MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4251c1dee8c3018c0fa6ab14f732b9acd34519f4fa37d9f1f8397533de7eece5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	4251c1dee8c3018c0fa6ab14f732b9acd34519f4fa37d9f1f8397533de7eece5
SHA3-384 hash:	4a3d9ec2d2431cf2f959933f3c16bf57a29c5cc67e58fbdd505bf285b448db265606f984d93176cf5e118b02652ab70f
SHA1 hash:	d2992b46d907d3e0b8b84b3d072e1250948a29b9
MD5 hash:	d7a9da857c47bd70f41028c2a29df802
humanhash:	oxygen-single-north-cup
File name:	d7a9da857c47bd70f41028c2a29df802.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	710'144 bytes
First seen:	2021-05-29 12:10:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	81b4229fe87c6f29363ad369204caedb (5 x RaccoonStealer, 2 x Stop, 2 x RedLineStealer)
ssdeep	12288:iWijlvmm4wOOQIQLgxkeCuWuL7/3tQMkyAvQynoTd1e/jSkQmN4pzRgU1XTYPYz:ClvcHpGkeCuWqFkKyohej7Qm63Bbz
Threatray	359 similar samples on MalwareBazaar
TLSH	54E4E07066A1C035F6B322B449B5C2B9683ABDB1AB3440DF62C43BED86345E4ED31797
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.15:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.15:80	https://threatfox.abuse.ch/ioc/66770/

Intelligence

File Origin

# of uploads :

# of downloads :

249

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d7a9da857c47bd70f41028c2a29df802.exe

Verdict:

Malicious activity

Analysis date:

2021-05-29 12:20:57 UTC

Tags:

evasion trojan loader rat redline

Link:

https://app.any.run/tasks/96923a4a-c3fc-4fef-b80c-9a0946703230

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/163161/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending an HTTP GET request

Launching a process

Sending an HTTP GET request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/794228

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4251c1dee8c3018c0fa6ab14f732b9acd34519f4fa37d9f1f8397533de7eece5/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-05-26 18:33:00 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iji4dxxiymayyd5gvmkpomvzvtjukgpu7i35t4pyhf2thxt65tsq._file

Verdict:

malicious

RedLineStealer

58472769f4701ccaef3d6cb6e32317f49a680dfaf1dc7ac1e8de76a02b41c7f3

RedLineStealer

935d741a26dd18d1f300d3218823bcc84481017376e48693840853d7607f4e60

RedLineStealer

b2e0c72237dbad9cbd82ec93814b1b078779d3016d4e7d18b7bd5ff2cdeb9c68

RedLineStealer

b3feea58dffddae3a837b055078d8a3ed2db731fd6c7d77aa1164a0185f3b169

RedLineStealer

d8271e3a38ba916aa701c5b4cb01eb75abface3d401e604248434d7f79ffaad0

RedLineStealer

e07e702d1247fd8b230d21bba94b581f65f27e811c59a28896fcea29ddb3d2de

RedLineStealer

fc75e0db35a8db7c56bc4c3e45532fc32293270ea477f891c7b0556f93a74b80

RedLineStealer

fc9c54b72323f2492fb6e22ce77628b7af0b349b6cb6030d55d1c40b35199e91

RedLineStealer

fd1950809cc08c90a09af1289b6107d2f86f4873eca54d2ef2baf3a0590a5491

RedLineStealer

+ 349 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:28.05 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210529-tbvbhmadgj/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.15:80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4251c1dee8c3018c0fa6ab14f732b9acd34519f4fa37d9f1f8397533de7eece5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	AutoIT_Script Create hunting rule
Author:	@bartblaze
Description:	Identifies AutoIT script.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/163161/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample