MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d86b71e78c90c404f96e91fdf3f6394d2cec47b4da41e9f6c99c9c23af37a92c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	d86b71e78c90c404f96e91fdf3f6394d2cec47b4da41e9f6c99c9c23af37a92c
SHA3-384 hash:	0e7bf2ab490f585de59e382c8c0813a998be3ac5b7af4bebafaab292b9591ea19232479407654a4a190394dbf4a3b866
SHA1 hash:	c530ac91aa237258140b92cbe7cd30232c85af8e
MD5 hash:	236daa15aad3ad556c93e51ab43c6eae
humanhash:	wolfram-mike-quiet-winter
File name:	Install_GPro.zip
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'134'395 bytes
First seen:	2023-01-03 07:26:56 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:Zxlys57J38kjE49FR96jnBaXcUKeL/P5ElVbQuRxYJNjS4do8XMB1eY6u:Hlys5t3vz6jnBodPMY24do8X8sS
TLSH	T10135EF29F4553662EC4EC9F005B02DB003E96E70226F97C82235B52FA767F6E9B34935
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	JAMESWT_WT
Tags:	file-pumped RedLineStealer zip

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Install_GPro.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	691'748'864 bytes
SHA256 hash:	a71b1ab45acd00316341eb0d8e97e9f96005559dfe8080b889e88c426e4a42f3
MD5 hash:	898cb26f23ed3376b01d45eeaf8a0a22
De-pumped file size:	753'664 bytes (Vs. original size of 691'748'864 bytes)
De-pumped SHA256 hash:	0dd8686c9c753b97f1004c90de645a782ac9801935dd3f5f46c0ae1e80bf87f2
De-pumped MD5 hash:	2672f76c93e4ff318122049d83c0d0b0
MIME type:	application/x-dosexec
Signature	RedLineStealer

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Redline-9938775-1

Win.Packed.Lazy-9958163-0

Gathering data

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/d86b71e78c90c404f96e91fdf3f6394d2cec47b4da41e9f6c99c9c23af37a92c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d86b71e78c90c404f96e91fdf3f6394d2cec47b4da41e9f6c99c9c23af37a92c/

Threat name:

Win32.Trojan.Strab

Status:

Malicious

First seen:

2023-01-03 08:11:14 UTC

AV detection:

6 of 40 (15.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3bvxdz4msdcaj6losh67h5rzjuwoyr5u3ja6t5wjtsochlzxvewa._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:5844778753_99 infostealer spyware

Link:

https://tria.ge/reports/230103-jgdeysea4z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

Malware Config

C2 Extraction:

themocca.xyz:3306
themocca.xyz:28786

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d86b71e78c90c404f96e91fdf3f6394d2cec47b4da41e9f6c99c9c23af37a92c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample