MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea9decc8f9ee3cb178f1536382263d969a0e3bcbefe3103cf3c901c11344fc72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea9decc8f9ee3cb178f1536382263d969a0e3bcbefe3103cf3c901c11344fc72
SHA3-384 hash: 1ae86891dcd058abdbe0387a8b4d8499392d350eee205a6dcba30aa2e73a0b61d78564b0861cac9c9481b13e689c6b1c
SHA1 hash: 207c586b0fe37addb0ad3706bb500470bee0608b
MD5 hash: b72a29ce0a458569568d3740452dda3d
humanhash: sixteen-queen-fillet-cat
File name:b72a29ce0a458569568d3740452dda3d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:624'128 bytes
First seen:2021-08-10 07:40:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97856e36aca27ff13ae687d21f9f6f5c (2 x CryptBot, 2 x Smoke Loader, 2 x RedLineStealer)
ssdeep 12288:dt2SjstJEy9ftjsD12ooCdFfkQqU7zAfDtYsD/pN7C5s:dt2kKJH9flsDRoCbkZfJY8L7L
Threatray 610 similar samples on MalwareBazaar
TLSH T1CFD402B17680F531E4A30530745E86A9FBB6BC10AB60424732497E6F5D337E12B793AE
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b72a29ce0a458569568d3740452dda3d.exe
Verdict:
Malicious activity
Analysis date:
2021-08-10 07:43:36 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/14238834-d938-4d32-9b04-9c1286d4df0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLineDropperAHK
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177838/
Detection(s):
Win.Dropper.Upatre-9884831-0
Create hunting rule

Win.Packed.Generic-9884888-0
Create hunting rule

Win.Malware.Generic-9884893-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82f214b5-65c5-402b-9db0-1b8e6d47ec87
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/829971
Signature
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Yara detected Autohotkey Downloader Generic
Yara detected Evader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea9decc8f9ee3cb178f1536382263d969a0e3bcbefe3103cf3c901c11344fc72/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 01:12:49 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ko6zshz5y6lc6hrknryejr5s2na4o6l57rraphtzea4ce2e7rza._file
Verdict:
unknown
Similar samples:
1f5769978c515cbb35c0eb43892f54156119193165c6b9002da490a237ffccd6
RedLineStealer
5fc0c8bf9bac4e9321fee7fcf2f0fb6dadaeedc8d5ba6432961654f92fe5e58c
RedLineStealer
9cefdffb73daf4a060fd9b44803eec6795db46ed96d49e1c6cb34e4224979321
RedLineStealer
a1b3889d5188f03e432c1a423e1df600bccfc706351078e0d70adcf28056f956
RedLineStealer
a26803d8e53b6a759a71245e8b973ac9c8eaf9ebfe7356d7e4b4cd5e03bb5414
RedLineStealer
b00dc3b0fb77b5893417308a832cfaabd7440230a1800807444af33f0475b005
RedLineStealer
b3797279a41ef85e569ad1008788c9b53213e3f326ee2b39bdd0b81465a5046a
RedLineStealer
ce113b28e0dcd742e696907a708883af3a9450edcbf34925578bffd5825e7a14
RedLineStealer
d87caaaf87e2d97b1b336a0c1bb01369da3d27bca6495efa4c20966880bf12c1
RedLineStealer
ecfdae094a54934410a15735998ff611d5b5a6bffc93d969c6a1acc3735cd73c
RedLineStealer
+ 600 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210810-s1fv27hj6n/
Behaviour
Checks processor information in registry
Legitimate hosting services abused for malware hosting/C2
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
Unpacked files
SH256 hash:
b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d
MD5 hash:
9376b7133674bfb3e0350df0ad90eb76
SHA1 hash:
e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250
Link:
https://www.unpac.me/results/ea42844b-8b4e-47c9-8b58-755bae7e8567/
SH256 hash:
ea9decc8f9ee3cb178f1536382263d969a0e3bcbefe3103cf3c901c11344fc72
MD5 hash:
b72a29ce0a458569568d3740452dda3d
SHA1 hash:
207c586b0fe37addb0ad3706bb500470bee0608b
Link:
https://www.unpac.me/results/ea42844b-8b4e-47c9-8b58-755bae7e8567/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea9decc8f9ee3cb178f1536382263d969a0e3bcbefe3103cf3c901c11344fc72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_AHK_Downloader
Create hunting rule
Author:ditekSHen
Description:Detects AutoHotKey binaries acting as second stage droppers
Rule name:MALWARE_Win_RedLineDropperAHK
Create hunting rule
Author:ditekSHen
Description:Detects AutoIt/AutoHotKey executables dropping RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ea9decc8f9ee3cb178f1536382263d969a0e3bcbefe3103cf3c901c11344fc72

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1502258/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/177838/

Comments