MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fa4d5f66d88e34f8086398f2e1ec7ac11f81f1e12bdd94022a90b3f6a760e8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fa4d5f66d88e34f8086398f2e1ec7ac11f81f1e12bdd94022a90b3f6a760e8d
SHA3-384 hash: f869fcb5ddf4bc61129c843a345400cd0a57d60c304a17f5efbb8359601fef8fbe26cc663e1aab25b0a55e3cea3992a3
SHA1 hash: e8cc3ccc0a608d6949231d49db3ef3c295f6e545
MD5 hash: 7174237a3b199710097000bc7ef40702
humanhash: failed-venus-thirteen-cardinal
File name:7174237a3b199710097000bc7ef40702.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:310'784 bytes
First seen:2021-07-24 17:50:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c53e08bb6beec713632928ff71fb4e4b (7 x RedLineStealer, 6 x RaccoonStealer)
ssdeep 6144:cZqvpwpkxA4HfS9kH4SLzIJLyXHQRlrFz:cQS+A4/Sy4Sn4y4L
Threatray 3'498 similar samples on MalwareBazaar
TLSH T14564E1207651DC73C052193148D3CB616BAEBD31AE7C96036BA42FEF6F312D2626E356
dhash icon 08b9b2b0e8c18c90 (11 x RaccoonStealer, 3 x RedLineStealer, 2 x DanaBot)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.114:8887

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.114:8887 https://threatfox.abuse.ch/ioc/162768/

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7174237a3b199710097000bc7ef40702.exe
Verdict:
Malicious activity
Analysis date:
2021-07-24 17:53:25 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/c097f2b2-0b90-4849-b31c-32c32116fdeb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173929/
Detection(s):
Win.Malware.Generic-9880784-0
Create hunting rule

Win.Malware.Generic-9880785-0
Create hunting rule

Win.Malware.Generic-9880807-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edf6f516-1989-467e-9e4a-cbbb31c2b79e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821296
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fa4d5f66d88e34f8086398f2e1ec7ac11f81f1e12bdd94022a90b3f6a760e8d/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 04:46:06 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6snl5tnrdru7aeghghs4hwhvqi7qhy6ck65sqbcveft62twb2gq._file
Verdict:
malicious
Similar samples:
0e8e4a8f9a4e2c2523d1a2e37c799f0b8faa2705204d207261948a13312247a1
RedLineStealer
22f273effad8f6667cf9b94548412ca4d5e3dbd7592caa8f6ade6d1b3caf2a5f
RedLineStealer
4871df59eb4440514615fa7ef4a9f1bdfeb7e47a0d622ff354d89363cc3622d6
RedLineStealer
5a7ee4cb1dccb84bc40cd076d86a4b97e67776cd7b7ff6c2ed8816bd4046a4e5
RedLineStealer
6153c614b6aaaddaf1afafcaf5d1499b4c8ce8706fe9b64599d06bca37b7ec7e
RedLineStealer
873e0fcc2e0ebe7488c085d7001ce2cd05b8c4dbcb0e9d6f2d9642f73b5314ff
RedLineStealer
c96acaf883bfc4039ba9fcf98e46e35497aabecc4154bcdc795dc27208239815
RedLineStealer
df15d40ac6ba9f2b529e924a36fd7d55c855935dfc28a210e39ca688bac0131b
RedLineStealer
ef9df1e65fc9a387616096d78fa43ebea1229f48c5b96814eed2396c6fdb3dbd
RedLineStealer
f80044762635fc93a0b1f612664bd9b0b21fa0e88fd473b8f298d9726c43f9a8
RedLineStealer
+ 3'488 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sewpalpadin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210724-sp3y5f5nsx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.114:8887
Unpacked files
SH256 hash:
896327f3b8ffb0108da0ba4bb4177ecf34b2b537c70ba775f3b8d05f7337e480
MD5 hash:
9ef3832f3b00631ed09c7931e494e3e5
SHA1 hash:
bffc8ce4c382f443820d1d089db72c267090bb3d
Link:
https://www.unpac.me/results/78587550-01ec-45f6-b78e-0405a0454e05/
SH256 hash:
5a9bcd47b183892a42b3b68a53e442a93c0bb016fb94abbd8d42b6477e982194
MD5 hash:
9d700a739ff25fd446ab24994185abd7
SHA1 hash:
73eaeff4f6ec5d342f9c5ccf045eab616281d7d0
Link:
https://www.unpac.me/results/78587550-01ec-45f6-b78e-0405a0454e05/
SH256 hash:
98a398c51f219ad1ad34f1190a276355212cd4228797708ee2fae4c43b1186cf
MD5 hash:
8cf1348cb3c4ea66ef1664c23478b56c
SHA1 hash:
5e79ef8bfed82f2713b589c7cd24b2e241b2a16d
Link:
https://www.unpac.me/results/78587550-01ec-45f6-b78e-0405a0454e05/
SH256 hash:
8fa4d5f66d88e34f8086398f2e1ec7ac11f81f1e12bdd94022a90b3f6a760e8d
MD5 hash:
7174237a3b199710097000bc7ef40702
SHA1 hash:
e8cc3ccc0a608d6949231d49db3ef3c295f6e545
Link:
https://www.unpac.me/results/78587550-01ec-45f6-b78e-0405a0454e05/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fa4d5f66d88e34f8086398f2e1ec7ac11f81f1e12bdd94022a90b3f6a760e8d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173929/

Comments