MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8
SHA3-384 hash: f823889bf36c533d51f87c1648eaad0be04cd2edc052ac2f8d24fa2c54e9ef74d3b3790f41799fbb21e474ca3e1c0918
SHA1 hash: 0dc2116d5634664f18f9530df0e68a7f4b93117c
MD5 hash: 1d012b9de099f3ade1c70ac9d084067c
humanhash: romeo-eight-bluebird-alpha
File name:1d012b9de099f3ade1c70ac9d084067c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'359'491 bytes
First seen:2023-06-28 16:25:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:2TbBv5rUyXVmlh6Bb024jC8TEa/oWV/XkM1KLtDW5C21dWTHknaW:IBJmloBo5jN/3/UMQLtDW4oW7KR
Threatray 38 similar samples on MalwareBazaar
TLSH T1175522427DD1A8B2D53308365A341721A83DBE306FB9CEDF63D46A5EDA215C1DA307B2
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.216.249.153:15251

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
1d012b9de099f3ade1c70ac9d084067c.exe
Verdict:
Malicious activity
Analysis date:
2023-06-28 16:26:03 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/616439db-7ed0-4e53-8277-66a62642f16e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/403606/
Detection(s):
Win.Dropper.Nanocore-10001520-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/94002/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
anti-vm cmd greyware lolbin overlay packed replace setupapi shdocvw shell32
Link:
https://www.filescan.io/uploads/649c5f1c2aeaabaa7b7784db/reports/177128b1-7766-47b3-ac50-1acf0d8819a9/overview
Verdict:
Malicious
Labled as:
BScope.Trojan.VBS
Link:
https://www.hybrid-analysis.com/sample/acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3214121b-4d1c-49e4-a8ac-33020938a7e4
Result
Threat name:
MinerDownloader, RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1262820
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 895850 Sample: TN415iSuib.exe Startdate: 28/06/2023 Architecture: WINDOWS Score: 100 77 Snort IDS alert for network traffic 2->77 79 Multi AV Scanner detection for domain / URL 2->79 81 Found malware configuration 2->81 83 10 other signatures 2->83 11 TN415iSuib.exe 11 2->11         started        process3 dnsIp4 75 192.168.2.1 unknown unknown 11->75 65 C:\Users\user\AppData\Local\...\hozxq9.exe, PE32 11->65 dropped 67 C:\Users\user\AppData\...\9oce7uo13ciazk.exe, PE32 11->67 dropped 15 cmd.exe 1 11->15         started        file5 process6 signatures7 107 Encrypted powershell cmdline option found 15->107 109 Uses schtasks.exe or at.exe to add and modify task schedules 15->109 18 9oce7uo13ciazk.exe 1 15->18         started        21 hozxq9.exe 1 15->21         started        23 conhost.exe 15->23         started        25 cmd.exe 1 15->25         started        process8 signatures9 85 Machine Learning detection for dropped file 18->85 87 Writes to foreign memory regions 18->87 89 Allocates memory in foreign processes 18->89 27 AppLaunch.exe 1 18->27         started        30 WerFault.exe 23 9 18->30         started        91 Injects a PE file into a foreign processes 21->91 32 AppLaunch.exe 5 21->32         started        35 WerFault.exe 21->35         started        process10 dnsIp11 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->95 97 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->97 99 Injects a PE file into a foreign processes 27->99 37 AppLaunch.exe 27->37         started        42 conhost.exe 27->42         started        69 95.216.249.153, 15251, 49731 HETZNER-ASDE Germany 32->69 101 Tries to harvest and steal browser information (history, passwords, etc) 32->101 103 Tries to steal Crypto Currency Wallets 32->103 signatures12 process13 dnsIp14 71 github.com 140.82.121.4, 443, 49728, 49729 GITHUBUS United States 37->71 73 pastebin.com 172.67.34.170, 443, 49727 CLOUDFLARENETUS United States 37->73 63 C:\ProgramData\HostData\logs.uce, ASCII 37->63 dropped 93 Sample is not signed and drops a device driver 37->93 44 cmd.exe 37->44         started        47 cmd.exe 37->47         started        49 cmd.exe 37->49         started        file15 signatures16 process17 signatures18 105 Encrypted powershell cmdline option found 44->105 51 conhost.exe 44->51         started        53 powershell.exe 44->53         started        55 conhost.exe 47->55         started        57 schtasks.exe 47->57         started        59 conhost.exe 49->59         started        61 schtasks.exe 49->61         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-06-28 16:26:06 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsvia6tpxldveeswcfxvglifpik7bny5xbu3enkxnxpwe4sbldua._file
