MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0c8266db48efba84dcc0e75b870cd5000f18f7dbbf68be2a896409881b69b13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 2



SHA256 hash: b0c8266db48efba84dcc0e75b870cd5000f18f7dbbf68be2a896409881b69b13
SHA3-384 hash: c75a458fbb63eea7a3037bcde87f1d3ee2411438aad58c59842199ef4904ec289a18d2b9a602c4e4cb99fc853530d521
SHA1 hash: 61075c39e3047ef29115fd4fa27234014434b1cc
MD5 hash: a1fea1f7d47132731128994f796bc5b5
humanhash: harry-pip-coffee-happy
File name: Miner Tool.zip
Signature: RedLineStealer
File size: 8'902'928 bytes
First seen: 2023-04-13 13:09:32 UTC
Last seen: Never
File type: zip
MIME type: application/zip
Note: This file is a password protected archive. The password is: minertool2023
ssdeep: 196608:qW976cqc6kGiXeTdZL/WnpZ5t2PI1/Q6xoESoyIA97aqmO:qWUGBXeTdQnpZOPI1xNvyIAtaqmO
TLSH: T11996335A263375FBD44F9AFA2AEF0532824D12C3C4A3685F4DC022C944B5EEB575DE88
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
TrID: 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: iamdeadlyz
Tags: 37-220-87-78 exe file-pumped pw minertool2023 RedLineStealer zip


Iamdeadlyz
From miner-tool.com (impersonation of grinpro.io)
RedLineStealer C&C: 37.220.87.78:25387

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 37.220.87.78:25387
ThreatFox reference: https://threatfox.abuse.ch/ioc/1103291/

Intelligence


File Origin
# of uploads: 1
# of downloads: 2'869
Origin country: SG
File Archive Information

This file archive contains 39 file(s), sorted by their relevance:

