MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 008d589263f7e591b6fcd1561551a526cf5fba28430696c2a8e6b0a77640190b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 008d589263f7e591b6fcd1561551a526cf5fba28430696c2a8e6b0a77640190b
SHA3-384 hash: 9a7288430ef8e142ea3e760fead20a0e0fee96b64f15591f6795c945e9ca669fd4730b21469a24657766875fbcf63204
SHA1 hash: 70c9ea62879084dbff0b60ddf15ff5e5f034cbed
MD5 hash: 086a83749f45bb6bd1c932912a7caada
humanhash: oregon-artist-beer-louisiana
File name:UNIXCHEAT 31.7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:498'288 bytes
First seen:2021-10-12 20:43:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 63ac7c2799723925dd310860701c20d0 (4 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 12288:ilrwEdNnGmst+vUHbaBE+5So5D7XQRr1F0/YTlS:GrGmi+W2WmSoR2BFMYTlS
Threatray 2'055 similar samples on MalwareBazaar
TLSH T1D5B423706791982AD4CB1D3D1005DA191B380CBA2FF97B33FAB473A5C6B5EE1EC42A51
File icon (PE):PE icon
dhash icon f0e894aaaca4c8f0 (4 x RedLineStealer, 2 x RaccoonStealer)
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UNIXCHEAT 31.7.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-12 20:39:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f5acfcc-713a-49f6-9e11-ce6e735d88c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197030/
Detection(s):
Win.Malware.Generic-9901230-0
Create hunting rule

Win.Malware.Generickdz-9901242-0
Create hunting rule

Win.Malware.Filerepmetagen-9901246-0
Create hunting rule

Win.Malware.Generickdz-9901302-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6165f3959fb4d8593d62d7d6/reports/f7fe845e-dd8a-4873-b540-c8d7351e2ea6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83f78cd7-534c-4bbc-a8c7-a0203c998dde
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/869048
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/008d589263f7e591b6fcd1561551a526cf5fba28430696c2a8e6b0a77640190b/
Threat name:
Win32.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 20:46:51 UTC
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=acgvretd67szdnx42flbkunfe3hv7oriimdjnqvi42yko5sadefq._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
22c23de0a046b3652861d880ad53bbfca85448d0a6814d34151b1f359839dd37
RedLineStealer
4eb02a90be27af84c49a2f62da8e179e5117d82db4e25c7a2c80e2954583bdb3
RedLineStealer
63301a39b93b63acab80e0a05b909f733d792c7ae829a0a207d2fa2e1498158f
RedLineStealer
677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58
RedLineStealer
9896b4bf3012c8477faa6994da3dcf12b3a445359323d5a8ee697292d3be7545
RedLineStealer
a4b9e911a5f2f42c747161b858485001a041d5250b78bd80e80a78356797571f
RedLineStealer
cebf4c9af84506f3b683d5d4867b739244b6ba595772d583b3455781c4d91b74
RedLineStealer
d9b24fe6f9059ed1935afdab787fb4d84faf530143c829d525df509181674c6e
RedLineStealer
ea5236788c97196a492eb29449a57951e3df07b3d432f85fd23e511cfd02a58d
RedLineStealer
fad39635cac516fe112c996e7fe9fa7d09d4074f349f515626a758dbd38fd336
RedLineStealer
+ 2'045 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@lxxt3rx infostealer
Link:
https://tria.ge/reports/211012-zh6e5adacl/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.213.209.36:36533
Unpacked files
SH256 hash:
639eb48d1ab2d68a8edf5ef0c00a1bcbf274e2abb6bb4bb4e1e0ebca25603bde
MD5 hash:
df6a3cc770bfaea7a9daf8847a49e479
SHA1 hash:
058c6af151338330ccfb539331f4cee0a252ecbf
Link:
https://www.unpac.me/results/c210749e-4deb-4e69-aa74-9795196fafc5/
SH256 hash:
0d239c9afdb01450dc05c3a1cfac05e9408bb72beefb5c2fc7a477a22d2a83d8
MD5 hash:
0b3ac8792e43202ff5b41c300d7e9319
SHA1 hash:
6a9cd290c626e85600776f1b4631a930acc6ff53
Link:
https://www.unpac.me/results/c210749e-4deb-4e69-aa74-9795196fafc5/
SH256 hash:
008d589263f7e591b6fcd1561551a526cf5fba28430696c2a8e6b0a77640190b
MD5 hash:
086a83749f45bb6bd1c932912a7caada
SHA1 hash:
70c9ea62879084dbff0b60ddf15ff5e5f034cbed
Link:
https://www.unpac.me/results/c210749e-4deb-4e69-aa74-9795196fafc5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/008d589263f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/008d589263f7e591b6fcd1561551a526cf5fba28430696c2a8e6b0a77640190b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 008d589263f7e591b6fcd1561551a526cf5fba28430696c2a8e6b0a77640190b

(this sample)

anyrun
any.run
https://app.any.run/tasks/4f5acfcc-713a-49f6-9e11-ce6e735d88c1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197030/

Comments