Verdict:
malicious
Similar samples:
274dfd3f3ff0da31cb2163147a83b9fa22bc73b271f15f13e0d8c40ed6ab7ed6
RedLineStealer
6df58f4dde905b78e0ce80d0bb41792004f9ac39efec4acbfb4f54c342ac6dcb
RedLineStealer
6f17df45dd876aaedc0551c4acd7f22d26195fecff94c86aa38f68a823e4ed1b
RedLineStealer
be9699ddb8ef8ff9e1fffc01543472334e84ace9eade7a09d8a011ff597e1eb9
RedLineStealer
d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687
RedLineStealer
dcbc00932f5016baaa92523df27c27a836f674381bb8a392f4f58781a483adbc
RedLineStealer
fc32960a5086c544352213357c9282a408bda484da273e5148b4018826e8459f
RedLineStealer
+ 28 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:2met infostealer spyware
Link:
https://tria.ge/reports/230628-txhpqaac77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
95.216.249.153:15251
Unpacked files
SH256 hash:
5ef7ff8bbe2b2a4cdd065c4c4e523636c3d1d737c9788832dd596055dc213264
MD5 hash:
ab7a2f384f47d2794f0905681e3a378e
SHA1 hash:
8fad67fd768086ed3feb0ed968e90ac28bd323d9
Detections:
redline
Create hunting rule
redline
Create hunting rule
redline
Create hunting rule
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
Parent samples :
acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8
75ae798473d4f1a4025f1a07e44fa307a0a317903a42b7e93a9a63b543efa255
SH256 hash:
138ca7e3988b6905e61540393f83b55d223c7ce683cccef0b9f937a7d325590b
MD5 hash:
c92bcbaec07a267353bda2be8b4dd79c
SHA1 hash:
2e415dde30e37023e05e778b302abd63e0ffc80a
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
SH256 hash:
795a55bb510edaf5f74b8f4dc836ed5d6a747af3ee3e2b099216f61bdf6bb8a8
MD5 hash:
de1c3b204a2f6770629c34b272a74ab2
SHA1 hash:
818d5bc208fad2e51135bf8baab48386c499e520
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
SH256 hash:
5ef7ff8bbe2b2a4cdd065c4c4e523636c3d1d737c9788832dd596055dc213264
MD5 hash:
ab7a2f384f47d2794f0905681e3a378e
SHA1 hash:
8fad67fd768086ed3feb0ed968e90ac28bd323d9
Detections:
redline
Create hunting rule
redline
Create hunting rule
redline
Create hunting rule
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
Parent samples :
acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8
75ae798473d4f1a4025f1a07e44fa307a0a317903a42b7e93a9a63b543efa255
SH256 hash:
5ef7ff8bbe2b2a4cdd065c4c4e523636c3d1d737c9788832dd596055dc213264
MD5 hash:
ab7a2f384f47d2794f0905681e3a378e
SHA1 hash:
8fad67fd768086ed3feb0ed968e90ac28bd323d9
Detections:
redline
Create hunting rule
redline
Create hunting rule
redline
Create hunting rule
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
Parent samples :
acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8
75ae798473d4f1a4025f1a07e44fa307a0a317903a42b7e93a9a63b543efa255
SH256 hash:
138ca7e3988b6905e61540393f83b55d223c7ce683cccef0b9f937a7d325590b
MD5 hash:
c92bcbaec07a267353bda2be8b4dd79c
SHA1 hash:
2e415dde30e37023e05e778b302abd63e0ffc80a
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
SH256 hash:
138ca7e3988b6905e61540393f83b55d223c7ce683cccef0b9f937a7d325590b
MD5 hash:
c92bcbaec07a267353bda2be8b4dd79c
SHA1 hash:
2e415dde30e37023e05e778b302abd63e0ffc80a
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
SH256 hash:
795a55bb510edaf5f74b8f4dc836ed5d6a747af3ee3e2b099216f61bdf6bb8a8
MD5 hash:
de1c3b204a2f6770629c34b272a74ab2
SHA1 hash:
818d5bc208fad2e51135bf8baab48386c499e520
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
SH256 hash:
795a55bb510edaf5f74b8f4dc836ed5d6a747af3ee3e2b099216f61bdf6bb8a8
MD5 hash:
de1c3b204a2f6770629c34b272a74ab2
SHA1 hash:
818d5bc208fad2e51135bf8baab48386c499e520
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
SH256 hash:
acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8
MD5 hash:
1d012b9de099f3ade1c70ac9d084067c
SHA1 hash:
0dc2116d5634664f18f9530df0e68a7f4b93117c
Link:
https://www.unpac.me/results/5985709e-6651-488e-86ff-830170ff6e41/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/acaa807a6fba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/403606/

Comments