MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11ad18a9ef0f2fbf0489f2251089be22c2ef32a1cfc044cbd3afac90abc851cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	11ad18a9ef0f2fbf0489f2251089be22c2ef32a1cfc044cbd3afac90abc851cb
SHA3-384 hash:	d82c37cec064f84a193cfc9c520cc3f520f39a5c2fd5bb9ff9ee5cbd0611ae1f4e88f79c6189a1d3dbd13adc1902c1dd
SHA1 hash:	1a608b82b26e1f64ff0b36e10a1e6dd343a05cb5
MD5 hash:	cbc21776218d192edf555ff5820fefcd
humanhash:	louisiana-hotel-emma-river
File name:	cbc21776218d192edf555ff5820fefcd.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	708'096 bytes
First seen:	2021-07-31 08:03:48 UTC
Last seen:	2021-07-31 08:53:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c2079ffa39581e8679e84dfd475d100b (2 x RedLineStealer, 1 x RaccoonStealer, 1 x DanaBot)
ssdeep	12288:BkkLxd7ZL6cxX/s9qKCPnnmNxis7gWxmBTderEgZHcGOhDqc3QPN99jpT4MgJuIL:BkWVtWCPOiMHMBTsPuMV+/LL
Threatray	553 similar samples on MalwareBazaar
TLSH	T16EE4F130BB80C035F4B715F445BA83BCB92D7EA0AB2454CB52D52AEE13356E9ED30697
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

584

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cbc21776218d192edf555ff5820fefcd.exe

Verdict:

Malicious activity

Analysis date:

2021-07-31 08:06:21 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/dcb676a6-8d5d-4ea9-b057-e3a080ea0bac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/175429/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader40.52706.7250.20428.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e84d4e88-7abc-42d9-bb66-224b8244e9d6

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/824846

Signature

Antivirus detection for URL or domain

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample or dropped binary is a compiled AutoHotkey binary

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/11ad18a9ef0f2fbf0489f2251089be22c2ef32a1cfc044cbd3afac90abc851cb/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-07-31 08:04:16 UTC

AV detection:

20 of 46 (43.48%)

Threat level:

5/5

Verdict:

unknown

RedLineStealer

3664c5c1f7d46088a9bd24d25aa8fe19f04d302ff289ce9cb6575ef4dad3a207

RedLineStealer

5bddc130613ede4832dd4251843b168282b71c4eedfdb1772fd83bf08979ed32

RedLineStealer

6153c614b6aaaddaf1afafcaf5d1499b4c8ce8706fe9b64599d06bca37b7ec7e

RedLineStealer

7c0bada1ef977f7b158ffa9ba3f761ca3c0b2cd169730b7c7ba0344fa4e32ae9

RedLineStealer

873e0fcc2e0ebe7488c085d7001ce2cd05b8c4dbcb0e9d6f2d9642f73b5314ff

RedLineStealer

af3f767e38f4115339fdd61f3f3b878a1335e2201eb5b88e041cb47b1d0a7f46

RedLineStealer

f1b072a4977439e50f66ceaa57528f53227d95fe762d0cd5250c45ed59e3ee9b

RedLineStealer

fe0257d13e355ae9db561731c4a3ba67dfdae4758527fdc5bcee05567f72d97e

RedLineStealer

+ 543 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210731-dg63wllcb6/

Behaviour

Checks processor information in registry

Enumerates physical storage devices

Legitimate hosting services abused for malware hosting/C2

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Unpacked files

SH256 hash:

b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d

MD5 hash:

9376b7133674bfb3e0350df0ad90eb76

SHA1 hash:

e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250

Link:

https://www.unpac.me/results/4ddc6148-07a3-41ab-b027-063108fbd276/

SH256 hash:

11ad18a9ef0f2fbf0489f2251089be22c2ef32a1cfc044cbd3afac90abc851cb

MD5 hash:

cbc21776218d192edf555ff5820fefcd

SHA1 hash:

1a608b82b26e1f64ff0b36e10a1e6dd343a05cb5

Link:

https://www.unpac.me/results/4ddc6148-07a3-41ab-b027-063108fbd276/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/11ad18a9ef0f2fbf0489f2251089be22c2ef32a1cfc044cbd3afac90abc851cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 11ad18a9ef0f2fbf0489f2251089be22c2ef32a1cfc044cbd3afac90abc851cb

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1481233/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/175429/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample