MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87a643f05a4a942da305e22222193770bee9ecee4f7f0442408445336bf1c8ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments 1

SHA256 hash:	87a643f05a4a942da305e22222193770bee9ecee4f7f0442408445336bf1c8ef
SHA3-384 hash:	eb597a8dbf0115b5e377e5f1ad2f8b6efb9d973a275a89c81f972846505c6e7992ba5ac6580ff55826b01819f5e007f6
SHA1 hash:	f531072ea44f2ddbff5670b9c47030a235aaa97b
MD5 hash:	e01e4ebdceade8f7f9e29a3c8bceb7a9
humanhash:	eight-bravo-cat-avocado
File name:	e01e4ebdceade8f7f9e29a3c8bceb7a9
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	342'016 bytes
First seen:	2022-05-29 21:02:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	04acecae68698df6c0d2bfb43d12a27e (1 x RedLineStealer, 1 x Smoke Loader)
ssdeep	3072:4ZA3LP/8lKwd/VXV41N3QPjeoWKLgajNib2CIA6dnarCVu3MX6ZKH0KTPkZsGfwl:qA75w9FV41O68gajjLnar6CIH01sG
Threatray	6'355 similar samples on MalwareBazaar
TLSH	T15B74F1C575A4CC32E5B34A380875C2746FB7BD32B974C54B3780233D6F712A1AAA57A2
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea6ac8ccc (78 x RedLineStealer, 43 x Smoke Loader, 13 x Stop)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

629

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

e01e4ebdceade8f7f9e29a3c8bceb7a9

Verdict:

Malicious activity

Analysis date:

2022-05-29 21:04:16 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/a06526b2-9fc4-42b6-8878-b75b99a55007

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/275276/

Detection(s):

SecuriteInfo.com.Variant.Jaik.77338.28675.24983.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Query of malicious DNS domain

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/20445/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter greyware packed

Link:

https://www.filescan.io/uploads/6293df99054dcf0eca01a0cc/reports/784be0ae-07da-49ce-9473-5fc25392c7c9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fb269db3-f07a-4ce3-9bc8-62b2dec41497

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003315

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/87a643f05a4a942da305e22222193770bee9ecee4f7f0442408445336bf1c8ef/

Threat name:

Win32.Spyware.Convagent

Status:

Malicious

First seen:

2022-05-29 20:13:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=q6teh4c2jkkc3iyf4ircegjxoc7ot3hoj57qiqsaqrctg27rzdxq._file

Verdict:

malicious

RedLineStealer

38fe361584100f7ba0fd1391f4ac535543bb72c5dfd5dda045f35eb657871cd6

RedLineStealer

959c0ef7180f57d3159570b691671e9a51833c193d9727d374d7965740fb0b57

RedLineStealer

a3cb769c3ad5de51f6bd90efb7022ba10c8d89b8d9d276f34343b36f73a00732

RedLineStealer

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01

RedLineStealer

bab1f30a726af13b0834d93f505d9331ab10d5735cdc818c0140a3f07ac93b66

RedLineStealer

+ 6'345 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:top discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220529-zv1emsabc7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

185.215.113.75:81

Unpacked files

SH256 hash:

1399553fb5de96887f6f98ef5f100ea90fd1a8cb26fab0dc2d173406e1469dbd

MD5 hash:

63343c20e59d69e875c6438520beee4b

SHA1 hash:

e7586b4ad9d04224dd71f64f5b6ce402a5157f74

Link:

https://www.unpac.me/results/d62bd9aa-8a3b-4983-9bd7-1480d332befa/

SH256 hash:

7790633e87a2859058722cd3832cd48673764662c42843b571ef7b23d42d6af5

MD5 hash:

ac4b533abcac25825d105557228c179c

SHA1 hash:

a49cb09b05116cfd23f94f9feaeab8dbe8bc8b1d

Link:

https://www.unpac.me/results/d62bd9aa-8a3b-4983-9bd7-1480d332befa/

SH256 hash:

c8f30471b80bfda9ef30da1d9ad3ed392a5f2ac01154dd31595efd520c5f8640

MD5 hash:

447622168d44082180805aa7ff673f81

SHA1 hash:

08efebddfa7efb874fdcfbfaa70f447ff3a3fdc4

Link:

https://www.unpac.me/results/d62bd9aa-8a3b-4983-9bd7-1480d332befa/

SH256 hash:

87a643f05a4a942da305e22222193770bee9ecee4f7f0442408445336bf1c8ef

MD5 hash:

e01e4ebdceade8f7f9e29a3c8bceb7a9

SHA1 hash:

f531072ea44f2ddbff5670b9c47030a235aaa97b

Link:

https://www.unpac.me/results/d62bd9aa-8a3b-4983-9bd7-1480d332befa/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/87a643f05a4a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/87a643f05a4a942da305e22222193770bee9ecee4f7f0442408445336bf1c8ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.