MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1b3889d5188f03e432c1a423e1df600bccfc706351078e0d70adcf28056f956. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	a1b3889d5188f03e432c1a423e1df600bccfc706351078e0d70adcf28056f956
SHA3-384 hash:	9cd564bd677579eef664a2c2ea0dc7f6e2f88de260b4343f715171a9f221918f2d5b7d840d91b05bacce25740dfc4bca
SHA1 hash:	d6ce02c821960b6bf596b1e59b14e87f20bc9537
MD5 hash:	1ebf2aa3579c344a377d33b54fb99545
humanhash:	bacon-twelve-avocado-mike
File name:	1ebf2aa3579c344a377d33b54fb99545.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	631'296 bytes
First seen:	2021-08-09 18:44:16 UTC
Last seen:	2021-08-09 20:00:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9d007788623d69514f22ced610d164ef (3 x RedLineStealer, 2 x RaccoonStealer, 1 x Smoke Loader)
ssdeep	12288:baELbH9HU7HmkjEdxNyMmcuVf4WzC55JW:ba4bq7GE2EMmcuVNzmJW
Threatray	672 similar samples on MalwareBazaar
TLSH	T157D402713A40FD72E9AB0530359E97D1FB2ABC105B62020727543F6D5E3F7922B2A3A5
dhash icon	10367c7872767e36 (3 x RedLineStealer, 1 x Heodo, 1 x Loki)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1ebf2aa3579c344a377d33b54fb99545.exe

Verdict:

Malicious activity

Analysis date:

2021-08-09 18:45:09 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/f9703a42-6d2e-4f40-9807-4a24e8638f2c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/177743/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.8036.32317.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2301f3fa-67f3-4d16-ac95-64c0deecf028

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre.troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/829578

Signature

Antivirus detection for URL or domain

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample or dropped binary is a compiled AutoHotkey binary

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1b3889d5188f03e432c1a423e1df600bccfc706351078e0d70adcf28056f956/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-09 18:45:08 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

unknown

RedLineStealer

3842802e7361274e141d7b500af86e3835472e3cae874bb9e36a5c5d6216e330

RedLineStealer

4319f1c762d767ad43a05956036dce2dc6588f8a356f35103ec80fdf7b19105c

RedLineStealer

775a8a9950d455ac43d21fe1038119e46b942deab354a68447e035086668b899

RedLineStealer

96a1db9bd739ffcc097a408fee67929b677a74f889876ab90bc8643e555e8e98

RedLineStealer

9cefdffb73daf4a060fd9b44803eec6795db46ed96d49e1c6cb34e4224979321

RedLineStealer

b00dc3b0fb77b5893417308a832cfaabd7440230a1800807444af33f0475b005

RedLineStealer

b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a

RedLineStealer

ce113b28e0dcd742e696907a708883af3a9450edcbf34925578bffd5825e7a14

RedLineStealer

ecfdae094a54934410a15735998ff611d5b5a6bffc93d969c6a1acc3735cd73c

RedLineStealer

+ 662 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210809-cdvltqjywe/

Behaviour

Checks processor information in registry

Legitimate hosting services abused for malware hosting/C2

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Unpacked files

SH256 hash:

b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d

MD5 hash:

9376b7133674bfb3e0350df0ad90eb76

SHA1 hash:

e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250

Link:

https://www.unpac.me/results/59a9ab50-3b66-499d-be00-d37f1b8af869/

SH256 hash:

a1b3889d5188f03e432c1a423e1df600bccfc706351078e0d70adcf28056f956

MD5 hash:

1ebf2aa3579c344a377d33b54fb99545

SHA1 hash:

d6ce02c821960b6bf596b1e59b14e87f20bc9537

Link:

https://www.unpac.me/results/59a9ab50-3b66-499d-be00-d37f1b8af869/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a1b3889d5188f03e432c1a423e1df600bccfc706351078e0d70adcf28056f956

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer