MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc8f7aa134b3771bf328e7d5aed9b7bdac2e0794c60a382e1b0b337dbc31c8de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc8f7aa134b3771bf328e7d5aed9b7bdac2e0794c60a382e1b0b337dbc31c8de
SHA3-384 hash: 50e7f6ccd20c4b6a97a87dce909dbe8b8ef220b20d2cddc8e5ad4e14fd28aa8e50c532a43a92c9c1d6faf5012a870904
SHA1 hash: c679872fd4271d32f48d31585eb82baac27c4315
MD5 hash: 8d89e8b5060fe84f7d3a19b8c117816c
humanhash: fifteen-mountain-snake-sierra
File name:fc8f7aa134b3771bf328e7d5aed9b7bdac2e0794c60a3.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:420'352 bytes
First seen:2021-07-08 20:20:32 UTC
Last seen:2021-07-08 20:36:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f49bd1461bc5e7aca624c8f26bf5840 (2 x RedLineStealer)
ssdeep 6144:JybDsTHrqkl7l7NXZKwPYCi57+EvxOq1KBDJgy33FkR5cgRZNq9Bdg6B:JGIOkl7l7NXTAh74DJgyZoqBz
Threatray 1'042 similar samples on MalwareBazaar
TLSH T19D949E10BA90C035E2F366F54A7A93B9643D7AB15F2041CBF2D46AEE17346E0ADB1317
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
65.21.122.45:8085

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.21.122.45:8085 https://threatfox.abuse.ch/ioc/158437/

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fc8f7aa134b3771bf328e7d5aed9b7bdac2e0794c60a3.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 20:22:54 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/8dac74de-5778-4274-a934-9a2a8d1b32ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170560/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.30527.28535.29584.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c18021df-aab3-40a2-9ec4-fde73000413d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813753
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc8f7aa134b3771bf328e7d5aed9b7bdac2e0794c60a382e1b0b337dbc31c8de/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 20:21:05 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7shxvijuwn3rx4zi47k25wnxxwwc4b4uyyfdqlq3bmzx3pbrzdpa._file
Verdict:
malicious
Similar samples:
114858da0fd1b5ea7a2d05d6dbd8d6d752926a4bc912a297d97b5776746a31bc
RedLineStealer
12155a842ef95b7c5e481c325508c0cc43bba8128174c548cd72b67f12a97362
RedLineStealer
1cb95cc404cfc980c36cb61f53709115b283a35512bf62c09a74d044ca3dbc04
RedLineStealer
7525f2c1ccec025adb8f773ab10ecd9cee7bacec9949a7415ad239cec969bfb8
RedLineStealer
78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16
RedLineStealer
9cda98989c3b49da5566c23722e52231ecf25934e12e81c09bc845312f6a86d9
RedLineStealer
a4ba89389929db2c9baa52e9b858164dad161d53ba61a73712a2c3ba92b49ec5
RedLineStealer
bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034
RedLineStealer
f77ee607590d0eea0340f732222a78f3ffdb990c45796075071b051aeb83afbe
RedLineStealer
+ 1'032 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:cryptor.biz discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210708-z7xm1sdjdx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
65.21.122.45:8085
Unpacked files
SH256 hash:
a8d8c87558d2ae99ec4e391b7bd4b6804bce492f5623f113f853223eefbd9edd
MD5 hash:
aa23f5c37a9e4cfb208fc3f6e2268773
SHA1 hash:
f12be20df8e5f55c6b893e0e5f8d93e68fc6eaa3
Link:
https://www.unpac.me/results/94fa09c8-7f6f-4920-88d2-e40e213da6bc/
SH256 hash:
8b3e42c78d2f0be99b9dbea583578d9408ae167ad5ae83809e66a019a37d5194
MD5 hash:
24bda62f020ef4bee68239354883ccd3
SHA1 hash:
47d6ea25b2cc17b0bf57dd26639bba66a7a89eda
Link:
https://www.unpac.me/results/94fa09c8-7f6f-4920-88d2-e40e213da6bc/
SH256 hash:
b4942e05d1a60f0d69f637e5148f0d10918167e2311aef03370c364f71d269e3
MD5 hash:
f51dd85733bc60aa9d58b880c665d4a3
SHA1 hash:
043c509028438d593d7b8d922c5b4b36ca1b2e32
Link:
https://www.unpac.me/results/94fa09c8-7f6f-4920-88d2-e40e213da6bc/
SH256 hash:
fc8f7aa134b3771bf328e7d5aed9b7bdac2e0794c60a382e1b0b337dbc31c8de
MD5 hash:
8d89e8b5060fe84f7d3a19b8c117816c
SHA1 hash:
c679872fd4271d32f48d31585eb82baac27c4315
Link:
https://www.unpac.me/results/94fa09c8-7f6f-4920-88d2-e40e213da6bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc8f7aa134b3771bf328e7d5aed9b7bdac2e0794c60a382e1b0b337dbc31c8de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170560/

Comments