MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2f9b93e95bc24840c0c007b8bad70f7b982af8f67c83430a2d0a54e84be83a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	d2f9b93e95bc24840c0c007b8bad70f7b982af8f67c83430a2d0a54e84be83a1
SHA3-384 hash:	62627882c5a8b0c712fd0bd2d2d25e50ef0e059b8d9c5420129260655e3bc7140e0b4bb8e619bf2a99b98b232dc57b92
SHA1 hash:	dc638b58ef7b4cd96deee432adee3d83cdc8adad
MD5 hash:	fa21cdbd9e28b398840ffa909f366c09
humanhash:	charlie-ten-pizza-maine
File name:	fa21cdbd9e28b398840ffa909f366c09.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	578'560 bytes
First seen:	2021-09-15 15:54:06 UTC
Last seen:	2021-09-15 17:22:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8291759aef0e46c8057b5d52bd12239f (3 x ArkeiStealer, 3 x RedLineStealer, 1 x RaccoonStealer)
ssdeep	12288:c9uy70UW+aPAHKRfi2I6E7nQtMQn98ETM/TyUCSuL:ByB0AqR6QETQtLnJTCHC5
Threatray	722 similar samples on MalwareBazaar
TLSH	T12BC412353590C870C99B1934C979D7A06F3BBC2615AC91CBBB752B6E6F303A12E36319
dhash icon	b8b078cccacccc01 (6 x RaccoonStealer, 4 x RedLineStealer, 3 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fa21cdbd9e28b398840ffa909f366c09.exe

Verdict:

Malicious activity

Analysis date:

2021-09-15 16:01:35 UTC

Tags:

installer evasion opendir trojan rat redline loader stealer

Link:

https://app.any.run/tasks/9da0ad6d-2ef4-4f7f-a386-99d22912bb28

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/188241/

Detection(s):

SecuriteInfo.com.Variant.Babar.28598.13358.14600.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request to an infection source

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Launching a process

Creating a file in the Windows subdirectories

Deleting a recently created file

Forced system process termination

Launching a service

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61751c48a9d585e6d5370ff0/reports/582ff5df-3669-41ad-968d-780ae91e8602/overview

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6cee105-9bd3-4d2a-8a20-2d591e292738

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/851563

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d2f9b93e95bc24840c0c007b8bad70f7b982af8f67c83430a2d0a54e84be83a1/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-15 15:54:15 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2l43spuvxqsiidamab5yxllq664yfl4pm7edimfc2csu5bf6qoqq._file

Verdict:

malicious

RedLineStealer

2c542bafda9ae4a432772c615cdb5cbe12446574755adbab577fc34ab330c368

RedLineStealer

571b3f0b4685473b424f7fb3b67344cd1441930fa7f966e3a4cd41875fde8de3

RedLineStealer

5bddc130613ede4832dd4251843b168282b71c4eedfdb1772fd83bf08979ed32

RedLineStealer

c3ffdf4610bd08751b16fd31959ab8b1b2ba312a80e556a15ecdb22b9332c20e

RedLineStealer

e8cb78d559909b23edb3a7f7c62cc9028444cc932773a873ab3f10be4f3449a5

RedLineStealer

+ 712 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:15.09 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210915-tb9ajseabm/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:48236

Unpacked files

SH256 hash:

5a056314ead75c8d10137bc23e09f64c8ad21ba621b8dade700ddf07decaf2de

MD5 hash:

4368f6919a0dc5bcd49e1769f6fdd512

SHA1 hash:

8c2ab9ff100159ac4c2ad8b790a0cc997e3b5905

Link:

https://www.unpac.me/results/c8a0ddb3-09f7-4e8f-afbf-f829237b71b4/

SH256 hash:

d2f9b93e95bc24840c0c007b8bad70f7b982af8f67c83430a2d0a54e84be83a1

MD5 hash:

fa21cdbd9e28b398840ffa909f366c09

SHA1 hash:

dc638b58ef7b4cd96deee432adee3d83cdc8adad

Link:

https://www.unpac.me/results/c8a0ddb3-09f7-4e8f-afbf-f829237b71b4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d2f9b93e95bc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2f9b93e95bc24840c0c007b8bad70f7b982af8f67c83430a2d0a54e84be83a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer