MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aaf1aad9484bc7d2fb24f4f9a7687b8d81af24a25ad12230bb3874985ba4f91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9



SHA256 hash: 1aaf1aad9484bc7d2fb24f4f9a7687b8d81af24a25ad12230bb3874985ba4f91
SHA3-384 hash: 71c9cfa130d499a18c8b608a762a900f9c71d76d27ce2185dc56932cce6be57c6057c343a83848ca4d8ad0ef85cf8b3b
SHA1 hash: b609a4d2dd5297b65da6e22002924304dacbf2fb
MD5 hash: 9b1d51520fe82868b7ee96721fc8120c
humanhash: stairway-foxtrot-seventeen-nebraska
File name: 9b1d51520fe82868b7ee96721fc8120c.exe
Signature: RedLineStealer
File size: 1'055'232 bytes
First seen: 2021-10-07 09:02:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep: 24576:CpyC4C5eooptieYcMFoxJMwDZgNz7zkrdpzpnQj1:NClAtiemWZgaZ3n
TLSH: T1AB25110295445F3FF2BD63758859F6012326AD32C75023F6C6D9B5994FF00D32968EAB
dhash icon: c0b64d96b2964db2 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 147
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9b1d51520fe82868b7ee96721fc8120c.exe
Verdict: No threats detected
Analysis date: 2021-10-07 10:13:51 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Searching for the window
Creating a file in the Windows subdirectories
Deleting a recently created file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature:
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 498711; sample M5SReBv6fN.exe; start date 07/10/2021; architecture WINDOWS; score 84), reconstructed as a process tree from the graph text:

Root (sample submission)
  DNS: clientconfig.passport.net
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; Machine Learning detection for sample
  M5SReBv6fN.exe (started)
    cmd.exe (started)
      Signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to check the status of other devices and networks
      cmd.exe (started)
        Signature: Obfuscated command line found
        Pel.exe.com (started)
          Pel.exe.com (started)
            DNS: wpYnEmGJczI.wpYnEmGJczI
            Dropped: C:\Users\user\AppData\Local\...\RegAsm.exe (PE32)
            Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
            RegAsm.exe (started)
              Network: 195.133.40.201, port 16808 (local port 49802), SPD-NETTR, Russian Federation
              Network: 52vn.ckauni.ru / 81.177.141.85, port 443 (local port 49807), RTCOMM-ASRU, Russian Federation
              conhost.exe (started)
        findstr.exe (started)
          Dropped: C:\Users\user\AppData\Local\...\Pel.exe.com (Targa)
        PING.EXE (started)
      conhost.exe (started)
    dllhost.exe (started)
  rundll32.exe (started)
Threat name: Win32.Backdoor.Generic
Status: Suspicious
First seen: 2021-10-07 04:17:49 UTC
AV detection: 10 of 45 (22.22%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:huesosy discovery infostealer persistence spyware stealer
Behaviour:
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: 195.133.40.201:16808
Unpacked files
SHA256 hash: 6bec97032576177f5018e4cf03847739f1170bdb638e2bd9fa3827d43b493b1a
MD5 hash: 560609c29dd40bd80ce37c708f0e7cad
SHA1 hash: fc7e2fe69135ea7cc8e5f62ffba0c7f4368b6380

SHA256 hash: 1aaf1aad9484bc7d2fb24f4f9a7687b8d81af24a25ad12230bb3874985ba4f91
MD5 hash: 9b1d51520fe82868b7ee96721fc8120c
SHA1 hash: b609a4d2dd5297b65da6e22002924304dacbf2fb
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: 1aaf1aad9484bc7d2fb24f4f9a7687b8d81af24a25ad12230bb3874985ba4f91 (this sample)

Delivery method: Distributed via web download

Comments