MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8065894783bc05b961b4ce6a0d8a3dd0d1edcc83b294b18df7af0dab0db430a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	a8065894783bc05b961b4ce6a0d8a3dd0d1edcc83b294b18df7af0dab0db430a
SHA3-384 hash:	fd870458d4345bc34f8c29037962820889fbba4475c101afb935421c473ebf50fb39fcc51545e38a62d847862dab3852
SHA1 hash:	7390a3641b56469f617445731e3eb50b610a738f
MD5 hash:	9116c0c63254b0950fbbc63c70feded7
humanhash:	robert-carolina-fish-pasta
File name:	9116c0c63254b0950fbbc63c70feded7.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	718'848 bytes
First seen:	2021-12-23 08:43:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	95d45e77143988fbcae4ec8ca9a8169e (4 x ArkeiStealer, 4 x RedLineStealer, 2 x RaccoonStealer)
ssdeep	12288:j88doC5ReVvyWlzQsYhKM863O1nM+6std:jbJDKZ6gM+Ntd
Threatray	850 similar samples on MalwareBazaar
TLSH	T11FE412757A808B7BE4B714B2653D0791DD3AFD0616F4D4AB7280AF6F8FB22818E12315
File icon (PE):
dhash icon	480c3c4c4f590b14 (23 x Smoke Loader, 16 x Amadey, 15 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9116c0c63254b0950fbbc63c70feded7.exe

Verdict:

Malicious activity

Analysis date:

2021-12-23 08:48:12 UTC

Tags:

evasion loader trojan rat redline

Link:

https://app.any.run/tasks/86dc48ab-63bf-4815-be73-5ddf01041738

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/215917/

Detection(s):

Win.Packed.Generic-9917126-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2990/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware

Link:

https://www.filescan.io/uploads/61c436d5ec6c6c14a9ec13fe/reports/a850a1f8-f8aa-4af6-a921-f2a7285e24e8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/36dcf19f-9ac3-4d74-aea8-a9f5f0ea7ab3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/911917

Signature

Antivirus detection for URL or domain

Contains functionality to register a low level keyboard hook

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8065894783bc05b961b4ce6a0d8a3dd0d1edcc83b294b18df7af0dab0db430a/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2021-12-23 08:44:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vadfrfdyhpafxfq3jttkbwfd3ugr5xgihmuuwgg7plynvmg3imfa._file

Verdict:

malicious

RedLineStealer

571174b8ae101207a90c2a1033716cedf4dcc5fddcd8e6e506133f4a1b79bb91

RedLineStealer

a769514eb7d1363570d3e05161e8e51485ad353464f142bdd94a854cd2e93d50

RedLineStealer

ab4589cf2650c1ae3e7a3b8dcf7749f46b81231f4f116fe15b0871ca366267c7

RedLineStealer

d1439d1a3c8bd8495a07ea2d22e4480b7cd837deb3b6c5576e98592de7f67996

RedLineStealer

e3b6a660fbacbea49c7da301f2eadae99a5f1889858fff7e7378c508e286580f

RedLineStealer

ed9ec6594cdb7b034643ec06adcbf86c7124ac81805e0f48f655f389492ee9a5

RedLineStealer

ffbb9cbfc1d209d6a3f4c835ecb844b8ab585a4834511613d34191165a3feb61

RedLineStealer

+ 840 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:23.12 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211223-km6jcshdc4/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.17:7700

Unpacked files

SH256 hash:

eb2c7700298be8f46128126c2ec508cca8d0fe1882f3e00ce9512c8813a9796c

MD5 hash:

ae291d1a0d59bbab64c2c4463413dc42

SHA1 hash:

423af2a598feda789a3914acdf36427b3fb65673

Link:

https://www.unpac.me/results/dc31def2-9e80-4811-91ee-567234142916/

SH256 hash:

a8065894783bc05b961b4ce6a0d8a3dd0d1edcc83b294b18df7af0dab0db430a

MD5 hash:

9116c0c63254b0950fbbc63c70feded7

SHA1 hash:

7390a3641b56469f617445731e3eb50b610a738f

Link:

https://www.unpac.me/results/dc31def2-9e80-4811-91ee-567234142916/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a8065894783b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8065894783bc05b961b4ce6a0d8a3dd0d1edcc83b294b18df7af0dab0db430a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.