File name:System.Composition.Runtime.dll
File size:29'928 bytes
SHA256 hash: c419e3d51f9eefb1f6fc0fb7ccf9b5ac5cc4b75fa75131d4af0c74252914eb10
MD5 hash: d18c354a78688d6a3cf68a0567af40e3
MIME type:application/x-dosexec
Signature RedLineStealer
File name:appsettings.Development.json
File size:140 bytes
SHA256 hash: 7ddaabba3c4935d80f0e4d549e42a127bcc0e94143f9d522c9837166eddb7e51
MD5 hash: 23d5d8cea83b849c060927b187000a81
MIME type:application/json
Signature RedLineStealer
File name:Master.dll
File size:102'912 bytes
SHA256 hash: 013f06d4f6aa119f69b6d4deec12fdef8cb8b6dfb59a61912f09334dbd2bbad7
MD5 hash: 8193b4b11a9802fa535f892d5c86fc8e
MIME type:application/x-dosexec
Signature RedLineStealer
File name:SharedSerialization.dll
File size:31'232 bytes
SHA256 hash: e3081352a0d002e29cb28d6feef5c0163261f9dddbb0db955e8408e09ac0c1f5
MD5 hash: 930963786e4f43df059dca81b667ffdb
MIME type:application/x-dosexec
Signature RedLineStealer
File name:CudaSolver.runtimeconfig.dev.json
File size:228 bytes
SHA256 hash: e54ec18a230676f4e7003c7d3b1433256241bd4c74391bcd9e9451978a0c2c8d
MD5 hash: ebf55ea3ea38bf42a6dfcc22cc94532f
MIME type:application/json
Signature RedLineStealer
File name:appsettings.json
File size:105 bytes
SHA256 hash: 63fe4d7ae255c8fb22883e09e34a4cc850de6cc82ee4c91bf758ce6cfe956102
MD5 hash: afbe02855e1923ce0ce05d12d9dcda4c
MIME type:application/json
Signature RedLineStealer
File name:CudaSolver.dll
File size:1'075'712 bytes
SHA256 hash: b3966ba8f172a71a6073970b65f69de86f6096d1238e34c2b86f0b680f1330c7
MD5 hash: d507b0cb0ad49594fee1ca1e2e475ae4
MIME type:application/x-dosexec
Signature RedLineStealer
File name:OpenCl.DotNetCore.Interop.dll
File size:33'280 bytes
SHA256 hash: 0ca4b8e406def4eb0ff8138f39165880fa18d86dd5fd8370ea431f56982cae4f
MD5 hash: 29e6721d8ea17341309743ef79115b20
MIME type:application/x-dosexec
Signature RedLineStealer
File name:Newtonsoft.Json.dll
File size:669'096 bytes
SHA256 hash: 04f79700c4d9291f2927b2e9400f3ec38b28245195d532edd8f3e99e6a4151e1
MD5 hash: b5ccbedf93f9fec636ce9fe8b331712e
MIME type:application/x-dosexec
Signature RedLineStealer
File name:web.config
File size:537 bytes
SHA256 hash: 863721857d65cad07856eaf96d0872f6287724b4e66410924f19356368618d9a
MD5 hash: 3909ccf00e822fa4823d50fcad2906e8
MIME type:text/xml
Signature RedLineStealer
File name:Microsoft.VisualStudio.Web.CodeGenerators.Mvc.dll
File size:182'648 bytes
SHA256 hash: 796e4dd9648b2909a0f3ec6ee4ecd9bb3d5a97c8db9ee49749cf97f07a5fb50f
MD5 hash: 2b374a087652e178358346aefcae6503
MIME type:application/x-dosexec
Signature RedLineStealer
File name:hostfxr.dll
File size:402'496 bytes
SHA256 hash: aa502daef11f4eb17b638c80d7f1222a6a41846f5e7ea3961eb4e10f2dd4fa19
MD5 hash: e957b17084c3b72bebebc124be0220fb
MIME type:application/x-dosexec
Signature RedLineStealer
File name:CudaSolver.deps.json
File size:1'467 bytes
SHA256 hash: 80c78e6dc5d03b4e1c3c127cf13713677d073597d2a13472003b8954b2a543e0
MD5 hash: 2bbeff5229a6e109973654ad77a2cc56
MIME type:text/plain
Signature RedLineStealer
File name:Miner Tool v1.7.0.exe
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:1'417'964'544 bytes
SHA256 hash: 522e441c59088cb4599fc588d88d61240c460012fd1f9c293ffca14b6e626e22
MD5 hash: 55a52562b9f5f26832d3fc216dea3411
De-pumped file size:2'386'944 bytes (Vs. original size of 1'417'964'544 bytes)
De-pumped SHA256 hash: 25abc25a488468887ae9b909116f16841a6be0948c5d2b9240f64be0761653de
De-pumped MD5 hash: 962342c13fb8f413492e6a8be894ab55
MIME type:application/x-dosexec
Signature RedLineStealer
File name:CudaSolver.exe
File size:137'728 bytes
SHA256 hash: ef39c98d282f8cb1eef421fedbb68ac181a1b5aae65c7652f6b9b74155a95241
MD5 hash: 7d0167609c652f5f26a07181d4297b16
MIME type:application/x-dosexec
Signature RedLineStealer
File name:Microsoft.CodeAnalysis.Workspaces.dll
File size:2'624'944 bytes
SHA256 hash: 6977a79f315ed53bb749f432608cdd9008e6b30eb3acbcfc21d074d98b4be0fd
MD5 hash: 75668a786f139cc19cafa833ab947139
MIME type:application/x-dosexec
Signature RedLineStealer
File name:Microsoft.VisualStudio.Web.CodeGeneration.EntityFrameworkCore.dll
File size:68'984 bytes
SHA256 hash: 4a0b73b22069a2c11c023e1613692167904585bdbf5ae550f0cac298620de3e6
MD5 hash: 6176c612006ca538881a008a0fdda8c2
MIME type:application/x-dosexec
Signature RedLineStealer
File name:_README.txt
File size:1'501 bytes
SHA256 hash: 7ec9dcc00bc14490f58eac131a7fedc408c07af525417a6168cebe67e63555f6
MD5 hash: bc96bd3b3760f0b5cdf0c5738c9f1f88
MIME type:text/plain
Signature RedLineStealer
File name:OpenCl.DotNetCore.dll
File size:36'864 bytes
SHA256 hash: 984c99ed5c2c50753b9fe4591ab34d5efda2be24f552cee53a5dc82d94a903eb
MD5 hash: c41e775573af5b952ab687acd38b75b0
MIME type:application/x-dosexec
Signature RedLineStealer
File name:OclSolver.exe
File size:137'728 bytes
SHA256 hash: 318b6fd48900242354ce69d53155f97334e8758ee2e0c00b6434166c60ea3e94
MD5 hash: 1593ca23ac1fda958e812e681e777b96
MIME type:application/x-dosexec
Signature RedLineStealer
File name:Microsoft.VisualStudio.Web.CodeGeneration.Contracts.dll
File size:23'416 bytes
SHA256 hash: f16d58aa62e020ec01af3652c4154931a72394fb5d24d3af98481b4f6268b754
MD5 hash: d261765b9dbcf46a947efff66e4d87b9
MIME type:application/x-dosexec
Signature RedLineStealer
File name:System.Composition.Hosting.dll
File size:62'184 bytes
SHA256 hash: 7a26e95e0f75e803adb555ecfd02bca59a533a4855db6c861a3defb619dce813
MD5 hash: d84515ee702052020eaab048c0c221e3
MIME type:application/x-dosexec
Signature RedLineStealer
File name:CudaSolver.runtimeconfig.json
File size:154 bytes
SHA256 hash: 5a0da2eb30caaee4a09a1915fc4d6b863a6b08a76d0d29ea03004799e9fe8fa5
MD5 hash: 9a57eb2b2732869e3073c9adac67af8d
MIME type:application/json
Signature RedLineStealer
File name:Ellesmere_amd.bin.dll
File size:1'318'784 bytes
SHA256 hash: e8a7b7c89e77e14b81d46283507903654106ae57cc326f93b826fc3641296762
MD5 hash: 675aeb9b1fa0d0d2fba5a39f26690390
MIME type:text/plain
Signature RedLineStealer
File name:Microsoft.CodeAnalysis.CSharp.Workspaces.dll
File size:689'584 bytes
SHA256 hash: db85b7150ed7a68a485e76f37df2699db9868d808bc2d5906586d029977745bd
MD5 hash: e2d321cf74550c9a74c83121bf97853a
MIME type:application/x-dosexec
Signature RedLineStealer
File name:Microsoft.VisualStudio.Web.CodeGeneration.Core.dll
File size:73'080 bytes
SHA256 hash: 1db7164e2c622de8cb0ede459b10a288dcdf4fb5a7bdef59449a39aca4f12316
MD5 hash: acfcce6ad9ca4b6200cafa90f3ba7218
MIME type:application/x-dosexec
Signature RedLineStealer
File name:Microsoft.VisualStudio.Web.CodeGeneration.Utils.dll
File size:34'896 bytes
SHA256 hash: 3a9fa2a522b0d9469861d868326d9ae859cba82977f01b15d2290fc3bed95822
MD5 hash: 2f79c25ec227a3cbbadba8b86aa4b983
MIME type:application/x-dosexec
Signature RedLineStealer
File name:Microsoft.VisualStudio.Web.CodeGeneration.Templating.dll
File size:28'536 bytes
SHA256 hash: de7d2844010d0d545876bd719875f43ee8a4bcfba1a1e6903e6fd4796d79ec3c
MD5 hash: 044ba500a4a699dd0f632a097a23642b
MIME type:application/x-dosexec
Signature RedLineStealer
File name:dotnet-aspnet-codegenerator-design.dll
File size:53'320 bytes
SHA256 hash: 004963d9985d1a049f27e9cef5145d08893ba6f9f2a8b6eb4d852a3a05bd0b64
MD5 hash: 03c0634ff00a460eca1786481dd12402
MIME type:application/x-dosexec
Signature RedLineStealer
File name:System.Composition.AttributedModel.dll
File size:24'840 bytes
SHA256 hash: 04d8eb1419e053fb7502dd952f3977f75b27dede5418d5f87d21de16adbd8313
MD5 hash: 24a0c8cce8c132df82c9b9c1ae834d05
MIME type:application/x-dosexec
Signature RedLineStealer
File name:hostpolicy.dll
File size:585'784 bytes
SHA256 hash: 8460a2394e020481c8ea5111f97b4d9a79d392ead00f475f435e9c171c0556e9
MD5 hash: fb20a72ca2a0c97ace32337bb8d1c6f9
MIME type:application/x-dosexec
Signature RedLineStealer
File name:Microsoft.VisualStudio.Web.CodeGeneration.dll
File size:35'912 bytes
SHA256 hash: 1e22288e8854428ed9b2ab2b2317ef3b9a5ffd5ac8c62644ba1dfb1926956370
MD5 hash: 539e073ceb067af93642ccdd76e40a69
MIME type:application/x-dosexec
Signature RedLineStealer
File name:gfx900_amd.bin.dll
File size:1'036'608 bytes
SHA256 hash: 8887b83722fa5524ebd12d72e6b930ac25fe4751ebac70958aebdae84c484c97
MD5 hash: d09c80ad69afb30d5db00e1f612c36d5
MIME type:text/plain
Signature RedLineStealer
File name:System.Composition.TypedParts.dll
File size:64'760 bytes
SHA256 hash: 2c609bed3bbd2be810471e31e36b12cb321a50fc2541e8f29c1f59c8cf869c41
MD5 hash: b91887bfca35e50cce9f2d7102c88706
MIME type:application/x-dosexec
Signature RedLineStealer
File name:OclSolver.deps.json
File size:1'563 bytes
SHA256 hash: 110624df26c8781f7c088e03575bc3e9f2ae947a18822130f9c6d9aa35536d16
MD5 hash: 2cc5f28074652b678ce754dc4a78c4b1
MIME type:text/plain
Signature RedLineStealer
File name:NuGet.Frameworks.dll
File size:108'688 bytes
SHA256 hash: 9c021fbbdf0c763f5743c010f9634caf36b54224965265ee8dc42c8b538dc180
MD5 hash: 7212779d5f18755ea60cc192fabbd7d0
MIME type:application/x-dosexec
Signature RedLineStealer
File name:System.Composition.Convention.dll
File size:59'128 bytes
SHA256 hash: 0bd24c729772169c995590d0faa92ffd428a9e17c41845c614c4afba5b0c787f
MD5 hash: 8246fe61081b4c23ffd9c45dd0e4b15b
MIME type:application/x-dosexec
Signature RedLineStealer
File name:ManagedCuda.dll
File size:1'773'568 bytes
SHA256 hash: 23327daf569e0df2cd8498f3df0158f9bf2f09110241161dfa85c483702331b5
MD5 hash: 9fad2e92a9f860719cd9a03950a15d1b
MIME type:application/x-dosexec
Signature RedLineStealer
File name:OclSolver.dll
File size:137'728 bytes
SHA256 hash: 31cde0581a82e89333c379da072272a93d5520ec27abc2b953077790b8ff8cb4
MD5 hash: 8ab079a3c61ec553ff0173073381f1f6
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:PK_PUMP_AND_DUMP
Author:Will Metcalf @node5
Description: Walks Zip Central Directory filename entries looking for an abused extension, then checks for a file that's at least 25M, and then checks how the uncompressed size compares with the compressed size

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)

Malware family: RedLineStealer

This sample: zip b0c8266db48efba84dcc0e75b870cd5000f18f7dbbf68be2a896409881b69b13

Dropping: SHA256 522e441c59088cb4599fc588d88d61240c460012fd1f9c293ffca14b6e626e22 (the pumped Miner Tool v1.7.0.exe contained in the archive, see the file archive information above)

Comments