MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683
SHA3-384 hash: 1b0c07b5c15b528a14b047632bb9285630d95a8472d9bbc0d2194ec620da5ce075fcd2330b823af718635ee586e57dd2
SHA1 hash: 1fdeb7ea4527b902e43cdac7cf733865513e570e
MD5 hash: b00dc98331daf06c9fdd3ac0eb5ca802
humanhash: tennessee-undress-batman-yankee
File name:KRAKEN.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:14'450'849 bytes
First seen:2022-01-12 09:57:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 393216:8bxZIjT3QFJjoijlvZPuVb3ChJy7NSXSwo4ZT4rv:8bxZI3gFJjFZ2Vb3Ch87U7TMv
TLSH T19FE63380DFD8E650EF0E7AFD6C75E0D5815BACBE0024A77B92083CD69361BBD648C619
File icon (PE):PE icon
dhash icon 8686b2e8e8b2cccc (11 x RedLineStealer)
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KRAKEN.exe
Verdict:
Malicious activity
Analysis date:
2022-01-12 09:44:24 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/cac7e435-5519-42e3-a401-077c46e32190

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Result
Verdict:
MALICIOUS
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13962c1e-7da9-4f23-88af-c618c63b1a38
Result
Threat name:
Phoenix Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/919172
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 551648 Sample: KRAKEN.exe Startdate: 12/01/2022 Architecture: WINDOWS Score: 100 126 Antivirus / Scanner detection for submitted sample 2->126 128 Multi AV Scanner detection for submitted file 2->128 130 Yara detected Phoenix Miner 2->130 132 4 other signatures 2->132 11 KRAKEN.exe 10 2->11         started        14 RegHost.exe 1 2->14         started        process3 file4 90 C:\Users\user\AppData\Roaming\3.exe, PE32+ 11->90 dropped 92 C:\Users\user\AppData\Roaming\2.exe, PE32+ 11->92 dropped 94 C:\Users\user\AppData\Roaming\1.exe, PE32 11->94 dropped 17 3.exe 1 2 11->17         started        21 1.exe 11->21         started        23 2.exe 11->23         started        180 Detected unpacking (changes PE section rights) 14->180 182 Detected unpacking (overwrites its own PE header) 14->182 184 Machine Learning detection for dropped file 14->184 186 6 other signatures 14->186 26 explorer.exe 14->26         started        28 bfsvc.exe 1 14->28         started        30 conhost.exe 14->30         started        signatures5 process6 dnsIp7 86 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 17->86 dropped 134 Detected unpacking (changes PE section rights) 17->134 136 Detected unpacking (overwrites its own PE header) 17->136 138 Machine Learning detection for dropped file 17->138 152 3 other signatures 17->152 32 explorer.exe 1 17->32         started        34 curl.exe 1 17->34         started        37 bfsvc.exe 1 17->37         started        40 conhost.exe 17->40         started        140 Multi AV Scanner detection for dropped file 21->140 142 Writes to foreign memory regions 21->142 144 Allocates memory in foreign processes 21->144 42 AppLaunch.exe 15 5 21->42         started        102 accounts.google.com 142.250.203.109, 443, 49743 GOOGLEUS United States 23->102 104 youtube-ui.l.google.com 216.58.212.142, 443, 49739 GOOGLEUS United States 23->104 106 www.youtube.com 23->106 146 Antivirus detection for dropped file 23->146 148 Tries to harvest and steal browser information (history, passwords, etc) 23->148 44 RegHost.exe 26->44         started        150 Hides threads from debuggers 28->150 46 conhost.exe 28->46         started        file8 signatures9 process10 dnsIp11 48 RegHost.exe 32->48         started        96 api.telegram.org 149.154.167.220, 443, 49751 TELEGRAMRU United Kingdom 34->96 51 conhost.exe 34->51         started        154 Hides threads from debuggers 37->154 53 conhost.exe 37->53         started        98 185.255.134.22, 49752, 80 SUPERSERVERSDATACENTERRU Russian Federation 42->98 100 api.ip.sb 42->100 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->156 158 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 42->158 160 Tries to harvest and steal browser information (history, passwords, etc) 42->160 162 Tries to steal Crypto Currency Wallets 42->162 164 Injects code into the Windows Explorer (explorer.exe) 44->164 166 Writes to foreign memory regions 44->166 168 Allocates memory in foreign processes 44->168 170 2 other signatures 44->170 55 explorer.exe 44->55         started        57 bfsvc.exe 44->57         started        60 conhost.exe 44->60         started        signatures12 process13 file14 108 Injects code into the Windows Explorer (explorer.exe) 48->108 110 Writes to foreign memory regions 48->110 112 Allocates memory in foreign processes 48->112 116 2 other signatures 48->116 62 explorer.exe 51->62         started        64 bfsvc.exe 51->64         started        67 conhost.exe 51->67         started        69 RegHost.exe 55->69         started        88 \Device\ConDrv, ASCII 57->88 dropped 114 Hides threads from debuggers 57->114 71 conhost.exe 57->71         started        signatures15 process16 signatures17 73 RegHost.exe 62->73         started        76 conhost.exe 64->76         started        118 Writes to foreign memory regions 69->118 120 Allocates memory in foreign processes 69->120 122 Hides threads from debuggers 69->122 124 Injects a PE file into a foreign processes 69->124 78 conhost.exe 69->78         started        80 bfsvc.exe 69->80         started        process18 signatures19 172 Writes to foreign memory regions 73->172 174 Allocates memory in foreign processes 73->174 176 Hides threads from debuggers 73->176 178 Injects a PE file into a foreign processes 73->178 82 conhost.exe 73->82         started        84 bfsvc.exe 73->84         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683/
Threat name:
Win32.Trojan.Suloc
Create hunting rule
Status:
Malicious
First seen:
2022-01-12 09:58:25 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=adfkkstemi346ahtavqtzxm6b2g5rzg43fygxpp4ohrc63thg2bq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware stealer upx
Link:
https://tria.ge/reports/220112-lzhthacbhm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
cc03653485a68335748cadae5ea3f4457162ede3a02c5c8acf92aee9cb493d4d
MD5 hash:
3b3020136d02f5736ec658e78767c989
SHA1 hash:
f7171363f2ba7edb72eae4aa63e649c1c49d1747
Link:
https://www.unpac.me/results/211aa47a-22c4-4b9b-a26d-befe09b87373/
SH256 hash:
6eec9eeb5d48f3a94a7f4ece71f16cf1370842d8812f8ce23902ce9bb63041e3
MD5 hash:
e4d8c90bbc35446d31e2ec12033e3672
SHA1 hash:
2c1374471fb91e81bbdd81e828004fbc600e30ed
Link:
https://www.unpac.me/results/211aa47a-22c4-4b9b-a26d-befe09b87373/
SH256 hash:
00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683
MD5 hash:
b00dc98331daf06c9fdd3ac0eb5ca802
SHA1 hash:
1fdeb7ea4527b902e43cdac7cf733865513e570e
Link:
https://www.unpac.me/results/211aa47a-22c4-4b9b-a26d-befe09b87373/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/00caa54a6462/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments