MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 870084efc29a20a3033bc76a61ab401448ba3c589492375f765c9dd517048db2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments 1

SHA256 hash:	870084efc29a20a3033bc76a61ab401448ba3c589492375f765c9dd517048db2
SHA3-384 hash:	26a44b97a4be7517dac6481d32b2585e1baef94b5db7e8d84defd886c28f76aa4d130177f1d872dac3dbf59dda5dedd2
SHA1 hash:	103d730c0995a9e6006cf19449c221a67533765e
MD5 hash:	caf42cf2ccbed198ea52fa1e38257d49
humanhash:	earth-asparagus-wisconsin-foxtrot
File name:	caf42cf2ccbed198ea52fa1e38257d49
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	546'304 bytes
First seen:	2021-09-27 08:58:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3cd0350cb20713093b4eb51a8785dabd (3 x ArkeiStealer, 2 x RaccoonStealer, 2 x Stop)
ssdeep	12288:BoVyBThk0HcBG3aWHeCRbEYYyU34PVUOntWUs79T3Vq:BoVuThtcY3aW+CRbEHI2OEUU9T3U
Threatray	751 similar samples on MalwareBazaar
TLSH	T175C4121CAA119272F50A1B364949C3D1A12A7CD77E51CC4377643B6E2EF62709E3B3A3
File icon (PE):
dhash icon	fcfcb4f4d4d4d8c8 (8 x RedLineStealer, 6 x RaccoonStealer, 4 x ArkeiStealer)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

caf42cf2ccbed198ea52fa1e38257d49

Verdict:

Malicious activity

Analysis date:

2021-09-27 09:00:29 UTC

Tags:

evasion opendir loader trojan rat redline stealer

Link:

https://app.any.run/tasks/6f9d9ad8-1f9b-4778-8181-8728a3ad2671

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/192002/

Detection(s):

Win.Packed.Filerepmalware-9897102-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file in the Windows subdirectories

Deleting a recently created file

Creating a process from a recently created file

Launching a service

Using the Windows Management Instrumentation requests

Connection attempt to an infection source

Sending a TCP request to an infection source

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/abe1891b-bc94-4f7e-9f98-3204b11a7521

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/858766

Signature

Connects to many ports of the same IP (likely port scanning)

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/870084efc29a20a3033bc76a61ab401448ba3c589492375f765c9dd517048db2/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-09-27 08:59:06 UTC

AV detection:

19 of 45 (42.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q4aij36ctiqkgaz3y5vgdk2acrelupcyssjdox3wlso5kfyerwza._file

Verdict:

malicious

RedLineStealer

0f2e6968f4354610048786db7d9a98b62bf759c46f9922152ea14ab5fe880e33

RedLineStealer

3411ffa29608d19dc77f53571010425fc94abd5dac92d6c2abffab6eb468c0ea

RedLineStealer

5342ae888cfa86f63f7fc07cfc613871e323106764d2b5c495aa1946800e49bd

RedLineStealer

57016c84e1c008db532f1c977fe608a767cdfc4a19f8619cbfdd82fe82a2aeae

RedLineStealer

7341c40c1693ae8350ec3eb83cce1d9e0744340b3dde2241e146b410f54c191b

RedLineStealer

90823e9bf099b873263241a2a7c3435b85fe6480ecb4fff4da9563ba95e7b31e

RedLineStealer

c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72

RedLineStealer

ebed275eba9f8eddb2242c93732b7a213ede149bd79a792de9d6f8dda6d7f3a3

RedLineStealer

ed3f452a9fed41f5d3dfb528d6c05a53298b559775eeec46eda50ad42a714b28

RedLineStealer

+ 741 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:27.09 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210927-kxqwnagbem/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

185.215.113.17:48236

Unpacked files

SH256 hash:

ad3261564eefaaed387fa30c95d6bca14c4b61b07d8b8022fd9ee2e7c73325b8

MD5 hash:

34ff1c9b00578927310ccfecdcd2a649

SHA1 hash:

a181f05233005c6a9f33c60526629b8b36994c75

Link:

https://www.unpac.me/results/e972d6ac-b320-4028-9bf7-74035879c88b/

SH256 hash:

870084efc29a20a3033bc76a61ab401448ba3c589492375f765c9dd517048db2

MD5 hash:

caf42cf2ccbed198ea52fa1e38257d49

SHA1 hash:

103d730c0995a9e6006cf19449c221a67533765e

Link:

https://www.unpac.me/results/e972d6ac-b320-4028-9bf7-74035879c88b/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/870084efc29a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/870084efc29a20a3033bc76a61ab401448ba3c589492375f765c9dd517048db2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer