b48ca689a3ea2404ab8a6768ce938b (6 x RedLineStealer, 3 x Smoke Loader, 1 x DanaBot)
ssdeep	12288:VIIIMkgxVtTqJ3fXseRz94PvtOb5PlI/bK0cWjy/Ym16mSkNf0a0DCMYa4Rgl5:JVtTqJJgntO1Ib/rU4mFCa9M75
Threatray	775 similar samples on MalwareBazaar
TLSH	T1C5F4E010A6A0FC31F5F326F84AFA5278A52E7EA1AB6440CF22D416DD5A746E0FC31317
File icon (PE):
dhash icon	9824e790c4e7215c (12 x RedLineStealer, 4 x Stop, 2 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e31005117e39d83acd1e3cf7344ff26c.exe

Verdict:

Malicious activity

Analysis date:

2021-10-11 08:12:37 UTC

Tags:

evasion opendir loader trojan rat redline

Link:

https://app.any.run/tasks/4e74c712-0ad0-42d7-91a7-981c50173e93

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/196511/

Detection(s):

SecuriteInfo.com.Ransom.Stop.Z5.21129.14776.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file in the Windows subdirectories

Deleting a recently created file

Creating a process from a recently created file

Launching a service

Using the Windows Management Instrumentation requests

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6163f0e81c2d58ba74016760/reports/576983f8-5485-4939-8445-1a8f8f0d772f/overview

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/868118

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/02036f54f589826e760d2301c89c1c8629f35fba717dc8b883b18dbfab3877c9/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-10-11 08:08:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aibw6vhvrgbg45qnema4rha4qyu7gx52of64roedwgg37kzyo7eq._file

Verdict:

malicious

RedLineStealer

157de0cb9d98f5da07fdda4961323b8678bd1c82cf6cd6461558ab6994d1a59c

RedLineStealer

16075a1ae3ca487866a8c061682a953fa87c6ccb28dd32524bdb8cfdc6bf6559

RedLineStealer

3e503d31e990d9452c5f5ee146e7f83f46df6b034563f8a6d10959de7b43ae78

RedLineStealer

578cce001b43605e2afee0c3eae2ec5c7a7a9447b5ab12db9e102b39b3bc4488

RedLineStealer

6156888192510a62cc139a1095349e42ad34adc2f62c69c5dd9642ad51ecfcd9

RedLineStealer

62b9a227f035544237037d32dda4613226215ae67d18f344f5d1f7533ef726f4

RedLineStealer

6ed5c2256aac5654f708b39f82f40f29ebab155e0e7fd237db5d70903a240981

RedLineStealer

8fc76e4b14fc2f43e710a43ad79e168513b97a4dccee37af410405f9836faca8

RedLineStealer

bbc01794724376466ead908e7ffb86897788fa18361327418e8e4c98ed510164

RedLineStealer

+ 765 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix11.10 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/211011-j1ky5sgfdp/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

185.215.113.15:57055

Unpacked files

SH256 hash:

fa8954a9f9fe500ca14d4a2513f5bfb85747a37f12f79dbadacd816edd38f0b4

MD5 hash:

51a2828187c40e2136382840a4f4a065

SHA1 hash:

dd88a0c54239446abc3ec9140a27c48029ad362d

Link:

https://www.unpac.me/results/e9fc9ac0-cbbf-4631-8c95-e8192dc07019/

SH256 hash:

02036f54f589826e760d2301c89c1c8629f35fba717dc8b883b18dbfab3877c9

MD5 hash:

e31005117e39d83acd1e3cf7344ff26c

SHA1 hash:

02e0bd2155d440529b68a769f935afe2a900d093

Link:

https://www.unpac.me/results/e9fc9ac0-cbbf-4631-8c95-e8192dc07019/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/02036f54f589/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/02036f54f589826e760d2301c89c1c8629f35fba717dc8b883b18dbfab3877c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer