MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1aecbd4a04e57f71d4f4ad42f54ccc36e01ae91051ef0ccc254534977f3e762. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 3 File information Comments

SHA256 hash:	b1aecbd4a04e57f71d4f4ad42f54ccc36e01ae91051ef0ccc254534977f3e762
SHA3-384 hash:	e569580faf97cdfec0e30ea2b46d40f1be7bd2d97915dc75ed37e5f483038c3cea9e676d3acb3fdd5b7bc0d0e6ac0854
SHA1 hash:	fe3ecab7afb29f56c4ce5d05fa63ca9ddccc3289
MD5 hash:	e455f89ab212f639a54a37c7c645d251
humanhash:	foxtrot-red-lemon-mississippi
File name:	e455f89ab212f639a54a37c7c645d251.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	559'616 bytes
First seen:	2021-09-25 21:46:04 UTC
Last seen:	2021-09-25 23:10:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4243f00363439be8c6e25a231537571b (23 x RedLineStealer, 5 x RaccoonStealer, 2 x CoinMiner)
ssdeep	12288:azHmT5Htg61U1zO0YoRnvqH57SZIgnT0Rg0T1FuaPSQQ:ajA1y61UE0NRI9KhT0l1PKQQ
Threatray	746 similar samples on MalwareBazaar
TLSH	T10CC4123576B1C972F7E631314A6AD2A0322AFC765D378106F10C136E5E232956EF731A
File icon (PE):
dhash icon	fcfcd4f4d4d4d8c0 (23 x RedLineStealer, 21 x RaccoonStealer, 6 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.15:6043

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.15:6043	https://threatfox.abuse.ch/ioc/226451/

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e455f89ab212f639a54a37c7c645d251.exe

Verdict:

Malicious activity

Analysis date:

2021-09-25 21:46:34 UTC

Tags:

evasion opendir loader trojan rat redline stealer

Link:

https://app.any.run/tasks/1fc87b2c-a45d-45bf-85f7-29efa6eeb3e0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/191616/

Detection(s):

SecuriteInfo.com.Packed-GDTE455F89AB212.9571.10344.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file in the Windows subdirectories

Deleting a recently created file

Creating a process from a recently created file

Launching a service

Using the Windows Management Instrumentation requests

Connection attempt to an infection source

Sending a TCP request to an infection source

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fe4cac26-553b-4809-a0bb-57bb7d831408

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/858167

Signature

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1aecbd4a04e57f71d4f4ad42f54ccc36e01ae91051ef0ccc254534977f3e762/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-09-25 21:46:10 UTC

AV detection:

21 of 45 (46.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wgxmxvfajzl7ohkpjlkc6vgmynxadlurauppbtgckrjus57t45ra._file

Verdict:

malicious

RedLineStealer

3411ffa29608d19dc77f53571010425fc94abd5dac92d6c2abffab6eb468c0ea

RedLineStealer

7872580d5105bd09cf386f9713b28854711d356fae34118bd855a9a694da4f1e

RedLineStealer

811b982a5a257a2a9acd46bbf0f68a166470726017e60bb752410ece2cf01ef5

RedLineStealer

85319a895ef7414542ec5644cee12c52caf913c875498fc4764ae25e5861b9b3

RedLineStealer

a4260ab00a78d568cc36ad8a43cff5633bfd365e34d2378ccc11f42a56067f76

RedLineStealer

ae81c091b4bdee9fe4c7708f7cfeccb0273aa51346aad7318061388a5ca3ee3d

RedLineStealer

c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72

RedLineStealer

ebed275eba9f8eddb2242c93732b7a213ede149bd79a792de9d6f8dda6d7f3a3

RedLineStealer

f3ed4402ee977b3d921bfd3432eaa62bf713fbb4407fcbdd5ccf8b8d89856d78

RedLineStealer

+ 736 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix26.09 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210925-1mnasadhh8/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.15:6043

Unpacked files

SH256 hash:

2bbeecfa8ee3a33b653e73f2a143b36945013635a74e04729a2d32246382f958

MD5 hash:

4799d84cc8575635168d024baf104a8b

SHA1 hash:

6f920803dd8839fffe1c16dc78f1bddf02cd518e

Link:

https://www.unpac.me/results/0fd8c6b7-011e-4003-aef4-6762a05a0804/

SH256 hash:

b1aecbd4a04e57f71d4f4ad42f54ccc36e01ae91051ef0ccc254534977f3e762

MD5 hash:

e455f89ab212f639a54a37c7c645d251

SHA1 hash:

fe3ecab7afb29f56c4ce5d05fa63ca9ddccc3289

Link:

https://www.unpac.me/results/0fd8c6b7-011e-4003-aef4-6762a05a0804/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1aecbd4a04e57f71d4f4ad42f54ccc36e01ae91051ef0ccc254534977f3e762

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer