MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c80e786edd67d443ed55ec6f2f4a1946d7bfa99040795443fb36265fbb211d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	0c80e786edd67d443ed55ec6f2f4a1946d7bfa99040795443fb36265fbb211d3
SHA3-384 hash:	3d08c897cc1b5c06d2a3313cececff7d2f02981363c4afac40431ebc1fc98747856f82ae1b4d7168a98aa86988055546
SHA1 hash:	317582b4d42e03f8d45832dd293f1d5b65f994ac
MD5 hash:	0d47cc517737bf9021c0b9796de7bb97
humanhash:	violet-equal-oregon-ack
File name:	0d47cc517737bf9021c0b9796de7bb97.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	659'968 bytes
First seen:	2022-02-24 08:58:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	917b0dc587f632b60bbe39ab8c418265 (2 x RedLineStealer, 1 x ArkeiStealer, 1 x DanaBot)
ssdeep	12288:P6zDgCDSY+GttD0Oa75Z8GbRBulO/GhKbhV7kj:P6z0kP4maBuCYKbh6j
TLSH	T1D7E412E03490A831C045F5309426FEE15AAEBC75C9529A83B7B83B8E7E723C1677594F
File icon (PE):
dhash icon	327e7c7f767e6e76 (4 x RedLineStealer, 4 x ArkeiStealer, 4 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

http://downshiftingrace.top/work/mix.exe

Verdict:

Malicious activity

Analysis date:

2022-02-26 20:00:36 UTC

Tags:

opendir loader trojan rat redline evasion

Link:

https://app.any.run/tasks/0b9f3a4b-9f14-45ce-b5fb-4df82af9095a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/244175/

Detection(s):

Win.Dropper.Stop-9938042-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7286/overview

Behaviour

MeasuringTime

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/621748b7a6f52d32f17f3659/reports/f9cffe9b-ba7d-45b6-9818-3e7be1596561/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a0f0728-6825-4033-b757-9a6f784f45f5

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/945506

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample or dropped binary is a compiled AutoHotkey binary

Yara detected Autohotkey Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0c80e786edd67d443ed55ec6f2f4a1946d7bfa99040795443fb36265fbb211d3/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-02-24 08:59:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bsaopbxn2z6uipwvl3dpf5fbsrwxx6uzaqdzkrb7wnrgl65schjq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/220224-kxr4qadgfm/

Behaviour

Checks processor information in registry

Enumerates physical storage devices

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Unpacked files

SH256 hash:

86cec2665ff431668f274fecddf883fb5b532c06ee1a495ce60d5fbbb90c3a33

MD5 hash:

f7246b8631cad60d643fe3625a823397

SHA1 hash:

3aabf69029480970b338bb37a511d307aaf40c79

Link:

https://www.unpac.me/results/64b7d1c9-e9db-44eb-873b-476b2d1870f5/

SH256 hash:

0c80e786edd67d443ed55ec6f2f4a1946d7bfa99040795443fb36265fbb211d3

MD5 hash:

0d47cc517737bf9021c0b9796de7bb97

SHA1 hash:

317582b4d42e03f8d45832dd293f1d5b65f994ac

Link:

https://www.unpac.me/results/64b7d1c9-e9db-44eb-873b-476b2d1870f5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c80e786edd67d443ed55ec6f2f4a1946d7bfa99040795443fb36265fbb211d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers