MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2aa76bdc54bdf4a5f8a4ce81a9bdd14e6789eb1cc1565d8cac67e101de4dae63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments 1

SHA256 hash:	2aa76bdc54bdf4a5f8a4ce81a9bdd14e6789eb1cc1565d8cac67e101de4dae63
SHA3-384 hash:	aac2296236144de381c369edc61114b077d8c9cc00142d3e48e738c6df6b10994e08cc0d652ffe8fcc9bad7ed5fd409f
SHA1 hash:	aa65bc5f88ea5aa118331ee4599a792351737604
MD5 hash:	52a85f92b9fc0a7560f10215719ddb8c
humanhash:	mango-neptune-hotel-lake
File name:	52a85f92b9fc0a7560f10215719ddb8c
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	575'488 bytes
First seen:	2021-08-06 12:02:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	38170c4d65ff42b014b27008b95c5de6 (4 x RedLineStealer, 2 x RaccoonStealer)
ssdeep	12288:XX4dhgc5I1MPRLBfjtHMmtiKxlKz/pcilye2AlRDdY/:XXShgc5FPRLBfjtH6Kx0ZXXY/
Threatray	582 similar samples on MalwareBazaar
TLSH	T190C4128235108F32E9A1BCB1249BA754566BF910D77401CB3A486BAE7F306E05F3E779
dhash icon	4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

52a85f92b9fc0a7560f10215719ddb8c

Verdict:

Malicious activity

Analysis date:

2021-08-06 12:03:21 UTC

Tags:

evasion loader trojan rat redline stealer

Link:

https://app.any.run/tasks/73dceb8d-0953-45b1-a8f4-5bc9f84254c2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/176979/

Detection(s):

Win.Dropper.Titirez-9884070-0

Win.Dropper.Titirez-9884078-0

Win.Packed.Filerepmalware-9884083-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Sending a UDP request

Creating a file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e09d21e9-3634-4f3c-8ba0-6e98d6b54680

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/828254

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2aa76bdc54bdf4a5f8a4ce81a9bdd14e6789eb1cc1565d8cac67e101de4dae63/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-06 12:03:05 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fktwxxcuxx2kl6fez2a2tporjztyt2y4yflf3dfmm7qqdxsnvzrq._file

Verdict:

malicious

RedLineStealer

4a56daeca371b82d57331570066f794b8fa56c514c9ad9ec4ca2f6a2613e6516

RedLineStealer

9fb05ed05f0830bedc12c15e3432870a6751334ef5b18af9770b3ee4f0e9e037

RedLineStealer

a0c0c84c50b9cbb46063016dbfb74a83fb26a604a0bd5def3141b7bddd005818

RedLineStealer

af3f767e38f4115339fdd61f3f3b878a1335e2201eb5b88e041cb47b1d0a7f46

RedLineStealer

d17f19f350e918c1d6558606fb28b06361e772514a3b0428635c31e9b7e0b098

RedLineStealer

df28d049b131a8dec56e3bbfff4ca4b419a0a04a41af70b5fce5be80b10385a3

RedLineStealer

f1b072a4977439e50f66ceaa57528f53227d95fe762d0cd5250c45ed59e3ee9b

RedLineStealer

f45368b12c083d91a92fa5e629986e8f06b57970ce3718ea97514fc2eed0cf9f

RedLineStealer

+ 572 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 05.08 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210806-w7r9blnt56/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d

MD5 hash:

9376b7133674bfb3e0350df0ad90eb76

SHA1 hash:

e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250

Link:

https://www.unpac.me/results/b6299157-d06d-455b-a5e7-10ed48456940/

SH256 hash:

2aa76bdc54bdf4a5f8a4ce81a9bdd14e6789eb1cc1565d8cac67e101de4dae63

MD5 hash:

52a85f92b9fc0a7560f10215719ddb8c

SHA1 hash:

aa65bc5f88ea5aa118331ee4599a792351737604

Link:

https://www.unpac.me/results/b6299157-d06d-455b-a5e7-10ed48456940/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2aa76bdc54bdf4a5f8a4ce81a9bdd14e6789eb1cc1565d8cac67e101de4dae63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer