MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cf7b44057a21a6c23a550108ffd5e0fcd997c44254b34caf30486f43bdf9123. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 2 File information Comments

SHA256 hash:	8cf7b44057a21a6c23a550108ffd5e0fcd997c44254b34caf30486f43bdf9123
SHA3-384 hash:	0abdee78d159fec40aa0fc71e6d1aa757cf5bbc312b946c512066ed3703c21262f64a9af2f9ac95438c3bbaf6da3ec25
SHA1 hash:	2dc331e9cfc6c93d941b7e2c8f6d693eaa8d7499
MD5 hash:	73a7c33edf74031bf7c3e893215476eb
humanhash:	aspen-uncle-yankee-stairway
File name:	73a7c33edf74031bf7c3e893215476eb.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	339'968 bytes
First seen:	2021-09-28 10:11:15 UTC
Last seen:	2021-09-28 11:17:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	56c207817e66e7690a43bf97b1ee7374 (5 x RaccoonStealer, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep	6144:3lwOABY+L3ya2z5xKWMEn/I7DMTnzSNi5TXmYcstmmK:3l5EYk3yV5xK/ADHs+Tvcr
Threatray	327 similar samples on MalwareBazaar
TLSH	T17274BF30A7E0C035F5B312B94ABA9378A62D7EB1673491CF62D126EA5774AE4DC30743
File icon (PE):
dhash icon	96714cb474dcf166 (2 x RaccoonStealer, 1 x GCleaner, 1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
87.251.71.44:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
87.251.71.44:80	https://threatfox.abuse.ch/ioc/227399/

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

73a7c33edf74031bf7c3e893215476eb.exe

Verdict:

Malicious activity

Analysis date:

2021-09-28 10:13:59 UTC

Tags:

trojan loader rat redline stealer opendir evasion

Link:

https://app.any.run/tasks/a1420bfd-48e1-42ce-b9d7-0f568ee16037

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Ulise.303597.28090.23135.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending an HTTP GET request

Launching the default Windows debugger (dwwin.exe)

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/44060172-2bd8-4442-bae0-2ce4bca64a98

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8cf7b44057a21a6c23a550108ffd5e0fcd997c44254b34caf30486f43bdf9123/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2021-09-28 10:11:26 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rt33iqcxuingyi5fkaii77k6b7gzs7ceevftjsxtasdpio67serq._file

Verdict:

malicious

RedLineStealer

2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324

RedLineStealer

49113451c4baac2ee6b97486bd1f57dcf68891d55ff4782daa4d578e23e78d7c

RedLineStealer

71536640ec28b6c7f0e1d84b33099a780ccefa60f66a7fbf5c5794a676e36f47

RedLineStealer

79d1a0d0bd8b5672374ab7c97365a6b0276efc6755900cdbdcdb77019e69457a

RedLineStealer

9453ddc4bebb87a937e3d53d38c56814907b2862496142ccdb568f48caf2d467

RedLineStealer

ad8767331fa27d72ef724d50aaa1c982430b8602de5dc0c09daaea1c59e42bd2

RedLineStealer

b41de952a4fc93913cc56535c289c1cfd5b4c249477a0fad912956abf6b2293b

RedLineStealer

d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548

RedLineStealer

e95fd4b1c20d7547466b404f5a9f00940e40e3c8421c3838b619adfa6bbcb4cb

RedLineStealer

+ 317 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210928-l8g9bsbffq/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Deletes itself

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE GCleaner Downloader Activity M5

Unpacked files

SH256 hash:

74049e9cd40b591dad517c8d31df1d5d646c295a0f5fa7014619b0e78bc82d42

MD5 hash:

4c5dc3fac7db0aab74cdb983512a1b6f

SHA1 hash:

e3f76b0c2e3d6bfb77cf6437323a4124ef9a6f27

Link:

https://www.unpac.me/results/2946b857-0001-46c3-ad81-820994eaf372/

SH256 hash:

8cf7b44057a21a6c23a550108ffd5e0fcd997c44254b34caf30486f43bdf9123

MD5 hash:

73a7c33edf74031bf7c3e893215476eb

SHA1 hash:

2dc331e9cfc6c93d941b7e2c8f6d693eaa8d7499

Link:

https://www.unpac.me/results/2946b857-0001-46c3-ad81-820994eaf372/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8cf7b44057a21a6c23a550108ffd5e0fcd997c44254b34caf30486f43bdf9123

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample