MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd6a0c050b89a0517a5e36e60facb074a13f76571f1e17f037ece228e4805205. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	dd6a0c050b89a0517a5e36e60facb074a13f76571f1e17f037ece228e4805205
SHA3-384 hash:	911ef18efb5e408856b0bb6d2720e12d804ac40dbd179ab9c736bfabc9cfdd5d9f5277d7335fd81491c986482367f9b9
SHA1 hash:	6a9ca82887573a6acf3061b368a3aed227bd7556
MD5 hash:	c3e646b19e8d5bb0eea327276994c75a
humanhash:	sodium-moon-happy-carpet
File name:	c3e646b19e8d5bb0eea327276994c75a.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	688'640 bytes
First seen:	2022-02-19 15:56:42 UTC
Last seen:	2022-02-19 17:51:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2c3d21882f5ca8acb29bf5dc0942efbd (2 x ArkeiStealer, 2 x RedLineStealer)
ssdeep	12288:YauQXhHv2Nv8S1VOIWKK/JFFxzYTfF6g1ByBgQllz9nv1:YhQ0Nv117WKMF3zgFv1ByBggxv1
TLSH	T161E402117595CC36E1B24F741921C3F50BFBB8A59828A786FF84AF1E6F323D19A61306
File icon (PE):
dhash icon	81bcdcac9c8cb48c (3 x RaccoonStealer, 1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/242677/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.1545.22149.26743.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6682/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62111350a2660f3bb9077ee9/reports/7a6d9d77-165b-457f-a001-6eda3a6294ae/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

FickerStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6006115b-6adb-4747-805c-b9a53395872e

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/942637

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample or dropped binary is a compiled AutoHotkey binary

Yara detected Autohotkey Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dd6a0c050b89a0517a5e36e60facb074a13f76571f1e17f037ece228e4805205/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-19 15:57:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3vvaybilrgqfc6s6g3ta7lfqosqt65sxd4pbp4bx5trcrzeakicq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/220219-tdxpjabedm/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Drops file in Windows directory

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Unpacked files

SH256 hash:

86cec2665ff431668f274fecddf883fb5b532c06ee1a495ce60d5fbbb90c3a33

MD5 hash:

f7246b8631cad60d643fe3625a823397

SHA1 hash:

3aabf69029480970b338bb37a511d307aaf40c79

Link:

https://www.unpac.me/results/4966f10b-96d6-4b6a-b498-a7206281b8ed/

SH256 hash:

dd6a0c050b89a0517a5e36e60facb074a13f76571f1e17f037ece228e4805205

MD5 hash:

c3e646b19e8d5bb0eea327276994c75a

SHA1 hash:

6a9ca82887573a6acf3061b368a3aed227bd7556

Link:

https://www.unpac.me/results/4966f10b-96d6-4b6a-b498-a7206281b8ed/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd6a0c050b89a0517a5e36e60facb074a13f76571f1e17f037ece228e4805205

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers