MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f5769978c515cbb35c0eb43892f54156119193165c6b9002da490a237ffccd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	1f5769978c515cbb35c0eb43892f54156119193165c6b9002da490a237ffccd6
SHA3-384 hash:	93f9c86af2b88ab06f805c1d88ccb86dd30dcd2f3f16a7a95a143bfc076cd90b5ac52dcc58868f721e288e32c57618db
SHA1 hash:	99dfd7df8023d5db96c78357a5e75f064945379d
MD5 hash:	5bf412e5646f7f8097f1f2a9c349032a
humanhash:	mirror-robert-florida-jersey
File name:	SecuriteInfo.com.W32.AIDetect.malware2.26285.32343
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	584'192 bytes
First seen:	2021-08-03 14:45:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ecc36f6be970cd1f60fff6968abb9451 (3 x RedLineStealer, 1 x RaccoonStealer, 1 x TeamBot)
ssdeep	12288:AzBnI0SyhsaTOPehPr9BDoDsx3D7gqvTNBKSsVykxLzRcewKswoOc:wiUvNoaT1xBKS8qvK2P
Threatray	573 similar samples on MalwareBazaar
TLSH	T1ADC402203560C7B2C69255748471CE64772E7C325EF1DA9B33B4222AAE717D173B836B
dhash icon	1272d292105c5c01 (11 x RaccoonStealer, 4 x RedLineStealer, 3 x DanaBot)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetect.malware2.26285.32343

Verdict:

Malicious activity

Analysis date:

2021-08-03 14:46:27 UTC

Tags:

evasion trojan rat redline

Link:

https://app.any.run/tasks/a66fb67e-0a6d-41fd-a112-80bb3d78ffde

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/176085/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.26285.32343.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1fd2d4b9-f2cb-4406-872e-db4e09fae787

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/826271

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1f5769978c515cbb35c0eb43892f54156119193165c6b9002da490a237ffccd6/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2021-08-03 14:46:07 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=d5lwtf4mkfolwnoa5nbysl2ucvqrsgjrmxdlsabnusiken77ztla._file

Verdict:

malicious

RedLineStealer

9cefdffb73daf4a060fd9b44803eec6795db46ed96d49e1c6cb34e4224979321

RedLineStealer

b00dc3b0fb77b5893417308a832cfaabd7440230a1800807444af33f0475b005

RedLineStealer

b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a

RedLineStealer

b3c8e26b99261ebbda8111d45cf333b28bbde4ac32ff8e750f538dd998fcf858

RedLineStealer

b437017fcf0a4f6444183cbe1533b1f0901b83b501ac190adc787de4cc7f11a6

RedLineStealer

ce113b28e0dcd742e696907a708883af3a9450edcbf34925578bffd5825e7a14

RedLineStealer

ecfdae094a54934410a15735998ff611d5b5a6bffc93d969c6a1acc3735cd73c

RedLineStealer

+ 563 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 02.08 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210803-f3zfv3lhxx/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d

MD5 hash:

9376b7133674bfb3e0350df0ad90eb76

SHA1 hash:

e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250

Link:

https://www.unpac.me/results/4cf1448e-6330-4d96-8542-8c0be47480dc/

SH256 hash:

1f5769978c515cbb35c0eb43892f54156119193165c6b9002da490a237ffccd6

MD5 hash:

5bf412e5646f7f8097f1f2a9c349032a

SHA1 hash:

99dfd7df8023d5db96c78357a5e75f064945379d

Link:

https://www.unpac.me/results/4cf1448e-6330-4d96-8542-8c0be47480dc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1f5769978c515cbb35c0eb43892f54156119193165c6b9002da490a237ffccd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer