MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ac87f553cfa5064f5842f568f2ceb249c3b68b5e743f10ab4455cbde7c7395b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	0ac87f553cfa5064f5842f568f2ceb249c3b68b5e743f10ab4455cbde7c7395b
SHA3-384 hash:	7bd8f433fef82bc4cfda7dd063d95fcb1718d051cde05a8472d217f1d6478dcc2a94fefe111292e6e23d5af1b3da95f6
SHA1 hash:	420fe472a9d15c28806130a17f5feb258964956a
MD5 hash:	1af9273b51d818f56e9b2442d27ae8c1
humanhash:	bravo-indigo-charlie-gee
File name:	SecuriteInfo.com.Trojan.GenericKD.48421112.31829.17902
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'155'632 bytes
First seen:	2022-03-09 21:50:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fddc083fa31a17c938d0a17ec7cd3025 (141 x RedLineStealer, 4 x RaccoonStealer, 1 x Formbook)
ssdeep	98304:u/Tdbg8K6VID8cOLfthn5FXHcVZnSqJq8aa94BPVS7GRVQcVJ/hXZ765CJdTSckC:EtgYuKLVhn59cT74BdS7GRVQaTJdTNkC
Threatray	5'100 similar samples on MalwareBazaar
TLSH	T1283633E7C2B08CA7C76AB174005B21B97AC26301495391B3A81CD53E5BBF59ADE72C27
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/248925/

Detection(s):

PUA.Win.Packer.Asprotect-3

SecuriteInfo.com.Trojan.GenericKD.48421112.31829.17902.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6229214fdfdfa8501c828a72/reports/bde77eb8-440a-46b9-b135-dd2b888075a6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/692c29d4-ca2f-472b-b1a6-b5e3f3689f00

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/953760

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ac87f553cfa5064f5842f568f2ceb249c3b68b5e743f10ab4455cbde7c7395b/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-02-22 18:00:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bleh6vj47jigj5mef5li6lhlesodw2fv45b7ccvuivol3z6hhfnq._file

Verdict:

malicious

RedLineStealer

44da6217702a77c01ed9735e67d6fffee11de2298aaaea899ddbc39da26460e0

RedLineStealer

9c126bfde9969c0d34230993dc33d233ac66eec831fd35204d4b7faf1f7af990

RedLineStealer

d37f2546cea1ed8a8f85d1f6274f7a59869ded7f56ecc6af9c123dd76fd10d70

RedLineStealer

f171414a07b968fde0474e2f9d7898221c62fb63ce5ec555efa6391e5ab3e840

RedLineStealer

+ 5'090 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220309-1qg8yabge9/

Behaviour

Program crash

Unpacked files

SH256 hash:

74adc51057ea4e2c6869be31d2ebe38c1fea225ad80a97e222445164ff058543

MD5 hash:

8d61b6c1c1c5fccd3c79ad961971359c

SHA1 hash:

b670236d1c88a79bdda79b07ff0bed17b6e6540f

Link:

https://www.unpac.me/results/80d08128-84c4-4d81-933a-676afcc9d848/

SH256 hash:

5ba1862224ab54d539a823a64847f83b0743535404b7249b187be27dd0717b70

MD5 hash:

b19ef4748b0ade88ba89d837f8149dc2

SHA1 hash:

0fb8d9ba16aab7b38efbd49dfa205015532f4f33

Link:

https://www.unpac.me/results/80d08128-84c4-4d81-933a-676afcc9d848/

SH256 hash:

0ac87f553cfa5064f5842f568f2ceb249c3b68b5e743f10ab4455cbde7c7395b

MD5 hash:

1af9273b51d818f56e9b2442d27ae8c1

SHA1 hash:

420fe472a9d15c28806130a17f5feb258964956a

Link:

https://www.unpac.me/results/80d08128-84c4-4d81-933a-676afcc9d848/

Malware family:

RedLine.D

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0ac87f553cfa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/0ac87f553cfa5064f5842f568f2ceb249c3b68b5e743f10ab4455cbde7c7395b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/