MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41fc0071b14fa3a5990852af374922d234be8404ad0179e205d69b5e80613066. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	41fc0071b14fa3a5990852af374922d234be8404ad0179e205d69b5e80613066
SHA3-384 hash:	10939f89b9b2af1700ba619f3adbd3dabe666c0a831540962da0040c3f7ddbcb477e64a9a41435ff29f01b1ae59408f5
SHA1 hash:	4fc1081d614de271ede2e8f54b2149cc074b82c0
MD5 hash:	7aa21aecbdf633b2c535f267f4053f76
humanhash:	don-twelve-eleven-october
File name:	7aa21aecbdf633b2c535f267f4053f76.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	594'432 bytes
First seen:	2021-02-05 19:05:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	13735e2fa50463ef607625581d2f599d (1 x RedLineStealer)
ssdeep	12288:rJiikZ6MK1rVekgPX4i2b6MH/IOQdFFaLFtNZX4BOqyDmE+Sa:rBUBK14kgP4iW6MGFO/X4Bkyua
Threatray	480 similar samples on MalwareBazaar
TLSH	43C402113791C036E2B325324A24C7B20E7BB8363675A94F2FDA067D5F382D2DB6571A
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7aa21aecbdf633b2c535f267f4053f76.exe

Verdict:

Malicious activity

Analysis date:

2021-02-05 19:06:26 UTC

Tags:

evasion loader trojan rat redline phishing

Link:

https://app.any.run/tasks/c7c8c6f1-e2d7-4f9d-b70d-de31e9ec0ee2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/115806/

Detection(s):

Win.Malware.Gocloudnet-9829287-0

Win.Malware.Generic-9829424-0

Win.Packed.Trojanx-9829540-0

PUA.Win.Downloader.Firseria-6804617-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending an HTTP GET request

Sending an HTTP POST request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %temp% directory

Deleting a recently created file

Creating a file

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/600659

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/41fc0071b14fa3a5990852af374922d234be8404ad0179e205d69b5e80613066/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-01-31 18:45:14 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

0d3d30c7dbe44c4a06d291d8b13ef9940035eece68f2530d66dede28cb2955fe

RedLineStealer

40ba9d771237508e4f0ea5d498a14a0345d802effc02317487256a1feff1dec1

RedLineStealer

56f814347c8ec650f905e26cb30343d437b587d8f663ac6bbf4ae4ca483898e1

RedLineStealer

7d957b25b466f6b1eca625ad56a3472a83b2efc825a5d056a7d11b1b74f17fa3

RedLineStealer

8499aa17997bfbe03592e33e82df1c674f1b57ba3d372355e690b9468ea6fea2

RedLineStealer

9cab8335127ff3b44cf40b02a517395c6ed9f29ff6485124543a2ffa97ad4682

RedLineStealer

d740674533d5c0fb220dceec7eb0d440a1f01231a728030b355361b9f0aeff77

RedLineStealer

f8724be2161dfc04188b5203d9194c530a528cddbc380825258a0adb287e468a

RedLineStealer

fb89126a584d7c5f4051ea49ee0a03f18b3f08a9c9c165088cee1ceeb482e75d

RedLineStealer

+ 470 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery ransomware spyware

Link:

https://tria.ge/reports/210205-9nvbbs6wza/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Unpacked files

SH256 hash:

85d13af31a780c14f644dc8d37b10c1283cd4952e9a2996e54dacc115d4c3782

MD5 hash:

43f47f7767f2d7974edaa96c779e073d

SHA1 hash:

fcb29873a72549b4b442e068e196d1972e68b626

Link:

https://www.unpac.me/results/e444a309-47aa-476a-8029-a81112968bd6/

SH256 hash:

41fc0071b14fa3a5990852af374922d234be8404ad0179e205d69b5e80613066

MD5 hash:

7aa21aecbdf633b2c535f267f4053f76

SHA1 hash:

4fc1081d614de271ede2e8f54b2149cc074b82c0

Link:

https://www.unpac.me/results/e444a309-47aa-476a-8029-a81112968bd6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/41fc0071b14fa3a5990852af374922d234be8404ad0179e205d69b5e80613066

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	AutoIT_Script Create hunting rule
Author:	@bartblaze
Description:	Identifies AutoIT script.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/115806/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample