MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 724476a16a9f3e69126468764f2f146bc4b7b38576b33e5e4dd5cb4bd97b8c2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments 1

SHA256 hash:	724476a16a9f3e69126468764f2f146bc4b7b38576b33e5e4dd5cb4bd97b8c2d
SHA3-384 hash:	6ba1725d4ea8af0676377c56d1917bf516574813f71ec6483fad404e3b2e94aaf89490fe51c69302b0e2dece966fe9ba
SHA1 hash:	2df1e210821a116f178da3e74d725b7eaa5ed6f0
MD5 hash:	425f35f28e52165875432253e165db3a
humanhash:	fifteen-lemon-timing-bulldog
File name:	425f35f28e52165875432253e165db3a
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	675'840 bytes
First seen:	2021-12-25 17:41:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	20bc16f8c11d4af8d5161e49cc4a77e7 (2 x RedLineStealer, 1 x RaccoonStealer, 1 x CoinMiner)
ssdeep	12288:6fkdRoHsZcRDjQ0QFRGavYH/XOusvrg1actuCh9fws:ldR4sKsvGeu14ux9R
Threatray	856 similar samples on MalwareBazaar
TLSH	T191E4F010B7A0C035F1B726F84979A368793EBCA25B24A1CB63D027EE56356E0DD7071B
File icon (PE):
dhash icon	b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Download+file+Арифметико+{Alawar}.exe+(7,57+Mb)+In+free+mode+_+Turbobit.net.zip

Verdict:

Malicious activity

Analysis date:

2021-12-25 15:39:11 UTC

Tags:

evasion trojan loader rat redline stealer vidar opendir amadey

Link:

https://app.any.run/tasks/9a430f4c-986d-40e5-8dd9-688adc8af2f9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/216389/

Detection(s):

Win.Packed.Ulise-9917518-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Sending a TCP request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/3232/overview

Behaviour

SystemUptime

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware packed

Link:

https://www.filescan.io/uploads/61c757b0ec6c6c14a9f23f87/reports/7103aba2-5116-4dfa-ae22-952de1950d96/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b8d70559-0ff9-4c99-b098-5e7e2018a2f7

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/912809

Signature

Connects to many ports of the same IP (likely port scanning)

Contains functionality to register a low level keyboard hook

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/724476a16a9f3e69126468764f2f146bc4b7b38576b33e5e4dd5cb4bd97b8c2d/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-12-25 15:38:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojchnilkt47gsetenb3e6lyunpclpm4fo2zt4xsn2xfuxwl3rqwq._file

Verdict:

malicious

RedLineStealer

652d426c966ce5b82149b86593f0b8224044796ca670c0c80036aea58d343343

RedLineStealer

96a0b09a49fb70ec9283e9d892bdb21c5b5907906982eff2f6cc738c2e20f735

RedLineStealer

a6b6b2b7bf57f168500bf2267dcad1e37877620071432ef38d11265a49c0dbfb

RedLineStealer

e3b6a660fbacbea49c7da301f2eadae99a5f1889858fff7e7378c508e286580f

RedLineStealer

ed9ec6594cdb7b034643ec06adcbf86c7124ac81805e0f48f655f389492ee9a5

RedLineStealer

ffbb9cbfc1d209d6a3f4c835ecb844b8ab585a4834511613d34191165a3feb61

RedLineStealer

+ 846 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/211225-v9ez2aagd7/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Unpacked files

SH256 hash:

86d5b41e2ea3f6d3b016068574bb64323a4f9b82464737318b5c8cb512b9060b

MD5 hash:

08670dc295c9a103c799a3331d8dcd5a

SHA1 hash:

3e02b80efc3812d188895d067e44868f582f5732

Link:

https://www.unpac.me/results/1aedba2e-c281-4118-a868-0dc8b46fe27d/

SH256 hash:

724476a16a9f3e69126468764f2f146bc4b7b38576b33e5e4dd5cb4bd97b8c2d

MD5 hash:

425f35f28e52165875432253e165db3a

SHA1 hash:

2df1e210821a116f178da3e74d725b7eaa5ed6f0

Link:

https://www.unpac.me/results/1aedba2e-c281-4118-a868-0dc8b46fe27d/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/724476a16a9f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/724476a16a9f3e69126468764f2f146bc4b7b38576b33e5e4dd5cb4bd97b8c2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers