MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 229da6f40dd9016d9fac16df6b8ed0ee108167263d2dc1fafe49bcc2593bf571. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	229da6f40dd9016d9fac16df6b8ed0ee108167263d2dc1fafe49bcc2593bf571
SHA3-384 hash:	30bfc98443189bfa7fafa250c3d4148401732fe5e49d7ff3d012fcbf47e186cb6082c3fc2f80936d03510a5bec3badb7
SHA1 hash:	952cdae8ca7ad1c657911c30428813fe2651a2f3
MD5 hash:	69b49f1c3bb34ab930887347b0b11c75
humanhash:	golf-carolina-xray-dakota
File name:	69b49f1c3bb34ab930887347b0b11c75.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	705'024 bytes
First seen:	2021-07-26 13:56:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4af0c4da1571e02aa1a31b1c0ae85007 (4 x RedLineStealer, 1 x DanaBot, 1 x RaccoonStealer)
ssdeep	12288:PuRh2SjlzXCpIO8YBVWNpI9gEBNrl9Br+7md7QTrtKN+f+RD4MDkzTAmLw110iga:6TjlzXCpj2p0RBNBfddmW+fqkuqEWw1d
Threatray	524 similar samples on MalwareBazaar
TLSH	T1AFE4F020B7A1C435F6F611F814B68379A93E7AB19B3411CB62E43EEE16346E1AC31747
dhash icon	ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://ijicrack.com/soundpad-crack-license-key-download/

Verdict:

Malicious activity

Analysis date:

2021-07-25 21:00:55 UTC

Tags:

evasion trojan stealer vidar loader rat redline phishing raccoon

Link:

https://app.any.run/tasks/d5f35a1c-7244-430a-8873-db8bab1174d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/174156/

Detection(s):

Win.Packed.Generic-9881377-0

Win.Packed.Generic-9881388-0

Win.Packed.Generic-9881389-0

Win.Packed.Generic-9881403-0

Win.Packed.Raccoon-9881528-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d3b83467-49ff-4785-b4e2-b132dd67793e

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821826

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-07-26 02:06:00 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=eko2n5an3eaw3h5mc3pwxdwq5yiiczzghuw4d6x6jg6mewj36vyq._file

Verdict:

malicious

RedLineStealer

1b8e0d6bf6bbc7bd304c72d27f68e40383a3107cdd286cdae3ad77cfb2877438

RedLineStealer

2d1dea49f82e34123861cf36ae63704941b7e2351e84efa2736a57158c333507

RedLineStealer

56221114fabdd4c118e62f01ffb00cbd8cbb865c6786d5191579b765d2136a2e

RedLineStealer

5bddc130613ede4832dd4251843b168282b71c4eedfdb1772fd83bf08979ed32

RedLineStealer

6153c614b6aaaddaf1afafcaf5d1499b4c8ce8706fe9b64599d06bca37b7ec7e

RedLineStealer

873e0fcc2e0ebe7488c085d7001ce2cd05b8c4dbcb0e9d6f2d9642f73b5314ff

RedLineStealer

88efccdbd18a8f217304c67114fba6c25e329e9da1fedbae6e10974980946a2c

RedLineStealer

d828678d918a633c4961c98ef7a8c5620d0f63641a6fa5565a1e979a62af2e2d

RedLineStealer

+ 514 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 26.07 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210726-8e4fj32gaj/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d

MD5 hash:

9376b7133674bfb3e0350df0ad90eb76

SHA1 hash:

e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250

Link:

https://www.unpac.me/results/5b0fb457-abe0-4558-9079-e430c7958358/

SH256 hash:

229da6f40dd9016d9fac16df6b8ed0ee108167263d2dc1fafe49bcc2593bf571

MD5 hash:

69b49f1c3bb34ab930887347b0b11c75

SHA1 hash:

952cdae8ca7ad1c657911c30428813fe2651a2f3

Link:

https://www.unpac.me/results/5b0fb457-abe0-4558-9079-e430c7958358/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/229da6f40dd9016d9fac16df6b8ed0ee108167263d2dc1fafe49bcc2593bf571

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer