MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 818921afe011eeb477d8a26143e2fc574b21f1942d4c92730a37c1400ae3acc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 818921afe011eeb477d8a26143e2fc574b21f1942d4c92730a37c1400ae3acc4
SHA3-384 hash: 831055c82127b44ff4714083b7eb3a4fea70759d550017f2e1b805c9cd770d790e59ba10298d9edce1c1c5ad08170e75
SHA1 hash: 889b737bcf2a995269a3589c12dfe7fbe6b2f8eb
MD5 hash: bcb988eba382a97fd51bef9b1d0a3e8d
humanhash: crazy-iowa-mobile-eleven
File name:SecuriteInfo.com.W32.AIDetect.malware2.9153.2386
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:591'872 bytes
First seen:2021-08-14 00:53:17 UTC
Last seen:2021-08-14 03:39:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b09961d8006e7ff4bbe247dfce906b36 (5 x RaccoonStealer, 3 x RedLineStealer, 2 x Smoke Loader)
ssdeep 12288:SG7cB7Xbmhxun+8PgORFM3MD3FOaRb9Iy49ySTU3YOdiD:NwBbbmhxq+8PgOzX7F2BU3FiD
Threatray 608 similar samples on MalwareBazaar
TLSH T141C402D2BC93D97EC592D5F208609AB41B71BC219305148EA7643F6B2E331E718FE2D2
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.9153.2386
Verdict:
Malicious activity
Analysis date:
2021-08-14 00:54:36 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/21ad9b46-cd41-419d-9961-0643e2a5fc81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179108/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.9153.2386.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f89718e-ac6d-4710-992e-927f30512a43
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/832712
Signature
Creates HTML files with .exe extension (expired dropper behavior)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Yara detected Autohotkey Downloader Generic
Yara detected Evader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/818921afe011eeb477d8a26143e2fc574b21f1942d4c92730a37c1400ae3acc4/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-13 22:49:20 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qgesdl7achxli56yujquhyx4k5fsd4mufvgje4ykg7auacxdvtca._file
Verdict:
unknown
Similar samples:
1f5769978c515cbb35c0eb43892f54156119193165c6b9002da490a237ffccd6
RedLineStealer
5fc0c8bf9bac4e9321fee7fcf2f0fb6dadaeedc8d5ba6432961654f92fe5e58c
RedLineStealer
9cefdffb73daf4a060fd9b44803eec6795db46ed96d49e1c6cb34e4224979321
RedLineStealer
a26803d8e53b6a759a71245e8b973ac9c8eaf9ebfe7356d7e4b4cd5e03bb5414
RedLineStealer
b00dc3b0fb77b5893417308a832cfaabd7440230a1800807444af33f0475b005
RedLineStealer
b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a
RedLineStealer
ce113b28e0dcd742e696907a708883af3a9450edcbf34925578bffd5825e7a14
RedLineStealer
d87caaaf87e2d97b1b336a0c1bb01369da3d27bca6495efa4c20966880bf12c1
RedLineStealer
ea9decc8f9ee3cb178f1536382263d969a0e3bcbefe3103cf3c901c11344fc72
RedLineStealer
ecfdae094a54934410a15735998ff611d5b5a6bffc93d969c6a1acc3735cd73c
RedLineStealer
+ 598 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210814-f281ejtqyx/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
Unpacked files
SH256 hash:
6024a410129497ebff3f98c4a761d20724a0ba82cde2428c16848b147c90fecc
MD5 hash:
7d37f6b0a78179b3ad6f86d9058d62b4
SHA1 hash:
aa3acc9e9822af99a7eff7020be106693da727e3
Link:
https://www.unpac.me/results/24148132-e6ab-47ab-9637-a7279ed6369c/
SH256 hash:
818921afe011eeb477d8a26143e2fc574b21f1942d4c92730a37c1400ae3acc4
MD5 hash:
bcb988eba382a97fd51bef9b1d0a3e8d
SHA1 hash:
889b737bcf2a995269a3589c12dfe7fbe6b2f8eb
Link:
https://www.unpac.me/results/24148132-e6ab-47ab-9637-a7279ed6369c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/818921afe011eeb477d8a26143e2fc574b21f1942d4c92730a37c1400ae3acc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_AHK_Downloader
Create hunting rule
Author:ditekSHen
Description:Detects AutoHotKey binaries acting as second stage droppers
Rule name:MALWARE_Win_RedLineDropperAHK
Create hunting rule
Author:ditekSHen
Description:Detects AutoIt/AutoHotKey executables dropping RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 818921afe011eeb477d8a26143e2fc574b21f1942d4c92730a37c1400ae3acc4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1531796/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/179108/

Comments