MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8760a055ce1f31f4940e600680f31d80e37d40202d1d71ab284608affeea916d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	8760a055ce1f31f4940e600680f31d80e37d40202d1d71ab284608affeea916d
SHA3-384 hash:	e5a87dccf6971e7e21dcbb6c6a0a6668d397f32ff1d0d7cdf06d46281d4a4833c3df2ad9bf1eed7bf0092c63cb8d2534
SHA1 hash:	cfa0f304a45741c26576d2008385d8e81c457150
MD5 hash:	81571a28b21cab8c74c722efa2f29962
humanhash:	apart-batman-berlin-carolina
File name:	rrmix.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	446'976 bytes
First seen:	2022-05-18 10:27:24 UTC
Last seen:	2022-05-18 11:58:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	151adccff5e70213fb31de55ca880f7e (6 x RedLineStealer, 2 x Smoke Loader, 1 x Amadey)
ssdeep	6144:p3ZS1o3m5g2uFDKvj77qlV5rcMxdcFv+srufcT33iga3wVfNX:VZS1ovRQvPG5cAdbg3S0
Threatray	6'329 similar samples on MalwareBazaar
TLSH	T11694F101F790C470E1951D7048B5F7B1177BB86265B0991BEF906B9F0EB33A18ABA31E
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	JAMESWT_WT
Tags:	exe RedLineStealer teambot dropped

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e.exe

Verdict:

Malicious activity

Analysis date:

2022-05-18 09:50:14 UTC

Tags:

evasion trojan socelars stealer loader rat redline amadey ransomware stop

Link:

https://app.any.run/tasks/202fc8db-3346-41fa-95ab-51f6e9c5ec1f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/272049/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.6138.7569.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Using the Windows Management Instrumentation requests

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/18700/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6284ca3d22b733139c28d7ee/reports/12601d21-7b11-4446-b010-d4edbaea3046/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7f551e10-921b-45f3-8c7b-d93d549b1ff5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/996687

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8760a055ce1f31f4940e600680f31d80e37d40202d1d71ab284608affeea916d/

Threat name:

Win32.Trojan.RelineStealer

Status:

Malicious

First seen:

2022-05-18 10:28:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q5qkavood4y7jfaomadib4y5qdrx2qbafuoxdkziiyek77xksfwq._file

Verdict:

malicious

RedLineStealer

7971b8802f097e62e712558e0bea53360c9df9417647058583f10d5e7cf208f1

RedLineStealer

7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e

RedLineStealer

afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420

RedLineStealer

e30916bb0f93ecd9ecc2e065e313c3d6933b7616208a88e91f6061d7cccdc309

RedLineStealer

e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e

RedLineStealer

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555

RedLineStealer

+ 6'319 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzki discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220518-mhm8bsbdfq/

Behaviour

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.233.48.58:38989

Unpacked files

SH256 hash:

588f4411103884021efa84dee24dbe00effadfe358250d0fec5fb02e6dda6d96

MD5 hash:

3e52defcd4517fc3a5c4f65226a3004b

SHA1 hash:

65e96cb9495b34e897bcddac3ef3450089f19d83

Link:

https://www.unpac.me/results/e17807d1-b756-4964-9aa9-4041eaff6fe0/

SH256 hash:

8bb0caa8f111512d3ebb4c5f427f287a8e69c7b465fef0e46e5741c7489a3d3e

MD5 hash:

b37cb4b6fd8f51e3f8919135227e3d0f

SHA1 hash:

4edea527bea1443ee4f51a5a612ac85274177992

Link:

https://www.unpac.me/results/e17807d1-b756-4964-9aa9-4041eaff6fe0/

SH256 hash:

2df7a7002a267b6d0b340c0fde2afd381d52643ff07af36d5fbe994622538075

MD5 hash:

a47d3e754c705300595d1f62f2d81332

SHA1 hash:

0d4fd94ad4b2e5444ad130b3675469477d3c1c99

Link:

https://www.unpac.me/results/e17807d1-b756-4964-9aa9-4041eaff6fe0/

SH256 hash:

8760a055ce1f31f4940e600680f31d80e37d40202d1d71ab284608affeea916d

MD5 hash:

81571a28b21cab8c74c722efa2f29962

SHA1 hash:

cfa0f304a45741c26576d2008385d8e81c457150

Link:

https://www.unpac.me/results/e17807d1-b756-4964-9aa9-4041eaff6fe0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8760a055ce1f31f4940e600680f31d80e37d40202d1d71ab284608affeea916d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.