MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
SHA3-384 hash: 62a0ce1beae638193ad92b8c6883fcc26bb47139bd3889820cd0fc9e0765cd7446172112a145dcfc1b604cf711148825
SHA1 hash: 0aaeb9da7af2d8917254a1d02bbb45b23ca56ded
MD5 hash: 7e1661bdc5e64cc1bcf62ce29b48f0b6
humanhash: twelve-tennis-nuts-social
File name:ValhallaDsp.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'399'104 bytes
First seen:2021-11-13 20:30:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e48cc266501c282987b27f2c1f654e2d (52 x RedLineStealer, 3 x RaccoonStealer)
ssdeep 98304:1FVySWe/aWDDOkHPtwsLw1Dl7JGY3K8ujThIOMsEXvsx6bCFFAn:1LySWePDDOkvXLw7cWejThIOMjXv9OK
Threatray 13 similar samples on MalwareBazaar
TLSH T18916332290D03869E2CB6A7D9D0BDAF78556C7F564E86C66734A028B9FFF0A33055138
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ValhallaDsp.exe
Verdict:
Malicious activity
Analysis date:
2021-11-13 20:30:04 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/db516546-ef2a-4f28-9afb-8477f7a5a4dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205548/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Generic-9907417-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed yakes
Link:
https://www.filescan.io/uploads/619020883edf00a722d2817a/reports/381f1f51-1d41-448e-8d0c-35670f07a998/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edd9a466-797b-4bcb-a82f-4bb08fd9837f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888660
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-13 20:31:06 UTC
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rj3p2efephn7lo25md3o7fewihjo6tysmktntxjhht4tw67jgszq._file
Verdict:
malicious
Similar samples:
139c83b8cf3674d992e04f9e4a047c3a7ad5279b2f6b8bf18c39603f82bca16d
RedLineStealer
191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33
RedLineStealer
370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4
RedLineStealer
70abd0e56d64c9d19e81fc1f62f09b9644b00819c5a1feccfd185c168f4a2099
RedLineStealer
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
RedLineStealer
96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
RedLineStealer
d1b138a211d4b9ce4d825f82669ba211e585a87eec0e877a2b8ef87a9e43ccb6
RedLineStealer
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
RedLineStealer
d8ce2e5613b91a46eb15835e6d2aac47a715e2ab55a97163bdf2ed8ac350f7a1
RedLineStealer
dc050b963c642e86bf74da5e85fbfcb0b3c12bd692808bf8ae12a36f4bcf3c84
RedLineStealer
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211113-zap36sceaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
c2bb4cf65832cf17ca8f8f9d5db5e3c5b049ac3c946ca85cb5e4b1c02c5b5538
MD5 hash:
7a1e3c36ffbf27cc58f91bbf247c5c7f
SHA1 hash:
07fab06d86e275a0d9b294bd09e92a1f1741c941
Link:
https://www.unpac.me/results/6eef767b-3a8d-40fd-9d1f-713329eeafa6/
SH256 hash:
8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
MD5 hash:
7e1661bdc5e64cc1bcf62ce29b48f0b6
SHA1 hash:
0aaeb9da7af2d8917254a1d02bbb45b23ca56ded
Link:
https://www.unpac.me/results/6eef767b-3a8d-40fd-9d1f-713329eeafa6/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205548/

Comments