MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 176e3a00a71c689b8239689432f5420092df00e2f497146fc7a87bb029014a69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	176e3a00a71c689b8239689432f5420092df00e2f497146fc7a87bb029014a69
SHA3-384 hash:	794dc66c537b294ef831bd15a96606d70a71da5030022a52af1ed504db83d8e67489399a3e67057e1d5bdc54d0af27e2
SHA1 hash:	d8568a675e6eb74a2a2a45544c435d2e51fc6f53
MD5 hash:	29873d5f4db7060243199e49d7af8930
humanhash:	asparagus-seven-quiet-pip
File name:	29873d5f4db7060243199e49d7af8930.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	681'984 bytes
First seen:	2021-08-14 06:54:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc12335fcaf380223f708d3b30304b0a (7 x RaccoonStealer, 4 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	12288:rj33CiYKZKaJwRfyF3UQQovVmA9PHklHNC/O0o1OrDW5rot8kXjVGRuD:rWiYKWB09PwHp0o1OrD08t8GcRS
Threatray	609 similar samples on MalwareBazaar
TLSH	T110E4F130F690C435F5F212F49969B3BC652D7EA15B6090CB52E52AFE9B346E4AC30387
dhash icon	d824e790c4e72158 (30 x RaccoonStealer, 18 x RedLineStealer, 16 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

29873d5f4db7060243199e49d7af8930.exe

Verdict:

Malicious activity

Analysis date:

2021-08-14 07:02:58 UTC

Tags:

evasion loader trojan rat redline stealer

Link:

https://app.any.run/tasks/6912cb24-1db2-4d68-9ca4-6bd5d41eb585

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/179169/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader41.11497.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Query of malicious DNS domain

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP GET request to an infection source

Sending an HTTP POST request to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1ec8fd51-7500-409d-a160-342b303879ba

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/832817

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/176e3a00a71c689b8239689432f5420092df00e2f497146fc7a87bb029014a69/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-14 00:44:49 UTC

AV detection:

16 of 46 (34.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c5xduafhdrujxarznckdf5kcacjn6ahc6slri36hvb53akibjjuq._file

Verdict:

malicious

RedLineStealer

1a4296e844853895adc99e6b04afb221d9df29883de6f804588e838e5a69063c

RedLineStealer

8aaf65b0f9e9b3a932132671c338a1198d5b1104dd8f7499a1afec5309bae904

RedLineStealer

9cefdffb73daf4a060fd9b44803eec6795db46ed96d49e1c6cb34e4224979321

RedLineStealer

ab8c569869fe2fbb65e917a16d9294281bb0d092856a3f114ff1ee4750f599e1

RedLineStealer

b00dc3b0fb77b5893417308a832cfaabd7440230a1800807444af33f0475b005

RedLineStealer

b437017fcf0a4f6444183cbe1533b1f0901b83b501ac190adc787de4cc7f11a6

RedLineStealer

c8c9ac9588a132bbff1ed31922a18b697d63581667232cfa71a551559ceb3324

RedLineStealer

df15d40ac6ba9f2b529e924a36fd7d55c855935dfc28a210e39ca688bac0131b

RedLineStealer

f83ff096f4980980eae6c666d70d49763f35e17980a231e7ceaea40f9615f5e1

RedLineStealer

+ 599 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 14.08 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210814-26fj2yhmae/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

50f735f32ff43d161de89ce9503047c3f54d7c3c798cc744a7af0f36dda5bcf5

MD5 hash:

80d910223dc9b23d15a268f835cdd7cf

SHA1 hash:

6c8fcc8b57c35ff1b3665bcc840a1fe557c6d36c

Link:

https://www.unpac.me/results/1ceb4ab1-78f5-4c30-821a-56a6e26bebe9/

SH256 hash:

176e3a00a71c689b8239689432f5420092df00e2f497146fc7a87bb029014a69

MD5 hash:

29873d5f4db7060243199e49d7af8930

SHA1 hash:

d8568a675e6eb74a2a2a45544c435d2e51fc6f53

Link:

https://www.unpac.me/results/1ceb4ab1-78f5-4c30-821a-56a6e26bebe9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/176e3a00a71c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/176e3a00a71c689b8239689432f5420092df00e2f497146fc7a87bb029014a69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.