MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbc01794724376466ead908e7ffb86897788fa18361327418e8e4c98ed510164. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments 1

SHA256 hash:	bbc01794724376466ead908e7ffb86897788fa18361327418e8e4c98ed510164
SHA3-384 hash:	2d3b2ffc420e4b781e54407c2fce53734168da152e3fb220b1ab9c876455d8ecf2f9127a42ae7b796dafc81ed5c4ae21
SHA1 hash:	66a8e0848fd2b540fe93283c6c64d8eed1001d0b
MD5 hash:	ad755d05e481456303578e3a483792d7
humanhash:	wolfram-green-hot-august
File name:	ad755d05e481456303578e3a483792d7
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	708'096 bytes
First seen:	2021-10-09 16:23:59 UTC
Last seen:	2021-10-09 16:57:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d65c67dd6f4a95898a66b39f504dd200 (4 x RedLineStealer, 1 x CryptBot, 1 x RaccoonStealer)
ssdeep	12288:IQNKU7+Pyww2Eriz4u6v9dFN61q3k7zPB8SbeGkhdw8AFVcZMyCt:zKU7+P5w2ChvxN6nPBxeGkh5A8ZW
TLSH	T106E4E01066A0C034F6F725F448B98278A92E7EA15B2785CFD2E056EE56376E1ECF0313
File icon (PE):
dhash icon	9824e790e6e72158 (4 x RedLineStealer, 1 x Stop)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ad755d05e481456303578e3a483792d7

Verdict:

Malicious activity

Analysis date:

2021-10-09 16:24:52 UTC

Tags:

evasion opendir loader trojan rat redline

Link:

https://app.any.run/tasks/292a6919-08db-43cc-abbb-218773380e87

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/196331/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.13702.3359.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file in the Windows subdirectories

Deleting a recently created file

Creating a process from a recently created file

Launching a service

Using the Windows Management Instrumentation requests

Connection attempt to an infection source

Sending a TCP request to an infection source

Query of malicious DNS domain

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed stop

Link:

https://www.filescan.io/uploads/6161c224334ba92bd92348ac/reports/d987f242-e320-4cfb-aa74-d5ee5b18c436/overview

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/bbc01794724376466ead908e7ffb86897788fa18361327418e8e4c98ed510164/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-10-09 16:24:10 UTC

AV detection:

16 of 27 (59.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xpabpfdsin3em3vnschh764grf3yr6qygyjsoqmorzgjr3krafsa._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix09.10 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211009-twcr3sfcf4/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.15:57055

Unpacked files

SH256 hash:

fa8954a9f9fe500ca14d4a2513f5bfb85747a37f12f79dbadacd816edd38f0b4

MD5 hash:

51a2828187c40e2136382840a4f4a065

SHA1 hash:

dd88a0c54239446abc3ec9140a27c48029ad362d

Link:

https://www.unpac.me/results/db220f30-9d65-4f66-82a3-9a182184e20e/

SH256 hash:

bbc01794724376466ead908e7ffb86897788fa18361327418e8e4c98ed510164

MD5 hash:

ad755d05e481456303578e3a483792d7

SHA1 hash:

66a8e0848fd2b540fe93283c6c64d8eed1001d0b

Link:

https://www.unpac.me/results/db220f30-9d65-4f66-82a3-9a182184e20e/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/bbc017947243/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bbc01794724376466ead908e7ffb86897788fa18361327418e8e4c98ed510164

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer