MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0122e4f52347d81ff21425e6342c3c64a7b72f0c04adf05b2d5ec1428077b961. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0122e4f52347d81ff21425e6342c3c64a7b72f0c04adf05b2d5ec1428077b961
SHA3-384 hash: c706d92e4abe08c3a8b86cc7a8282e1cbe0352ebaf21c28d3009ea8844336d358209f9cf2eaf5c7cd8b665e97fe51180
SHA1 hash: 19ff0f5c5f286f340908e1fab796e10d2fd6c53a
MD5 hash: ef831cda67e20d628912577e57e26c6b
humanhash: monkey-ink-delaware-three
File name:Pluxo.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:9'280'157 bytes
First seen:2022-01-07 16:07:00 UTC
Last seen:2022-01-07 18:20:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 196608:8pYbFPeyQQUk76r7qnSuGGDlh6adk2xBpLWJ9pMh2YFPQbj7:8abFWH9S6fbElQviBEXQxFPQz
Threatray 166 similar samples on MalwareBazaar
TLSH T134963394E4E5033BCF280FB6050DB9AE961BDB4A74188D6D5F80312B95FEEB2DE04395
File icon (PE):PE icon
dhash icon 70c4829ac66c68b2 (5 x RedLineStealer)
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pluxo.exe
Verdict:
Malicious activity
Analysis date:
2022-01-07 16:06:50 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/94be4f2a-0712-49f9-ab68-5706b82326da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217754/
Detection(s):
SecuriteInfo.com.Heur.Mint.Porcupine.@xZabiXPABkig.27085.15435.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61d8652902e388f9fdb3701b/reports/89a8dfad-51fa-4a11-9163-c179fd30e428/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba76129f-a408-4b11-814e-deba1937dab7
Result
Threat name:
Phoenix Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916919
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549397 Sample: Pluxo.exe Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 101 Multi AV Scanner detection for submitted file 2->101 103 Yara detected Phoenix Miner 2->103 105 Yara detected RedLine Stealer 2->105 107 3 other signatures 2->107 9 Pluxo.exe 10 2->9         started        12 RegHost.exe 2->12         started        15 RegHost.exe 2->15         started        17 RegHost.exe 2->17         started        process3 file4 79 C:\Users\user\AppData\...\onyxx0_build.exe, PE32+ 9->79 dropped 81 C:\Users\user\...\g3Checker_crypted.exe, PE32 9->81 dropped 83 C:\Users\user\AppData\Roaming\d.exe, PE32+ 9->83 dropped 19 onyxx0_build.exe 1 2 9->19         started        24 g3Checker_crypted.exe 9->24         started        26 d.exe 9->26         started        141 Antivirus detection for dropped file 12->141 143 Multi AV Scanner detection for dropped file 12->143 145 Detected unpacking (changes PE section rights) 12->145 159 2 other signatures 12->159 28 explorer.exe 12->28         started        36 2 other processes 12->36 147 Injects code into the Windows Explorer (explorer.exe) 15->147 149 Writes to foreign memory regions 15->149 151 Allocates memory in foreign processes 15->151 30 explorer.exe 15->30         started        32 bfsvc.exe 15->32         started        34 conhost.exe 15->34         started        153 Modifies the context of a thread in another process (thread injection) 17->153 155 Hides threads from debuggers 17->155 157 Injects a PE file into a foreign processes 17->157 38 3 other processes 17->38 signatures5 process6 dnsIp7 85 185.137.234.33 SELECTELRU Russian Federation 19->85 75 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 19->75 dropped 109 Antivirus detection for dropped file 19->109 111 Multi AV Scanner detection for dropped file 19->111 113 Detected unpacking (changes PE section rights) 19->113 125 4 other signatures 19->125 40 explorer.exe 19->40         started        56 3 other processes 19->56 115 Machine Learning detection for dropped file 24->115 117 Writes to foreign memory regions 24->117 119 Allocates memory in foreign processes 24->119 42 AppLaunch.exe 15 5 24->42         started        46 WerFault.exe 23 9 24->46         started        87 142.250.186.174 GOOGLEUS United States 26->87 89 172.217.16.141 GOOGLEUS United States 26->89 91 8.8.8.8 GOOGLEUS United States 26->91 121 Tries to harvest and steal browser information (history, passwords, etc) 26->121 48 RegHost.exe 28->48         started        50 RegHost.exe 30->50         started        77 \Device\ConDrv, ASCII 32->77 dropped 123 Hides threads from debuggers 32->123 52 conhost.exe 32->52         started        54 conhost.exe 36->54         started        58 2 other processes 38->58 file8 signatures9 process10 dnsIp11 60 RegHost.exe 40->60         started        93 185.255.134.22 SUPERSERVERSDATACENTERRU Russian Federation 42->93 95 104.26.12.31 CLOUDFLARENETUS United States 42->95 127 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->127 129 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 42->129 131 Tries to harvest and steal browser information (history, passwords, etc) 42->131 133 Tries to steal Crypto Currency Wallets 42->133 97 20.189.173.20 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 46->97 135 Modifies the context of a thread in another process (thread injection) 48->135 137 Hides threads from debuggers 48->137 139 Injects a PE file into a foreign processes 48->139 63 conhost.exe 48->63         started        65 conhost.exe 50->65         started        99 149.154.167.220 TELEGRAMRU United Kingdom 56->99 67 conhost.exe 56->67         started        69 conhost.exe 56->69         started        71 conhost.exe 58->71         started        signatures12 process13 signatures14 161 Modifies the context of a thread in another process (thread injection) 60->161 163 Hides threads from debuggers 60->163 165 Injects a PE file into a foreign processes 60->165 73 conhost.exe 60->73         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0122e4f52347d81ff21425e6342c3c64a7b72f0c04adf05b2d5ec1428077b961/
Threat name:
Win32.Infostealer.BroPass
Create hunting rule
Status:
Malicious
First seen:
2022-01-07 16:07:18 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aeroj5jdi7mb74quextdilb4mst3olymasw7awznl3aufadxxfqq._file
Verdict:
malicious
Similar samples:
016c36da3c46c38f9bc18970acf60b437503e15139fd1047f4b73cdad4d6342a
RedLineStealer
0bb2a624381f00f9b81dea228893195798d1de203c0289637b140bdfeb9fc85a
RedLineStealer
213fce24e326925749adebaff2d85e23bba2b616c872e2089b23fa231f18756e
RedLineStealer
3980a26f3644a2e8749461e88bfa44849557613bdd9b27656a5cec2cd5122527
RedLineStealer
932fda59abbce6378d0637c359b61b0747c9602e2e87d3105bb49ad745ed382e
RedLineStealer
a16e7379dfd435c1b99183299ecbdb3b468e47cc68bb9a14bef5fda17bb2e942
RedLineStealer
e56e40b828cafc16582377e3086fa8a9f892190d2e6fe5b2686039c65dfb7360
RedLineStealer
f95825c13bfccaa3bffe49f65d584cd015ce109b265df7bc75ace85c72ce7435
RedLineStealer
+ 156 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware stealer upx
Link:
https://tria.ge/reports/220107-tkmsxacdf7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
185aa00a1650a656c7c3a59f60ef6aed6656b111869652586cd9557adabe905a
MD5 hash:
b8200f7b74349a1975b057c058323587
SHA1 hash:
a99fb682bb0ef6a9d3cb383cbbd3df56ccced0f1
Link:
https://www.unpac.me/results/bc020270-dd11-4374-9582-ae0cec8bae10/
SH256 hash:
0122e4f52347d81ff21425e6342c3c64a7b72f0c04adf05b2d5ec1428077b961
MD5 hash:
ef831cda67e20d628912577e57e26c6b
SHA1 hash:
19ff0f5c5f286f340908e1fab796e10d2fd6c53a
Link:
https://www.unpac.me/results/bc020270-dd11-4374-9582-ae0cec8bae10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0122e4f52347d81ff21425e6342c3c64a7b72f0c04adf05b2d5ec1428077b961

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0122e4f52347d81ff21425e6342c3c64a7b72f0c04adf05b2d5ec1428077b961

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217754/

Comments