MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdfae3451c12f795220273c0bd12c8eca0255ee08cfa1ac0caf62d2ac2ff8447. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	bdfae3451c12f795220273c0bd12c8eca0255ee08cfa1ac0caf62d2ac2ff8447
SHA3-384 hash:	29812700e50c8a65f256b06b834ada0843ee88e9114a31a03b5b60e2f292b928d4006be3287a60a6488918fec01e1ad9
SHA1 hash:	86cdcb27f420699d2825174d2415ed54d6b6ee4a
MD5 hash:	5d64b51cb684335cd6032c38b5d4c2d1
humanhash:	mississippi-blue-nebraska-sierra
File name:	5d64b51cb684335cd6032c38b5d4c2d1.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	722'944 bytes
First seen:	2021-05-26 06:02:47 UTC
Last seen:	2021-05-26 07:07:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	23a77f1d99ca6e5aff045e04254be800 (4 x RaccoonStealer, 1 x RedLineStealer, 1 x DanaBot)
ssdeep	12288:VZQ6T4QIFlgX8iVEdOjE42SKuzhrYwAG9ciFdr50S6Z3JcrbvGzXeCYF:c6SeKAJfKuzhrYwACckv0hZ3oXF
Threatray	2'080 similar samples on MalwareBazaar
TLSH	DAF4E12076A1C834F0F315B445B6D2B4A43ABDB1EB3650CF62D42AEE76385E4AC31787
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5d64b51cb684335cd6032c38b5d4c2d1.exe

Verdict:

Malicious activity

Analysis date:

2021-05-26 06:26:12 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/0f2df647-7f3f-48e9-b9ec-6b88b7e38aaa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/162222/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46361117.3681.3005.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

Searching for the window

Creating a window

DNS request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending an HTTP GET request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/792260

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Detected unpacking (overwrites its own PE header)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Sample or dropped binary is a compiled AutoHotkey binary

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bdfae3451c12f795220273c0bd12c8eca0255ee08cfa1ac0caf62d2ac2ff8447/

Threat name:

Win32.Spyware.Convagent

Status:

Malicious

First seen:

2021-05-26 00:47:50 UTC

AV detection:

14 of 29 (48.28%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xx5ogri4cl3zkiqcopal2ewi5sqckxxart5bvqgk6ywsvqx7qrdq._file

Verdict:

malicious

RedLineStealer

82b71a1fc1c575129b572ee2ec5f20e7008e373400b8f0ada298e073fe3d5112

RedLineStealer

8c085bb6591e5d7b0846eda3d7758a1c882be7f5bfb35210c831dc52848c6fa9

RedLineStealer

a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b

RedLineStealer

aa85a5081ef2ce80f679434d5b50856898f0fa1bdb29a07876bc6ac23aee6773

RedLineStealer

bd7c41dee6aba2b2d13e5ae39169242ed463a43366eec28a438f74db717d15f4

RedLineStealer

c06a0e78bbdb7eb777ee46932da052fc2bc4efc2987e63bad29d2177cdcb7cb4

RedLineStealer

d00184f7ae894b5bfd832771e9a920f9c399ba785e9a2f89382d499ec32e54a2

RedLineStealer

f3ed4402ee977b3d921bfd3432eaa62bf713fbb4407fcbdd5ccf8b8d89856d78

RedLineStealer

fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172

RedLineStealer

+ 2'070 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 25.05 infostealer

Link:

https://tria.ge/reports/210526-f9xlegkh6n/

Behaviour

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

xisolenoy.xyz:80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bdfae3451c12f795220273c0bd12c8eca0255ee08cfa1ac0caf62d2ac2ff8447

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer