MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f0b201db1a7926cf768cbec1633e57a2a3cb86487e074324a5f3946ae30d93b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	0f0b201db1a7926cf768cbec1633e57a2a3cb86487e074324a5f3946ae30d93b
SHA3-384 hash:	186bf8f1b5a2d07da562bc5897a2b55e1bb435a2c3f234c62a85c0f45792aeb1dfaaadf7ce7c8a98a118dcadcdb94748
SHA1 hash:	614fdc34397b5440b9288873de6878ae5c00cfe4
MD5 hash:	91c688f92059dee71946e4c3dc62a2a6
humanhash:	speaker-alanine-venus-black
File name:	SecuriteInfo.com.W32.AIDetect.malware2.24164.30872
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	681'984 bytes
First seen:	2021-08-14 03:39:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc12335fcaf380223f708d3b30304b0a (7 x RaccoonStealer, 4 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	12288:rHjdGwv6iPOITRyQRmijOt/00QrTtnayBEH6Gd0PqI6xb50zJBDUN:rMwv6riIc3BS5bUJBIN
Threatray	608 similar samples on MalwareBazaar
TLSH	T140E4E130B690C835F9B711F489AA937C642D7D616F7050CF62D12AFE0A346E8AD32797
dhash icon	d824e790c4e72158 (30 x RaccoonStealer, 18 x RedLineStealer, 16 x Smoke Loader)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetect.malware2.24164.30872

Verdict:

Malicious activity

Analysis date:

2021-08-14 03:42:43 UTC

Tags:

evasion loader trojan rat redline stealer

Link:

https://app.any.run/tasks/02dd900b-17ae-4957-b2d1-e854de15ef10

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/179126/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.24164.30872.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Connecting to a non-recommended domain

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0fc788d1-eeee-406e-ad2d-2a4f72747eb9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/832744

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0f0b201db1a7926cf768cbec1633e57a2a3cb86487e074324a5f3946ae30d93b/

Threat name:

Win32.Infostealer.Tepfer

Status:

Malicious

First seen:

2021-08-14 00:39:29 UTC

AV detection:

15 of 46 (32.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b4fsahnru6jgz53izpwbmm7fpivdzodeq7qhimskl44unlrq3e5q._file

Verdict:

malicious

RedLineStealer

4871df59eb4440514615fa7ef4a9f1bdfeb7e47a0d622ff354d89363cc3622d6

RedLineStealer

5a7ee4cb1dccb84bc40cd076d86a4b97e67776cd7b7ff6c2ed8816bd4046a4e5

RedLineStealer

9cefdffb73daf4a060fd9b44803eec6795db46ed96d49e1c6cb34e4224979321

RedLineStealer

b00dc3b0fb77b5893417308a832cfaabd7440230a1800807444af33f0475b005

RedLineStealer

b437017fcf0a4f6444183cbe1533b1f0901b83b501ac190adc787de4cc7f11a6

RedLineStealer

c8c9ac9588a132bbff1ed31922a18b697d63581667232cfa71a551559ceb3324

RedLineStealer

e9e058a97ae8281cf6435c759d712e14f91640aff79cc8a39dc605c46c042c60

RedLineStealer

f83ff096f4980980eae6c666d70d49763f35e17980a231e7ceaea40f9615f5e1

RedLineStealer

+ 598 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 14.08 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210814-g1rltzskzn/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

50f735f32ff43d161de89ce9503047c3f54d7c3c798cc744a7af0f36dda5bcf5

MD5 hash:

80d910223dc9b23d15a268f835cdd7cf

SHA1 hash:

6c8fcc8b57c35ff1b3665bcc840a1fe557c6d36c

Link:

https://www.unpac.me/results/f09adae8-46cc-40e4-a648-9cf486c4dc90/

SH256 hash:

0f0b201db1a7926cf768cbec1633e57a2a3cb86487e074324a5f3946ae30d93b

MD5 hash:

91c688f92059dee71946e4c3dc62a2a6

SHA1 hash:

614fdc34397b5440b9288873de6878ae5c00cfe4

Link:

https://www.unpac.me/results/f09adae8-46cc-40e4-a648-9cf486c4dc90/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0f0b201db1a7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0f0b201db1a7926cf768cbec1633e57a2a3cb86487e074324a5f3946ae30d93b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer