MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd1950809cc08c90a09af1289b6107d2f86f4873eca54d2ef2baf3a0590a5491. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	fd1950809cc08c90a09af1289b6107d2f86f4873eca54d2ef2baf3a0590a5491
SHA3-384 hash:	69e182587e7a4aa41ca102e9eb14facaa3d6687f29134d7ce23ac1d4484415afe15841ec81d93c6f8b1d45a4f4bd50ed
SHA1 hash:	564f148ed9f35a36c0c97745f2a3a23c8e13077b
MD5 hash:	818b810a3762215a298405bfdc7666f1
humanhash:	lactose-social-massachusetts-mississippi
File name:	818b810a3762215a298405bfdc7666f1.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	705'024 bytes
First seen:	2021-05-26 18:01:29 UTC
Last seen:	2021-05-26 19:12:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c7907d026e3015515a96e4b848fd9161 (1 x RedLineStealer)
ssdeep	12288:tSNAooDlQcvaWAY0chmjPF77hrk8ie1bhMJeXBvXDz03gXsLx:CAkcEchwtXhQQhMEBv3VXsLx
Threatray	336 similar samples on MalwareBazaar
TLSH	59E4E190FFA2C035F1BF12BC597542A8953A7EA26B6450F752C2BBEA15705E0AC7031F
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
104.217.8.122:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
104.217.8.122:80	https://threatfox.abuse.ch/ioc/64483/

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

818b810a3762215a298405bfdc7666f1.exe

Verdict:

Malicious activity

Analysis date:

2021-05-26 19:16:44 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/8e426f65-0cd0-4f43-97aa-8d2b2e566558

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/162563/

Detection(s):

SecuriteInfo.com.Trojan.Siggen13.44940.4712.28044.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending an HTTP GET request

Searching for the window

Creating a window

Sending a UDP request

Sending an HTTP GET request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/792794

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected Evader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd1950809cc08c90a09af1289b6107d2f86f4873eca54d2ef2baf3a0590a5491/

Threat name:

Win32.Spyware.Convagent

Status:

Malicious

First seen:

2021-05-24 11:29:58 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7umvbae4ycgjbie26eujwyih2l4g6sdt5ssu2lxsxlz2awikksiq._file

Verdict:

malicious

RedLineStealer

58472769f4701ccaef3d6cb6e32317f49a680dfaf1dc7ac1e8de76a02b41c7f3

RedLineStealer

7ba598295df994536137bc987b00344e609035b56a40c93354cde719cd4a2989

RedLineStealer

935d741a26dd18d1f300d3218823bcc84481017376e48693840853d7607f4e60

RedLineStealer

b2e0c72237dbad9cbd82ec93814b1b078779d3016d4e7d18b7bd5ff2cdeb9c68

RedLineStealer

b3feea58dffddae3a837b055078d8a3ed2db731fd6c7d77aa1164a0185f3b169

RedLineStealer

d8271e3a38ba916aa701c5b4cb01eb75abface3d401e604248434d7f79ffaad0

RedLineStealer

e07e702d1247fd8b230d21bba94b581f65f27e811c59a28896fcea29ddb3d2de

RedLineStealer

fc75e0db35a8db7c56bc4c3e45532fc32293270ea477f891c7b0556f93a74b80

RedLineStealer

fc9c54b72323f2492fb6e22ce77628b7af0b349b6cb6030d55d1c40b35199e91

RedLineStealer

+ 326 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:25.05 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210526-fd5zzrzxys/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

lanaky.xyz:80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fd1950809cc08c90a09af1289b6107d2f86f4873eca54d2ef2baf3a0590a5491

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	AutoIT_Script Create hunting rule
Author:	@bartblaze
Description:	Identifies AutoIT script.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_RedLineDropperAHK Create hunting rule
Author:	ditekSHen
Description:	Detects AutoIt/AutoHotKey executables dropping RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/162563/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample