MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d26ea04ba2af21fab0fbef4ebe8331db037f0d540bc569b5591c2f613a502f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments 1

SHA256 hash:	0d26ea04ba2af21fab0fbef4ebe8331db037f0d540bc569b5591c2f613a502f4
SHA3-384 hash:	6037bbed26f6f79ca63c194c4b9725b499097258764f6fd08a7ebc8fe8cb2dc394aaef38edf26fcdb65ebdb84cb75801
SHA1 hash:	f5a7e31fb788f45741539604bf3848850a18f7fd
MD5 hash:	514d7999fe66e570441ddfe29816318b
humanhash:	red-seventeen-moon-pizza
File name:	514d7999fe66e570441ddfe29816318b
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	602'624 bytes
First seen:	2021-10-07 23:58:23 UTC
Last seen:	2021-10-08 01:59:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	be06676f0b26f3557b735abbe8be48ec (7 x RedLineStealer, 1 x RaccoonStealer, 1 x DanaBot)
ssdeep	12288:Z1tcJvaci06JbV+g8+7rR+haFpXYhIX3hZb3TOW:Z1tffPqCOqhZb5
Threatray	759 similar samples on MalwareBazaar
TLSH	T181D4011136DA8438F67E6EB44A71CAA146777C21893094CB27F15BBD1F264F0AF25B23
File icon (PE):
dhash icon	a1bcdcac9c8cb484 (8 x RaccoonStealer, 5 x RedLineStealer, 4 x Stop)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

228

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

514d7999fe66e570441ddfe29816318b

Verdict:

Malicious activity

Analysis date:

2021-10-08 00:00:07 UTC

Tags:

evasion opendir loader trojan rat redline

Link:

https://app.any.run/tasks/d101808b-537b-4644-88bf-3eaf64eeaa4b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/195979/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.9097.8531.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file in the Windows subdirectories

Deleting a recently created file

Creating a process from a recently created file

Launching a service

Using the Windows Management Instrumentation requests

Connection attempt to an infection source

Sending a TCP request to an infection source

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3e916477-fd06-4403-9c63-0d83e09658ea

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/866735

Signature

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/0d26ea04ba2af21fab0fbef4ebe8331db037f0d540bc569b5591c2f613a502f4/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-10-07 23:59:12 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=butoubf2flzb7kypx32ox2btdwydp4gvic6fng2vshbpme5fal2a._file

Verdict:

malicious

RedLineStealer

5ef5f8a5b159ff8bb0e899dc25f57293c7bca8f5ac5d644c49a6c92be1b21405

RedLineStealer

63c9bab720391433d6195ee41da8a049281f5c8e2ea20d074961bf31b93986a0

RedLineStealer

64eb44d654d183e8f4736bd96c1b487e0f7b39243fe1016fe5d108b6c3f98bad

RedLineStealer

b666325729d0aa8e49292441558e945d0075439d6e6a544181fe708864835383

RedLineStealer

bab3076b60729cc5d29552f08178e6e384b9af86da78037cb2492b33218a7294

RedLineStealer

d1be37152c2045f831a7c907c2a35fc604158ee7ecb871bbdac1e0300b3bfcaf

RedLineStealer

ec51c1a42099d2ebcb00e68608346ac14013c57f5a87713f6ab41b17c305b537

RedLineStealer

+ 749 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix08.10 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/211007-31p3msdbgl/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

185.215.113.15:57055

Unpacked files

SH256 hash:

6406e5b071565f6db56fb41f7690b555eb4fcc4b4aca123dfe96dac4cbba2bbc

MD5 hash:

663d8acb0ae6b6e5b2f4e276bcfe393a

SHA1 hash:

384c0d7d7ec122683f751182c58c50894c28e2c8

Link:

https://www.unpac.me/results/7d803648-4d81-4065-a0e0-4cc84e6cdccf/

SH256 hash:

0d26ea04ba2af21fab0fbef4ebe8331db037f0d540bc569b5591c2f613a502f4

MD5 hash:

514d7999fe66e570441ddfe29816318b

SHA1 hash:

f5a7e31fb788f45741539604bf3848850a18f7fd

Link:

https://www.unpac.me/results/7d803648-4d81-4065-a0e0-4cc84e6cdccf/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0d26ea04ba2a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0d26ea04ba2af21fab0fbef4ebe8331db037f0d540bc569b5591c2f613a502f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer