MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d9eada32c618b3d4a5038df5c82579a96af13b19d9da995c46153d1a3253825. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	1d9eada32c618b3d4a5038df5c82579a96af13b19d9da995c46153d1a3253825
SHA3-384 hash:	b74dbc7eb03eb1f4ef9c929be1fd9245c194da9b50eafe377a3ecfcd574ba2ded50614fb338b3bc75cd747c0e0926396
SHA1 hash:	901e31decec262d23b3765ac95fb9191f6a781d1
MD5 hash:	8f49f9693b38e5365cb7e0681da47e75
humanhash:	lamp-video-oregon-romeo
File name:	8f49f9693b38e5365cb7e0681da47e75.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	607'232 bytes
First seen:	2021-08-05 18:31:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e905b204d022a4a3f9803ba3895bcbd4 (3 x RaccoonStealer, 3 x Smoke Loader, 2 x RedLineStealer)
ssdeep	12288:GyIxmAXyMUQbGR/OH+pOCcKwaN8DtNzjMHJHFiPH+:VIwPM7b2EKwTrXWCH+
Threatray	580 similar samples on MalwareBazaar
TLSH	T178D402953081CC77F0A276B3DC15CA51563AF824D829DA4B7B859BAE6F317E2AF30341
dhash icon	1036787c727e7636 (2 x Smoke Loader, 1 x RaccoonStealer, 1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8f49f9693b38e5365cb7e0681da47e75.exe

Verdict:

Malicious activity

Analysis date:

2021-08-05 18:34:19 UTC

Tags:

evasion loader trojan rat redline stealer

Link:

https://app.any.run/tasks/c587a474-bb09-4ca8-876a-328a727d95ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/176799/

Detection(s):

Win.Dropper.Ursnif-9884013-0

Win.Dropper.Ursnif-9884016-0

Win.Dropper.Ursnif-9884018-0

Win.Dropper.Ursnif-9884040-0

Win.Dropper.Ursnif-9884041-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Sending a UDP request

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9e71c716-3bf5-47b8-a2c0-3ac522aacb90

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/827628

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d9eada32c618b3d4a5038df5c82579a96af13b19d9da995c46153d1a3253825/

Threat name:

Win32.Trojan.MintTitirez

Status:

Malicious

First seen:

2021-08-05 18:32:10 UTC

AV detection:

23 of 46 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dwpk3izmmgft2ssqhdpvzasxtklk6e5rtwo2tfoemfj5dizfhasq._file

Verdict:

malicious

RedLineStealer

9cefdffb73daf4a060fd9b44803eec6795db46ed96d49e1c6cb34e4224979321

RedLineStealer

a26803d8e53b6a759a71245e8b973ac9c8eaf9ebfe7356d7e4b4cd5e03bb5414

RedLineStealer

b00dc3b0fb77b5893417308a832cfaabd7440230a1800807444af33f0475b005

RedLineStealer

b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a

RedLineStealer

b3c8e26b99261ebbda8111d45cf333b28bbde4ac32ff8e750f538dd998fcf858

RedLineStealer

ce113b28e0dcd742e696907a708883af3a9450edcbf34925578bffd5825e7a14

RedLineStealer

d87caaaf87e2d97b1b336a0c1bb01369da3d27bca6495efa4c20966880bf12c1

RedLineStealer

e9e058a97ae8281cf6435c759d712e14f91640aff79cc8a39dc605c46c042c60

RedLineStealer

+ 570 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 04.08 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210805-59p6jp3xcj/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d

MD5 hash:

9376b7133674bfb3e0350df0ad90eb76

SHA1 hash:

e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250

Link:

https://www.unpac.me/results/f0c0cab3-1a87-4e4d-b0bf-d4669373d089/

SH256 hash:

1d9eada32c618b3d4a5038df5c82579a96af13b19d9da995c46153d1a3253825

MD5 hash:

8f49f9693b38e5365cb7e0681da47e75

SHA1 hash:

901e31decec262d23b3765ac95fb9191f6a781d1

Link:

https://www.unpac.me/results/f0c0cab3-1a87-4e4d-b0bf-d4669373d089/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d9eada32c618b3d4a5038df5c82579a96af13b19d9da995c46153d1a3253825

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer