MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e250e9f527cd7d6075d73b52ea7c9ef2fbd121c8284e10e8e2aadde09584b7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	8e250e9f527cd7d6075d73b52ea7c9ef2fbd121c8284e10e8e2aadde09584b7c
SHA3-384 hash:	daa00f2e23fcd58464a48f0f0edfcca991779a88eddaf9d4e0d358d62f45264c247324db4d22409e33654d8ba40aa970
SHA1 hash:	49d56952fcbaccb583b31bb7444bb1d020b54ecf
MD5 hash:	7249109c542dc988fbbb997678eaab71
humanhash:	beryllium-diet-lake-pluto
File name:	7249109c542dc988fbbb997678eaab71.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	453'120 bytes
First seen:	2021-12-27 07:39:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e4b8a20830d5d5ec659fda08d2e209e3 (10 x RedLineStealer, 1 x RaccoonStealer)
ssdeep	6144:wCW9oncbQtS1jzza4IPWMXxR85teVquqVph9vHFM4LLBQcC:dWqkeS1HzLEzXxR85teVzqVpvlM4PBw
Threatray	4'316 similar samples on MalwareBazaar
TLSH	T159A4AE10F7A1C034F2B766F849B59274A62E7EA16B2491CB53D12BEE97346E0ED30707
File icon (PE):
dhash icon	badacabecee6baa2 (28 x RedLineStealer, 19 x Stop, 13 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7249109c542dc988fbbb997678eaab71.exe

Verdict:

Malicious activity

Analysis date:

2021-12-27 12:02:46 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/d6bf73c1-5ede-4602-b7f8-828cb831bb43

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/216507/

Detection(s):

Win.Packed.Generic-9918587-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

DNS request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/3321/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61c96dd7ec6c6c14a9f62464/reports/df3b5ded-f958-4be8-abb7-40da73904893/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9f8eec18-3983-4985-9c00-a4acf920d909

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/913041

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e250e9f527cd7d6075d73b52ea7c9ef2fbd121c8284e10e8e2aadde09584b7c/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2021-12-27 07:40:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rysq5h2sptl5mb25oo2s5j6j54x32eq4qkcocduofkw54ckyjn6a._file

Verdict:

malicious

RedLineStealer

380cd876dd3a7dbe477ea7ceaa47e6c72e53a762f0e5e14aabf8c71702325fdd

RedLineStealer

61012d16ce5716684e6755935387994e4916d3fcdc295d2ac8f02e688581c2ed

RedLineStealer

7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb

RedLineStealer

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

RedLineStealer

def1c6c0f612e6c8f33b57ff702fa14c8c36ca1fad55a00bd2f18789401c236d

RedLineStealer

e5127a9ede19896dc5b7d164dc332251b03e3189ba66a972ac47f74b4402399d

RedLineStealer

+ 4'306 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/211227-jhj9wsahcq/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

91df0d77d4d0028bd5930c8550a8b330a355f3fa524c254226377efd1e884f40

MD5 hash:

71573520048ef86308ebf0bd87855553

SHA1 hash:

b8cfd64d323899a304d43ae80374fc918e7d279e

Link:

https://www.unpac.me/results/270b6258-5021-49f2-9ce5-3a2bf9d996a7/

SH256 hash:

be026055f79b1a0cc7cc40649dccd9117f49045d64aea5014774b84b7f453e11

MD5 hash:

bdceb449c081d20384cbd5f122cf4e67

SHA1 hash:

ab2d5317d10a25bef7acc6c05855134008ede7c4

Link:

https://www.unpac.me/results/270b6258-5021-49f2-9ce5-3a2bf9d996a7/

SH256 hash:

b696a116f1955982df56a4ac4eed6c91fe6839742eade0805733cf94022a62ca

MD5 hash:

fff2a80da07d1ec6891f8ecca7616369

SHA1 hash:

15263b4c110a01297d9d8523a3e5320f8eb75f5f

Link:

https://www.unpac.me/results/270b6258-5021-49f2-9ce5-3a2bf9d996a7/

SH256 hash:

8e250e9f527cd7d6075d73b52ea7c9ef2fbd121c8284e10e8e2aadde09584b7c

MD5 hash:

7249109c542dc988fbbb997678eaab71

SHA1 hash:

49d56952fcbaccb583b31bb7444bb1d020b54ecf

Link:

https://www.unpac.me/results/270b6258-5021-49f2-9ce5-3a2bf9d996a7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8e250e9f527cd7d6075d73b52ea7c9ef2fbd121c8284e10e8e2aadde09584b7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/216507/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample