MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44162c70a77cd897fec36313ee660ba4c4df34fb96e62d3a1a8b8ca0b26a9a3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	44162c70a77cd897fec36313ee660ba4c4df34fb96e62d3a1a8b8ca0b26a9a3e
SHA3-384 hash:	7d540fd1187948fcac7a08711cf7faf0aef1d8562444d514e2c650e7548a26b7b0a46e47fa7ffebaa04c2cfc3e5f069a
SHA1 hash:	ce7b77efe68d18ca4e859ed9a3dc3798cb73d781
MD5 hash:	0f6c6d0cc9e75accd654ba65d5a58f77
humanhash:	nevada-jig-princess-september
File name:	0f6c6d0cc9e75accd654ba65d5a58f77.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	693'760 bytes
First seen:	2022-02-03 14:41:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6f6aeb6fc382a28ed1adc7823a20786d (1 x RedLineStealer, 1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	12288:PWh5hln+pwC/F2DyxPvckMcakkodbmIkQqzJo0QEjdR52YiGZ6oFoKYtP:+fCN2DUsCeopfAJoDEB2Z06TKYtP
Threatray	890 similar samples on MalwareBazaar
TLSH	T188E4F110AF90C035E1B726F855BA9369B52E7EE1DB2060CF63D06AEE56786D0DC7130B
File icon (PE):
dhash icon	2dac1378319b9b91 (29 x Smoke Loader, 23 x RedLineStealer, 22 x Amadey)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/232261/

Detection(s):

Win.Malware.Dropperx-9938227-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5870/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61fc314e6d25ac9e7901e053/reports/c12b39fa-8428-4c88-8959-47198c786b5a/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLineStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2d4bb987-8fbb-4309-a733-cfcfb6d49fa2

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/933572

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/44162c70a77cd897fec36313ee660ba4c4df34fb96e62d3a1a8b8ca0b26a9a3e/

Threat name:

Win32.Downloader.Stralo

Status:

Malicious

First seen:

2022-02-03 14:42:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iqlcy4fhptmjp7wdmmj64zqlutcn6nh3s3tc2oq2rogkbmtkti7a._file

Verdict:

malicious

RedLineStealer

2c49fcbd5eda5275d8d2ef98ee7e0c63d978b6d904e3e750ea9d01e52fe16ce9

RedLineStealer

79fe7b201279d48039678693e3aa451ab846cc87a258746d5374963f4a76f065

RedLineStealer

96feb301b146625ffc5c397df1c72bc77c7f76e817f4adc294962a4d034841d9

RedLineStealer

a8065894783bc05b961b4ce6a0d8a3dd0d1edcc83b294b18df7af0dab0db430a

RedLineStealer

bb57cf105b3589eae3a916d922eab0b3bad2672980700cfed98d5321084cf49a

RedLineStealer

fa38a8bfa024e668a67198bb86add37c4c3b080295b078f9b5e5fe92709b8adc

RedLineStealer

+ 880 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence suricata

Link:

https://tria.ge/reports/220203-r21pzsafej/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Enumerates physical storage devices

Drops file in Windows directory

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Sets service image path in registry

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Unpacked files

SH256 hash:

86cec2665ff431668f274fecddf883fb5b532c06ee1a495ce60d5fbbb90c3a33

MD5 hash:

f7246b8631cad60d643fe3625a823397

SHA1 hash:

3aabf69029480970b338bb37a511d307aaf40c79

Link:

https://www.unpac.me/results/be8564a1-d2e8-4eb3-917c-fb50f23203cf/

SH256 hash:

44162c70a77cd897fec36313ee660ba4c4df34fb96e62d3a1a8b8ca0b26a9a3e

MD5 hash:

0f6c6d0cc9e75accd654ba65d5a58f77

SHA1 hash:

ce7b77efe68d18ca4e859ed9a3dc3798cb73d781

Link:

https://www.unpac.me/results/be8564a1-d2e8-4eb3-917c-fb50f23203cf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/44162c70a77cd897fec36313ee660ba4c4df34fb96e62d3a1a8b8ca0b26a9a3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers