MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac7d1c0c04d54303de475f1089c9373b6dcedb275903ba3bba167ad09ba1f908. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 7



SHA256 hash: ac7d1c0c04d54303de475f1089c9373b6dcedb275903ba3bba167ad09ba1f908
SHA3-384 hash: 2d5a70861ca043f8e43d747e5f5315596d6139de322e0ee333627045a652d654eed826a27d93828876fe8b9bf1070819
SHA1 hash: c44cf66def6b31829dd68db55792bd947b07aa54
MD5 hash: f75bbc3a02c7ae376c6e21bb58d70224
humanhash: friend-nevada-mars-sodium
File name: f75bbc3a02c7ae376c6e21bb58d70224
Download: download sample
Signature: RedLineStealer
File size: 16'009'216 bytes
First seen: 2022-12-20 13:49:08 UTC
Last seen: 2022-12-21 12:42:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 61 x Rhadamanthys)
ssdeep: 393216:WdS4GVROtz8ZOv/4+sPpAsL3UgX0QTrD3RTck9yPpsAm7OUs:QVGVR4v/4vPp1PXrvNcWHAmR
Threatray: 260 similar samples on MalwareBazaar
TLSH: T1B2F633912BFD127DD4380BF880BA4517F437BDC152ED5AAB6B44BA5C891A7B36938F00
TrID: 83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE): PE icon
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: zbetcheckin
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 181
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: f75bbc3a02c7ae376c6e21bb58d70224
Verdict: Malicious activity
Analysis date: 2022-12-20 13:51:07 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Creating a process from a recently created file
Creating a process with a hidden window
Gathering data

Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: bank
Score: 52 / 100
Signature
Multi AV Scanner detection for submitted file
Registers a new ROOT certificate
Behaviour
Behavior Graph (ID: 770694; sample: ccshmE0GvY.exe; start date: 20/12/2022; architecture: WINDOWS; score: 52)
Signatures: Multi AV Scanner detection for submitted file; Registers a new ROOT certificate (raised on the certutil.exe process)
Processes started: ccshmE0GvY.exe; rundll32.exe; certutil.exe (started by ccshmE0GvY.exe); conhost.exe (started by certutil.exe)
Dropped file: C:\Users\user\AppData\Local\...\certutil.exe, PE32+ (dropped by ccshmE0GvY.exe)
Threat name: Win64.Adware.RedCap
Status: Malicious
First seen: 2022-12-20 13:50:25 UTC
File Type: PE+ (Exe)
Extracted files: 78
AV detection: 18 of 26 (69.23%)
Threat level: 1/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Unpacked files
SHA256 hash: ac7d1c0c04d54303de475f1089c9373b6dcedb275903ba3bba167ad09ba1f908
MD5 hash: f75bbc3a02c7ae376c6e21bb58d70224
SHA1 hash: c44cf66def6b31829dd68db55792bd947b07aa54
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ac7d1c0c04d54303de475f1089c9373b6dcedb275903ba3bba167ad09ba1f908

(this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2022-12-20 13:49:20 UTC

url : hxxp://37.77.239.239:8752/crypted/ransom.EXE