MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c542bafda9ae4a432772c615cdb5cbe12446574755adbab577fc34ab330c368. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	2c542bafda9ae4a432772c615cdb5cbe12446574755adbab577fc34ab330c368
SHA3-384 hash:	0263cb4e786379f93c786f6336af79a9deb931df19ac84e04a4e8bc10bff127a834ec8438d0bfc2b764d9da31b4ec3ce
SHA1 hash:	3525ff473d458e691e81d76ab1695afcc1af410e
MD5 hash:	a254855fb792d662ba0f0cfd32454b4d
humanhash:	yankee-july-blue-michigan
File name:	a254855fb792d662ba0f0cfd32454b4d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	682'496 bytes
First seen:	2021-08-14 07:18:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	190d5a02f848e469f132ecd2e2b26b09 (2 x RaccoonStealer, 1 x RedLineStealer, 1 x CryptBot)
ssdeep	12288:u7OE3qvBePQpWKuhHPes0Ll+vdEdXV99PZLg08kFMlQ5snVQVT5ozeFf+:utqvB6msmhdT9xLg0riyCah5IeFf+
Threatray	610 similar samples on MalwareBazaar
TLSH	T106E4E1F0E790C439E5F211F8496A93F9A82D7E619B2450CBE2E125FE5A3C1E49C31397
dhash icon	d824e7d0c4e72158 (6 x RaccoonStealer, 5 x Stop, 2 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a254855fb792d662ba0f0cfd32454b4d.exe

Verdict:

Malicious activity

Analysis date:

2021-08-14 07:19:35 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/ac8249a1-b550-410e-8c3e-2b30c1d36f29

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/179194/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader41.11497.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Connecting to a non-recommended domain

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/371c91f1-c6ed-40cf-a3a6-25f68bd41bc7

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre.troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/832812

Signature

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample or dropped binary is a compiled AutoHotkey binary

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c542bafda9ae4a432772c615cdb5cbe12446574755adbab577fc34ab330c368/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-14 07:19:05 UTC

AV detection:

17 of 46 (36.96%)

Threat level:

5/5

Verdict:

unknown

RedLineStealer

571b3f0b4685473b424f7fb3b67344cd1441930fa7f966e3a4cd41875fde8de3

RedLineStealer

5bddc130613ede4832dd4251843b168282b71c4eedfdb1772fd83bf08979ed32

RedLineStealer

6153c614b6aaaddaf1afafcaf5d1499b4c8ce8706fe9b64599d06bca37b7ec7e

RedLineStealer

88efccdbd18a8f217304c67114fba6c25e329e9da1fedbae6e10974980946a2c

RedLineStealer

c3ffdf4610bd08751b16fd31959ab8b1b2ba312a80e556a15ecdb22b9332c20e

RedLineStealer

e8cb78d559909b23edb3a7f7c62cc9028444cc932773a873ab3f10be4f3449a5

RedLineStealer

+ 600 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210814-rvyedfc2sj/

Behaviour

Checks processor information in registry

Enumerates physical storage devices

Legitimate hosting services abused for malware hosting/C2

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Unpacked files

SH256 hash:

6024a410129497ebff3f98c4a761d20724a0ba82cde2428c16848b147c90fecc

MD5 hash:

7d37f6b0a78179b3ad6f86d9058d62b4

SHA1 hash:

aa3acc9e9822af99a7eff7020be106693da727e3

Link:

https://www.unpac.me/results/0617b599-4eef-4a90-a57d-eb18601a2394/

SH256 hash:

2c542bafda9ae4a432772c615cdb5cbe12446574755adbab577fc34ab330c368

MD5 hash:

a254855fb792d662ba0f0cfd32454b4d

SHA1 hash:

3525ff473d458e691e81d76ab1695afcc1af410e

Link:

https://www.unpac.me/results/0617b599-4eef-4a90-a57d-eb18601a2394/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2c542bafda9ae4a432772c615cdb5cbe12446574755adbab577fc34ab330c368

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer