MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b8e0d6bf6bbc7bd304c72d27f68e40383a3107cdd286cdae3ad77cfb2877438. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	1b8e0d6bf6bbc7bd304c72d27f68e40383a3107cdd286cdae3ad77cfb2877438
SHA3-384 hash:	c85a61f0623f5bb1476a38e1f6d052269ea4e8a0b554e141b9eb779a17a5739161b81f180a2153a40c580ba952819ab2
SHA1 hash:	a9ab94f2d27ee8fb44893b83059d53ae063a6093
MD5 hash:	57b7bb4faf2eabffda8fd57de9642234
humanhash:	shade-connecticut-avocado-mobile
File name:	57b7bb4faf2eabffda8fd57de9642234.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	706'048 bytes
First seen:	2021-07-26 13:55:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4af0c4da1571e02aa1a31b1c0ae85007 (4 x RedLineStealer, 1 x DanaBot, 1 x RaccoonStealer)
ssdeep	12288:Q0RhfmDNrctqvxNvxj/cyVG5Jy2ngetmGgRu601077bAPhWSzDw13wEvayRb:FEDNrcAvlG5JltmDr010/cPhWS+gEvaw
Threatray	522 similar samples on MalwareBazaar
TLSH	T10CE4F120B6A1C435E1B215F855B593B9A83D7EB1AB3851CF52E13EEE12346E1EC31B43
dhash icon	ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

57b7bb4faf2eabffda8fd57de9642234.exe

Verdict:

Malicious activity

Analysis date:

2021-07-26 14:01:57 UTC

Tags:

evasion trojan rat redline

Link:

https://app.any.run/tasks/c602a8da-3356-458b-8ff7-10d695f0eb0d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/174155/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.23221.17049.UNOFFICIAL

Win.Packed.Generic-9881377-0

Win.Packed.Generic-9881388-0

Win.Packed.Generic-9881389-0

Win.Packed.Generic-9881403-0

Win.Packed.Raccoon-9881528-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dfc4ad5b-2003-4e63-9010-87dd951300fe

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821843

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-07-26 01:13:00 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=doha227wxpd32mcmoljh62heaob2ged43uugzwxdvv347muhoq4a._file

Verdict:

malicious

RedLineStealer

4916a30cf95ce60d07010b22e47de85aa689352242556c6129e451cb6dd60037

RedLineStealer

56221114fabdd4c118e62f01ffb00cbd8cbb865c6786d5191579b765d2136a2e

RedLineStealer

5bddc130613ede4832dd4251843b168282b71c4eedfdb1772fd83bf08979ed32

RedLineStealer

6153c614b6aaaddaf1afafcaf5d1499b4c8ce8706fe9b64599d06bca37b7ec7e

RedLineStealer

79c4fe7ad05c4b6dbe384b5dc3c9b4e470b7d4e97dd0dd9116b032b61148f583

RedLineStealer

873e0fcc2e0ebe7488c085d7001ce2cd05b8c4dbcb0e9d6f2d9642f73b5314ff

RedLineStealer

88efccdbd18a8f217304c67114fba6c25e329e9da1fedbae6e10974980946a2c

RedLineStealer

d828678d918a633c4961c98ef7a8c5620d0f63641a6fa5565a1e979a62af2e2d

RedLineStealer

+ 512 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 26.07 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210726-1269142xhe/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d

MD5 hash:

9376b7133674bfb3e0350df0ad90eb76

SHA1 hash:

e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250

Link:

https://www.unpac.me/results/c644f763-35b6-4c32-8f7f-4798a1574259/

SH256 hash:

1b8e0d6bf6bbc7bd304c72d27f68e40383a3107cdd286cdae3ad77cfb2877438

MD5 hash:

57b7bb4faf2eabffda8fd57de9642234

SHA1 hash:

a9ab94f2d27ee8fb44893b83059d53ae063a6093

Link:

https://www.unpac.me/results/c644f763-35b6-4c32-8f7f-4798a1574259/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b8e0d6bf6bbc7bd304c72d27f68e40383a3107cdd286cdae3ad77cfb2877438

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer