MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f45368b12c083d91a92fa5e629986e8f06b57970ce3718ea97514fc2eed0cf9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	f45368b12c083d91a92fa5e629986e8f06b57970ce3718ea97514fc2eed0cf9f
SHA3-384 hash:	78cbb7fdd5de3b7001372e96fffe225fb7ff3e7ad18213ee7fe24b0a8dc1c634647fb6b8a92047ae132c5b8132af5d35
SHA1 hash:	93c069362d05e82f9f273b8ce9a878ff85ec93bc
MD5 hash:	a1a42afb2f1c3bd8712afc75994dbf59
humanhash:	winner-muppet-pluto-charlie
File name:	a1a42afb2f1c3bd8712afc75994dbf59.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	623'104 bytes
First seen:	2021-08-05 18:43:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7d2c4701a9e00af48c63738cadcb0b55 (2 x RaccoonStealer, 1 x DanaBot, 1 x RedLineStealer)
ssdeep	12288:/lCjdB49pVPgGCXUiKZad6glSisBi4eqQOC0ELrFaEZe1W3OiP8DrxY/:/z9fPgGuhK86glBL4eq+0ELQAe1WeCWI
Threatray	581 similar samples on MalwareBazaar
TLSH	T1D3D402123640CC77F6607AB18D55C7B14A7BFC79D82A9A9B3B85534E2F212E29F31306
dhash icon	4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a1a42afb2f1c3bd8712afc75994dbf59.exe

Verdict:

Malicious activity

Analysis date:

2021-08-05 18:47:25 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/4aa2f39a-1844-4676-aff5-b43ee5134bf2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176817/

Detection(s):

Win.Dropper.Ursnif-9884016-0

Win.Dropper.Ursnif-9884041-0

Win.Dropper.Titirez-9884070-0

Win.Dropper.Titirez-9884078-0

Win.Packed.Filerepmalware-9884083-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Sending a UDP request

Creating a file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1d7b63f8-4b3d-4244-bf8c-ec15ff65d566

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/827642

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f45368b12c083d91a92fa5e629986e8f06b57970ce3718ea97514fc2eed0cf9f/

Threat name:

Win32.Trojan.MintTitirez

Status:

Malicious

First seen:

2021-08-05 18:44:08 UTC

AV detection:

19 of 27 (70.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6rjwrmjmba6zdkjpuxtctgdor4dlk6lqzy3rr2uxkfh4f3wqz6pq._file

Verdict:

malicious

RedLineStealer

7c0bada1ef977f7b158ffa9ba3f761ca3c0b2cd169730b7c7ba0344fa4e32ae9

RedLineStealer

9fb05ed05f0830bedc12c15e3432870a6751334ef5b18af9770b3ee4f0e9e037

RedLineStealer

a0c0c84c50b9cbb46063016dbfb74a83fb26a604a0bd5def3141b7bddd005818

RedLineStealer

af3f767e38f4115339fdd61f3f3b878a1335e2201eb5b88e041cb47b1d0a7f46

RedLineStealer

d17f19f350e918c1d6558606fb28b06361e772514a3b0428635c31e9b7e0b098

RedLineStealer

df28d049b131a8dec56e3bbfff4ca4b419a0a04a41af70b5fce5be80b10385a3

RedLineStealer

f1b072a4977439e50f66ceaa57528f53227d95fe762d0cd5250c45ed59e3ee9b

RedLineStealer

+ 571 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix 04.08 discovery infostealer spyware stealer suricata

Link:

https://tria.ge/reports/210805-z8j2tztwr2/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

Malware Config

C2 Extraction:

185.215.113.17:18597

Unpacked files

SH256 hash:

b3ba65424f7c39e87701dcac9047de407825528d09d236e66de2c25937ecf87d

MD5 hash:

9376b7133674bfb3e0350df0ad90eb76

SHA1 hash:

e191eef5acfeb42bd8431ad7ff7ecc9bedc6c250

Link:

https://www.unpac.me/results/6c8f8371-1385-4611-86d6-ffb17598eaf6/

SH256 hash:

f45368b12c083d91a92fa5e629986e8f06b57970ce3718ea97514fc2eed0cf9f

MD5 hash:

a1a42afb2f1c3bd8712afc75994dbf59

SHA1 hash:

93c069362d05e82f9f273b8ce9a878ff85ec93bc

Link:

https://www.unpac.me/results/6c8f8371-1385-4611-86d6-ffb17598eaf6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f45368b12c083d91a92fa5e629986e8f06b57970ce3718ea97514fc2eed0cf9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer