MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80ca096a0d229900a697be7595d65730a8e7fa1de3bdc015578e87ec996ebd4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	80ca096a0d229900a697be7595d65730a8e7fa1de3bdc015578e87ec996ebd4b
SHA3-384 hash:	155284647f81143e7ec71205b5a9c46974842f96300dab50b688f643c447ace98a7745c8e986021e827e0099c84cee50
SHA1 hash:	86718c37bb8e7782e12ee577de095738c1dd7a69
MD5 hash:	0b24028737fa029d0c75ec0195cd60ce
humanhash:	november-thirteen-cat-princess
File name:	file
Download:	download sample
File size:	3'935'232 bytes
First seen:	2023-06-04 21:09:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	98304:PjYWYwhbmTmf0uldA6pK5offSMsMc7CUMqNYGNWP4NeFB:PMWJhm6lq6pKKWMkCXwwpB
Threatray	13 similar samples on MalwareBazaar
TLSH	T18B063317AC721264EADB73B50CFAC6E678FC996596841D09F09240B3603F45244FF6BE
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
Reporter	andretavare5
Tags:	exe

andretavare5

Sample downloaded from http://163.123.143.4/WW/1.exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

339

Origin country :

US

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-04 21:09:50 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/bb6c16da-8cd9-414a-aff5-f9bb45832cc3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/395661/

ClamAV Detected

Detection(s):

SecuriteInfo.com.W32.Themida.S.gen.Eldorado.12842.1836.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Creating a file

Stealing user critical data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/647cfdabb9a56224720b4cb6/reports/0fae2f96-1459-475b-a39a-587c207e9d18/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/80ca096a0d229900a697be7595d65730a8e7fa1de3bdc015578e87ec996ebd4b

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Suspicious

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/316e0b36-7975-4bca-82b3-14c3ccef6a56

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1248466

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/80ca096a0d229900a697be7595d65730a8e7fa1de3bdc015578e87ec996ebd4b/

ReversingLabs TitaniumCloud Win32.Spyware.RedLine

Threat name:

Win32.Spyware.RedLine

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-04 21:10:06 UTC

File Type:

PE (Exe)

Extracted files:

1

AV detection:

17 of 24 (70.83%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qdfas2qnekmqbjuxxz2zlvsxgcuop6q54o64afkxr2d6zgloxvfq._file

Threatray unknown

Verdict:

unknown

Similar samples:

1bdbc0c9494df38a4ed2fcc05ae5a70daa8a48f2407383d77359d4b5638fde19

4c6db804a366a11a3321f87543f03c45e1785fed75a1c5e21ce39b658f6bb5bd

71542a9dd0da516b5599228ace4fc9028ce2d389ec0fc1e68e9089ba174afe80

8ced69a3c6796be12a0433300b9935b4c63fe4817b0830e1965b07fffaa360df

9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9

af74b80210c8fd9f512427ff46e8ccbdf063a9eed4fa3ffe15f791880c5b8d1e

b2b465aad0a254c202bee124ff4beb540ac09ce04655f61478b5824509a1f6a2

b4bbdadeb876d22140beabe77e143cd74871461c0823f9f9ba79b41106386d26

d120f86810729718538a4afeacb0c1af96953e565cfe2fa5006c9dc823f8f274

+ 3 additional samples on MalwareBazaar

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline botnet:yg muar discovery evasion infostealer spyware stealer

Link:

https://tria.ge/reports/230604-zz1k7sed3y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

Malware Config

C2 Extraction:

80.89.229.34:21712

UnpacMe

Unpacked files

SH256 hash:

80ca096a0d229900a697be7595d65730a8e7fa1de3bdc015578e87ec996ebd4b

MD5 hash:

0b24028737fa029d0c75ec0195cd60ce

SHA1 hash:

86718c37bb8e7782e12ee577de095738c1dd7a69

Link:

https://www.unpac.me/results/4f5ed36d-354b-4dfe-ba30-d3fd47b89efe/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/80ca096a0d229900a697be7595d65730a8e7fa1de3bdc015578e87ec996ebd4b

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

  

Dropped by

PrivateLoader

  

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/395661/

  

URLhaus

https://urlhaus.abuse.ch/url/2653014/