MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25abaf64209dd04a95795a8040ff3104802ef3959b277616aa4054f0bde86d7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	25abaf64209dd04a95795a8040ff3104802ef3959b277616aa4054f0bde86d7d
SHA3-384 hash:	69561a1d455018f3092386ddc2ee2b5eb0adb76de3919481988dbfce024aedd61be0f208da620a438971969a6f3df72a
SHA1 hash:	fc9e1b8c3a56ab686c75280cd5a94c8c146ca870
MD5 hash:	750e9be2e713fed3222f9eae83578d59
humanhash:	illinois-romeo-berlin-asparagus
File name:	750e9be2e713fed3222f9eae83578d59.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	653'824 bytes
First seen:	2021-09-25 20:46:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d0a8c3f24685503ba25bd76f34c13b9e (8 x RedLineStealer, 3 x RaccoonStealer, 2 x DanaBot)
ssdeep	12288:a3qGlOD4r+rGPX+Z+66+ef78sqxXajaFq0r6yf87tZ1CxHD+CtG:a3tODhrkKmvqZFq0WdHsj+Ct
Threatray	745 similar samples on MalwareBazaar
TLSH	T13DD4E120B69CC0F9F5B701F4557697A8A93DBDB05B3091CB32E626EE6538AE58C30743
File icon (PE):
dhash icon	9824e790c4e72158 (31 x RedLineStealer, 18 x Smoke Loader, 16 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.15:6043

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.15:6043	https://threatfox.abuse.ch/ioc/226451/

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

750e9be2e713fed3222f9eae83578d59.exe

Verdict:

Malicious activity

Analysis date:

2021-09-25 20:48:34 UTC

Tags:

evasion opendir loader trojan rat redline stealer

Link:

https://app.any.run/tasks/0a6d28cf-8ed3-467b-adbd-613b6aa7cfd0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/191607/

Detection(s):

Win.Malware.Generic-9895371-0

Win.Malware.Generic-9895401-0

Win.Malware.Generic-9895402-0

Win.Packed.Generic-9895599-0

Win.Malware.Fragtor-9895683-0

Win.Packed.Fragtor-9895692-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Deleting a recently created file

Forced system process termination

Creating a process from a recently created file

Launching a service

Using the Windows Management Instrumentation requests

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Connection attempt to an infection source

Sending a TCP request to an infection source

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c8673d5a-a62c-49e0-8c04-c7e5db2f183a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/858146

Signature

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/25abaf64209dd04a95795a8040ff3104802ef3959b277616aa4054f0bde86d7d/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-20 15:43:57 UTC

AV detection:

27 of 28 (96.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ewv26zbatxievflzlkaeb7zrasac544vtmtxmfvkibkpbppinv6q._file

Verdict:

malicious

RedLineStealer

7872580d5105bd09cf386f9713b28854711d356fae34118bd855a9a694da4f1e

RedLineStealer

811b982a5a257a2a9acd46bbf0f68a166470726017e60bb752410ece2cf01ef5

RedLineStealer

85319a895ef7414542ec5644cee12c52caf913c875498fc4764ae25e5861b9b3

RedLineStealer

90823e9bf099b873263241a2a7c3435b85fe6480ecb4fff4da9563ba95e7b31e

RedLineStealer

a4260ab00a78d568cc36ad8a43cff5633bfd365e34d2378ccc11f42a56067f76

RedLineStealer

ae81c091b4bdee9fe4c7708f7cfeccb0273aa51346aad7318061388a5ca3ee3d

RedLineStealer

c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72

RedLineStealer

ebed275eba9f8eddb2242c93732b7a213ede149bd79a792de9d6f8dda6d7f3a3

RedLineStealer

f3ed4402ee977b3d921bfd3432eaa62bf713fbb4407fcbdd5ccf8b8d89856d78

RedLineStealer

+ 735 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix26.09 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210925-zkwnpsdhaq/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

RedLine

Malware Config

C2 Extraction:

185.215.113.15:6043

Unpacked files

SH256 hash:

2bbeecfa8ee3a33b653e73f2a143b36945013635a74e04729a2d32246382f958

MD5 hash:

4799d84cc8575635168d024baf104a8b

SHA1 hash:

6f920803dd8839fffe1c16dc78f1bddf02cd518e

Link:

https://www.unpac.me/results/a7b9c7ae-92fd-4e02-8e8d-775859fc9d95/

SH256 hash:

25abaf64209dd04a95795a8040ff3104802ef3959b277616aa4054f0bde86d7d

MD5 hash:

750e9be2e713fed3222f9eae83578d59

SHA1 hash:

fc9e1b8c3a56ab686c75280cd5a94c8c146ca870

Link:

https://www.unpac.me/results/a7b9c7ae-92fd-4e02-8e8d-775859fc9d95/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/25abaf64209dd04a95795a8040ff3104802ef3959b277616aa4054f0bde86d7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191607/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample