MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1659a495f138b63f88811224783a82f96af6f37e6b3df0a8aa771e946a26a7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 3 File information Comments

SHA256 hash:	c1659a495f138b63f88811224783a82f96af6f37e6b3df0a8aa771e946a26a7d
SHA3-384 hash:	a938d8f577f24de1651e368f275d194683781b696b8704adf7e22e733c29d5b9a8418e9618dc133d294c608fecdd2eea
SHA1 hash:	40f3a3c88ad85d793d729a782a333a51e597f784
MD5 hash:	454c19e2bb2b52b74fce8a789e827309
humanhash:	stairway-ack-triple-fish
File name:	454c19e2bb2b52b74fce8a789e827309.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	660'480 bytes
First seen:	2021-08-21 06:31:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ad1c5bf15a899fcfef408e3485448e67 (11 x RedLineStealer, 2 x StealthWorker, 2 x Smoke Loader)
ssdeep	12288:l5K3Skk1D7LtU6sNtefo9m1mWid96KgxsDiXwl1cvIDblDfgL8JIsnS3mn:Qk1D7Nfo81mWibb+scg3ZLZIF3mn
Threatray	623 similar samples on MalwareBazaar
TLSH	T15DE4F120B5A0D134E4F322F558BDE3AC69297DB06B2450CB73D62ADE96371E4DC7068B
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
31.44.3.73:60798

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
31.44.3.73:60798	https://threatfox.abuse.ch/ioc/192541/

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

454c19e2bb2b52b74fce8a789e827309.exe

Verdict:

Malicious activity

Analysis date:

2021-08-21 06:34:23 UTC

Tags:

evasion opendir loader trojan rat redline stealer

Link:

https://app.any.run/tasks/f20212da-ffc9-4eaf-99e4-bbb31b5c1970

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLineDropperAHK

Link:

https://www.capesandbox.com/analysis/181059/

Detection(s):

Win.Packed.Fragtor-9887574-0

Win.Dropper.Brook-9887577-0

Win.Packed.Generic-9887598-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending a UDP request

Sending an HTTP POST request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7ed32ec7-ac34-4639-ac83-ef3abc774822

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/836751

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1659a495f138b63f88811224783a82f96af6f37e6b3df0a8aa771e946a26a7d/

Threat name:

Win32.Trojan.Brook

Status:

Malicious

First seen:

2021-08-21 06:32:07 UTC

AV detection:

19 of 46 (41.30%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yfszusk7cofwh6eicerepa5if6lk63zx42z56cuku5y6srvcnj6q._file

Verdict:

malicious

RedLineStealer

321df14ebddd1db4c4e91180ba3640dbb9e4a01b53244c6d176faeed6a62e6e9

RedLineStealer

3411ffa29608d19dc77f53571010425fc94abd5dac92d6c2abffab6eb468c0ea

RedLineStealer

5342ae888cfa86f63f7fc07cfc613871e323106764d2b5c495aa1946800e49bd

RedLineStealer

57016c84e1c008db532f1c977fe608a767cdfc4a19f8619cbfdd82fe82a2aeae

RedLineStealer

7341c40c1693ae8350ec3eb83cce1d9e0744340b3dde2241e146b410f54c191b

RedLineStealer

90823e9bf099b873263241a2a7c3435b85fe6480ecb4fff4da9563ba95e7b31e

RedLineStealer

c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72

RedLineStealer

ebed275eba9f8eddb2242c93732b7a213ede149bd79a792de9d6f8dda6d7f3a3

RedLineStealer

ed3f452a9fed41f5d3dfb528d6c05a53298b559775eeec46eda50ad42a714b28

RedLineStealer

+ 613 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:21.09 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210821-s2lbpyssms/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

31.44.3.73:60798

Unpacked files

SH256 hash:

18088a14c9c8f034cc88b312212aba30fc3c2b8390baa63a3735777101ba70cd

MD5 hash:

7b652e7ae62d486faf745287d4b4cdb2

SHA1 hash:

0bf34e685b9677c355c5f40cc940608625c4c53f

Link:

https://www.unpac.me/results/723937b7-edb4-4ea3-8543-e37cb8528fca/

SH256 hash:

c1659a495f138b63f88811224783a82f96af6f37e6b3df0a8aa771e946a26a7d

MD5 hash:

454c19e2bb2b52b74fce8a789e827309

SHA1 hash:

40f3a3c88ad85d793d729a782a333a51e597f784

Link:

https://www.unpac.me/results/723937b7-edb4-4ea3-8543-e37cb8528fca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c1659a495f138b63f88811224783a82f96af6f37e6b3df0a8aa771e946a26a7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer