MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17192462ac197a78af64bde024b07e50c60cc9ce49dc8840e78816d2d6625ec3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	17192462ac197a78af64bde024b07e50c60cc9ce49dc8840e78816d2d6625ec3
SHA3-384 hash:	a9c935cfacb1364b38ccfaeec0c6606ce60884c20b3de9d565d913088a7d971696174829b94be02f3a0459eeb6c7f471
SHA1 hash:	a993d6a6f27a0f44ddad9007162c89ac43a84d30
MD5 hash:	fea9f90702018c989160d4da46d5c045
humanhash:	zulu-connecticut-mockingbird-mango
File name:	fea9f90702018c989160d4da46d5c045.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	593'920 bytes
First seen:	2021-07-04 11:20:50 UTC
Last seen:	2021-07-04 11:50:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0e505561e4a7cf571623e5bc39a38b30 (1 x RedLineStealer, 1 x CryptBot)
ssdeep	6144:Kos5+XW1k1P8E8GGYF8bveHcoxYNGVR71l3wMqVS8W36xNoUwRgzg6tMhY+aqzMq:KzMXW6P0fZoaYVR7kPznugzlkBMtYvt
TLSH	5DC412253710C133CA4569791D31C362B7297872AE7AD84B7B59073D2FA23C0EE76369
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fea9f90702018c989160d4da46d5c045.exe

Verdict:

Malicious activity

Analysis date:

2021-07-04 11:24:09 UTC

Tags:

evasion trojan loader

Link:

https://app.any.run/tasks/6b798877-9403-446a-91f7-dff1e627423b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/169613/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.11960.21885.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e36d3625-32b3-4e13-b376-67fc8355ab04

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/811585

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Contains functionality to register a low level keyboard hook

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample or dropped binary is a compiled AutoHotkey binary

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Uses known network protocols on non-standard ports

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17192462ac197a78af64bde024b07e50c60cc9ce49dc8840e78816d2d6625ec3/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2021-07-04 11:21:08 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4msiyvmdf5hrl3exxqcjmd6kddazsoojhoiqqhhralnfvtcl3bq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 04.07 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210704-dlxm868qqx/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

d871e285d3833a7b44679a4a26137275e42333037da8cd891121f5dfc06c0caa

MD5 hash:

8b82a23501981d6a599e4c44acfe6d41

SHA1 hash:

407959a0486a11cbda5d85e1bd307f816d8ae5f4

Link:

https://www.unpac.me/results/53b5966a-19b7-42e8-90a6-4bde34c42b5b/

SH256 hash:

17192462ac197a78af64bde024b07e50c60cc9ce49dc8840e78816d2d6625ec3

MD5 hash:

fea9f90702018c989160d4da46d5c045

SHA1 hash:

a993d6a6f27a0f44ddad9007162c89ac43a84d30

Link:

https://www.unpac.me/results/53b5966a-19b7-42e8-90a6-4bde34c42b5b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17192462ac197a78af64bde024b07e50c60cc9ce49dc8840e78816d2d6625ec3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer