MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27501e55e31ad207203ef37745df5d44d60514d6affe54ca3eda94060e7b0d6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27501e55e31ad207203ef37745df5d44d60514d6affe54ca3eda94060e7b0d6c
SHA3-384 hash: b1da8f88c3b6a5b9a6ab3ab4504290296e84a79f4e602dc460d718083a5744a57eace952cfce8e47119e0ffeb771d97e
SHA1 hash: 79763331ed98bba231bff43aa27868983aecee8e
MD5 hash: 1a3def9d727857f76b63bbfec1578da2
humanhash: bacon-bluebird-thirteen-illinois
File name:1a3def9d727857f76b63bbfec1578da2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:246'784 bytes
First seen:2023-01-01 14:35:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8dc952aad89199c54629c246576ee419 (15 x Smoke Loader, 4 x RedLineStealer, 2 x Amadey)
ssdeep 3072:n8XZ8IZhq4L9wxmzn245hZTkOXfsTFUm4UygmDfpRR5vnIWkYmTeWbM2nvQGW7ih:4Zrq4Lv2YZdXfazT5mXR5lmaWbV4b7i
TLSH T13134AD6D36ADD771C1D31930883DFAA41A7ABCB19B3C4A4B37953B4F2D732908626706
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acedecee6cae6 (4 x Smoke Loader, 4 x RedLineStealer, 3 x Amadey)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.15.157.136:7429

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
1a3def9d727857f76b63bbfec1578da2.exe
Verdict:
Malicious activity
Analysis date:
2023-01-01 14:36:36 UTC
Tags:
trojan loader smoke rat redline
Link:
https://app.any.run/tasks/c46394aa-8757-4947-94c7-1b870a0a448d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL-21.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63b19a53bf1064ac5b2d50aa/reports/e22d5b2d-6313-4350-84c0-cb4a17f29c93/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80db81a2-2cf9-4327-bbcc-de81428d78fc
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1143882
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide a thread from the debugger
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 776612 Sample: nbiYG8GrzK.exe Startdate: 01/01/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 8 other signatures 2->51 8 nbiYG8GrzK.exe 2->8         started        11 sjsujga 2->11         started        process3 signatures4 65 Detected unpacking (changes PE section rights) 8->65 67 Maps a DLL or memory area into another process 8->67 69 Checks if the current machine is a virtual machine (disk enumeration) 8->69 13 explorer.exe 17 8->13 injected 71 Machine Learning detection for dropped file 11->71 73 Creates a thread in another existing process (thread injection) 11->73 process5 dnsIp6 39 paris.newemprirez.com 194.110.203.101, 49740, 80 KMBBANK-ASRU United Kingdom 13->39 41 raw.githubusercontent.com 185.199.108.133, 443, 49747 FASTLYUS Netherlands 13->41 43 5 other IPs or domains 13->43 31 C:\Users\user\AppData\Roaming\sjsujga, PE32 13->31 dropped 33 C:\Users\user\AppData\Local\Temp\FFDA.exe, PE32 13->33 dropped 35 C:\Users\user\AppData\Local\Temp\F1CF.exe, PE32 13->35 dropped 37 6 other malicious files 13->37 dropped 75 System process connects to network (likely due to code injection or exploit) 13->75 77 Benign windows process drops PE files 13->77 79 Performs DNS queries to domains with low reputation 13->79 81 4 other signatures 13->81 18 EB95.exe 13->18         started        21 F1CF.exe 2 13->21         started        23 BECF.exe 1 13->23         started        25 14 other processes 13->25 file7 signatures8 process9 signatures10 53 Multi AV Scanner detection for dropped file 18->53 55 Machine Learning detection for dropped file 18->55 57 Contains functionality to detect virtual machines (IN, VMware) 18->57 63 4 other signatures 18->63 59 Detected unpacking (changes PE section rights) 21->59 61 Detected unpacking (overwrites its own PE header) 21->61 27 conhost.exe 23->27         started        29 WerFault.exe 23->29         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27501e55e31ad207203ef37745df5d44d60514d6affe54ca3eda94060e7b0d6c/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-01 14:36:08 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5ib4vpddljaoib66n3ulx25itlakfgwv77fjsr63kkamdt3bvwa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:@zallllis backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230101-ryj8tsbh92/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
RedLine
SmokeLoader
Malware Config
C2 Extraction:
45.15.157.136:7429
Unpacked files
SH256 hash:
57d57c0a8564dec73c5dfde1d20eb1c412eae4d69ff9b6c13164d2598c635319
MD5 hash:
728cbb098020dfae32eef9756b17b4a9
SHA1 hash:
4ce2b91287009490ad2573346aedeb60cd9ca33e
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/530eacf4-2045-4e3e-9f38-87ae43150081/
Parent samples :
9bde4566e2d4a14db5f7f185261c4a42cb54606220ef8fc6e3ca4014307ec6e1
27af32a0fb394c5def392f654d808fd6d70965f69f8d7864b47d86f09323e9e5
56391ef80a41fa12a0488f69af8f55765a5066f681c317cfc159fadd3558f076
76484f37eec1f39bdee7340357196dab1092024b62e35cffda65b79071990a89
fc9b641b739432101f1d21c296e4791ad4e09a5712ecc47a82f99b1f6588c675
f5f8bc4de709b8e087d07dffb4b166fc74b6f94573b9e155047ab8cf3bc9a9f0
39bcef72c1d63be1b223247807de8e81dc5735163100427b4626510167922c2f
cf51bc057f6b5faae5eef862759fc80d999e0b48da5d123cd65d9f5bcf06c7b5
ecf497b7117deebe7847f7b308a00684738319c774304c36621188f1964e1ce3
6777fb49f3b7b0683745801508d19f792715107d8bbb6e2c9b77e3b6dd90cdad
92f7063fc037fc2b18f0c78afd4463734ebf43dd2936b2b4398cab47da7ab1e5
d469d2a733240cf3839366dd1c0ec57ae6b218304894afa7236606d8cedf488b
3a99389b880ae3f89214477a855bb16090ca2b50816c864527ea9bf97f1ef182
08f5ac47b3775e23096ed6113a609fd46971e2f3ffc9d97c7f28a93fa446987c
b9d500089d2b663cc2a61c85ef3ea3320dc7cc90f6cf82983e72d3ad1f433b2c
83b6484009cd1bd51d0163b1a322221b0eac4639c103bcde811d98ced952a40c
4753b1d055e7872c58c94c05598ce16f0556365b1b6fb86d71b9bd7eda59b523
b40cf8e538f2c6e214fd1393f9fc5d556a91e6e49d7fc3a855e10b29c69fb185
b0aaaed2223c561040ede536bd6ac63a4910f7f231c3be0f0a909f1a80defc51
e7c3cff0ae5c18797117676076ccd7c501fc47d2e0da7e61826ed234eb4bed43
4de83560a88904770daab30fd5a2892f60d95c48f5db331499981489ee03ab57
c73ef09e477da35d5bb45f38f95cdda7f55f3ecd1b70bbd44bd21821cfd04a9c
cff9384543d02b9b90491d23ea9d3cb4a19416f8994176e82463787a9810257a
6675b1544041573e945a32a1e25cc7f72324daeacaca978702f1b3e4f15444b0
646d5f8716f7b3877f744a3087fb8b04dd2259ca386047292134d7a372b8b5ee
c48b6c5b3bad17a697498863f33b6d468a77af2b9cab8b9c3896f8b074ff8ea5
253c30cb71da9048557691a67f05e87c83c103c691b27e17674805eb0aa08aed
cee9ac5b2939194b5e86eb7e3cf1bbbf47999cfc10d5759eea3924f11d35b50c
871b6be06ffa50dba84271d72417b99ba67b701d773cac304138bca582e0f1b9
d1d6cb926e13808764271dbc10680e34ab3665997731a8b650c6e8fa27a24097
a0c596054ba3c272a4138874f918347bc9d3d67370a66fc1f1152cee60ae9546
680ba889fe8404eae74f3b037e9acc69703c8d96f311314d25f9e04e6177cc3d
27501e55e31ad207203ef37745df5d44d60514d6affe54ca3eda94060e7b0d6c
2654475cea33d0b2cdec44ffff6290b987d5de1d0be3fa7a53bbd93b6bce28c9
1748f1b8ff48ebe68d7bc6e2864424f6c4af667a73b6d18861b76aa9771ccb6b
43a9f0409fde0327f0182a3973c267743c5619ffc985c9952457d972eea7a506
4d79b7488391f7d95b18e48aa1fcb8a4a659607a79b42856220430dcbda10ed7
9de08a9d6131e56db8e1f67f14d4f5374a29d5afac971eac4afd66ec3ecbebfc
45f4b6f04bd3858d8f2c6ae699d9c38828aadcb56c2cdb4c24cbdfe8590c88a8
1d5d32418c5fe0c3d196fdf89115f606ab80a17273f3b218b9c1578001ea6aba
70f8c2ea59d53f53e787ab22e60128f1bc3aba6c85e3cb413e69ff2fb5aad129
116d2a223334379de7387f0d5026b99ca8fb93231a69dc9f45c2fb1c73800e0c
df25912c1ea938ce4084ca5a0bd710fd636353f47f4ed45e12a7b2218dc3691e
46763a6c69ef95bcb1e5f62b7d2cfbfe60c26df1b65a0731a3b3050d85229660
8a29e1c6c28c4124ac50b1dd1424ad8e7316eff59cb4b9a6dcafb9556aee4d64
a108cb7fb55413596c27e5c26ab7504de599e3887fc89270d0d3610ac3c81c7a
0cb4087b8d532e5fae9ff5d39815fd9b394f9e12cbf783a32329f925022350bc
20b4ea1f84a5e558f9665e34dde6f63139f0d71308d7175b2b19f7d7a27415b6
cb0f791c1ccc430d02b0e951a689b4a34f6823d1097fef5e81d3099a2851c731
732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516
af1c47083cde473c274f24477088df0084cbfd82bd90b64fb67b5aaee4dca820
ffbd7d675bcd4f230a06234d3d6b0121ed728e98ed60127c6bada7e1d4c1afba
edd4bdbdd4718c8e28c0e35043c199a4beed017857aa8add3d3079e7ffdc5b4d
5c4e05a0c7fcaa16fdcb3ce45e19b5706197d53bcc92329f883a0da3ddcbde9c
c765c5eff31e5a55a24fc3b5a9ae0ff6e3b8d73f4ae863f3177e99e9b32a3d9a
e0e3705c5fcef8f160ebe209e6f5e2e872f6168b80634ba50cf0bd940f130267
32b2911f42f6973883ef52d8d56cafc12aa01e38142782f3c5a54f3c4b5b5320
58c5bdd58725bde8e93de886595b457295582fdd1848838741ec5461c8cdef49
050c2acd0f467ab6089c32fa9b0921bb1685ef697b6ef2ed7509db4e18eaff9e
853b424c47207c0f989bddab7a6ea8774e25126229bbaa122ea455612d652ef9
f8280593a2b0675b0cf5ab201457706593cc5fb6c6c789632825e578db8acd50
f4f641ef6dfb91df7d7071e7338ada9383ed6e0f1fd8df388fd8e2c1a54a98cc
c4c7dc85ff835323b9f3c0a41cc8a84c14731142ec23d161f90f90ee32058aff
91771c60412e06e8057a051502c45554b7ff66ab283b7e82065d863eec5d94c2
0d2740b8702d1908d1d5ff4055adde8cbf6199c34542c2522159622a4b6df1e6
a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4
a018d20dcabdca669d01a163c095b08d24dfd05f0c092776f8e938ec32141fbf
f26f96e09abbc77ca03bf7c1b884e455eb68f53c02854410ab5904802c92fed1
3d1c1f4d43e235a0803bf3c690c0db4a82c84efce9d842cd93dbdb335fa1d493
ea4e804e68f2593d3ada18fe9e5cf26754e6a5349e862d77028911d3ac613333
47a20ebc7f81cc8b99991644291d40b89c376f8fb820099317f6dca973f74063
274d76cc5803e8fd71f122659f2d0498ae4a85abeb201fe960bba4354975c426
8c5716696984dedf4f11e3c3aae1b86e94aec2594587a168a14d3d7032170135
2d1a40a6d316ad3ed0426cc17848db9f70664a7e63397308a8946d9de079d1f2
a19e2b87b1938f3e5282a63d510073f4264feb7d9e1763626dd9038db0c95d89
fd7d1eafb3ae05eb88577044b394b8cb58d3a0ae5e6d5a1bc935f7e0bd7ecc18
9f0d0d42b8c5d14f1cd98e79edafa729daca05eaae7dbdcfe940f19b83430e2a
b386457fb2917a1e71aa8f8e24ce577984a2679d518cf0c098d6175f6410b569
6a70bacccaa2d9ccc6f5320da5de46bf6cb9b1e23a22fd6fc0a7e59ce10eee25
bb1c58e417728f1e7c4e57eca95644744868b75145124123114a45652f8361fe
15177b57aeee8322fd44fda943d9224bee553c9517c9a8955c08f3d80682bb4c
971ea7e0b272253b8902258a426e1a532bcebe740060889860424068d088e0aa
2568be086143b8b0226d938449f3563e90d2ee0ef0b3370966c01df9c8f1143f
928b339a13c0dcfbaae8b9fc1d0489de4795a0f6c21b6d94832b30c31bf10907
2665361cf05b16f5e4a06e0854b242bf8af84443a9a58fdf20781a56a0be4aea
52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb
21063fbe8f41527df5613ed1fec86e81f25e7649ecee571ec24115f8d40e0273
87e2ac245b2276d84c64ce5b1694c10b76176580978c98cfcd8a9f1832409513
afdba8818e9f4f43f1cfb47544f26522aa5f0d9573248a6b9fde2a39666524ec
35d7bfaa55b73ca97da12fba7a06328783358576034ed126c1f727ed34effb68
0a25ac441bb2adabe39c3349c625f2fa673ba097747f593bd1d5bad65217d8c8
4c5e2a7c5a9f5bc9ead0796915e4aabd5e0019740adb6285fb069e7f7d87d752
ad6f723c0a7f57f859fef6843560ed080145964eb0625a716dc0f8424887dfab
41b4cc711899e88e5a7ddc2977d9f817f230e4186841a0d26bd66f26281562b6
d17f888c333bda95a3ced58ab0abc8b3a238bca5035855afaf3a2d7dfc977312
e7d5602c5cf9c13c2dcae7dca51bbcfcba3366066e7a31e007d7e3c28e1819db
f2f4ea45f2fc943f867edcff5f7395d9565d951310d74f050c2decbd0ef3a8e0
c1f74a63a2a09105ea6edc097da6bda018a24eb223d9007d65d4ee6963dd6c14
f4470e707ade0ff091f079efb030b6a503951dc13196d29878ff6922ae659064
1e0ad8cf6e716ae54e58580a9a9a97bc131f3131723cc0b80f85163943ed8ad9
b45d683efd7ec95afd23317e2c0e9ca178b16c0d9f4f3c2363035dd10e24698a
60a9b2c51e2cc25003cb1edc5698e0aa7f1081f874648459fc3dc672c2e36224
2055132738e70e6401b812697c3111beb6a7e091e1cbb29b5cd7dbe23f7df068
84e51ffdf5d7d5804fa4777ecbe8e92ef95b7137298237c5b28b83061a5d4dd5
b06b1b4d5a9dddb0d067a38fdf2b3b872d974ce1379c4101ab13aa1a6f143b13
091dbad724980aa725a71055aee69323fb38d2e67a4ac37d823ea54680055ceb
30bf64e341bea879fd1230840a4e85fb1419631f45ad94c8d44cf46422cb417b
554ada736c1aff6b50950b1a8588faaa4b67f1732620aa57afcc8f580477523a
c6ac58a817fe096250fff6b25e2f93dcd8266876cf81652d340e29e00ee5fa28
2aa56a2670c094df927e727f7f6ea08e075ea7960d02c4299c97c29843337b95
5079d940ab2475a812aae6ca021a2e6879304ab1ebd2fdbabb693271180c6578
19d17b27a1b48b46683e2ff55d56945412d0588adc2eca846026512c0a3e8290
98fcd30002462d9efb03f43cac3994b62c60f393a7b1bd039103d46f34612ffe
c1790a04ef26812df41cf7e74d73bea3d4cdccca2358e75efcffc0d0bea93c3b
1cfcab2db6eb7dce5af3f5845d592fe72d5be1e517d8832311dbe551e4d751e0
ac450054f847ade7afbcc10f52ab7378d3451cf96785a6a4fb1c5fe36c4beb3d
1fa3662c1da1480b05b0e7ff9d80b9b233401a4925da59f62c4313b21468cb44
d91dc1d99dc2e79cc4fac2ab1a9a3d69626cb566b619998206154bf0d128bf64
4164dd0414e1609215a9855e2f58ef204883de1f467f4c0708cae439f70b1f0e
3334d21a0b380c527cf62e681719e35f80b43c0ac7da1b1ae5f07785f437621d
80b0b7d673a4ea4590edc5a52092751f61871ab72a8d3a4087c85b2e929dd6aa
1609bd4206060111c2bfcb349fbe71c2bd4d6ad2a99b5d9c393c49444e9ea751
10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f
b2259d7d5ddf3a60edaa2c0029bef3d639278866a8e0871cd9aa2cf6c7e8885f
0de527b77059d353497e0e6918dd6130dd63ee0ace25a50eff57eb2bbbe075c4
50302a76db54396b6775562edd8a67932ffa653cbdc40ce17910278f51f80db0
3950204208a195a37353f75b060a38cf17e2591e0fdf2855607eb5dad4e22c0e
6b2b19e169923a9765c225d8904983a3b7421e0d7c0e8df299721e55dbe8c01a
c8a5519db64b4918c2e21b13c8fd75ea10ab0d05d49b241807e881dac9ef05a1
7eb599e27373d4eb4a852426a0935cd04baebaa77d21007be744fcdf5a5a0922
7dc4b1f8a0ed5aafe220796b0edec7e53f1d9fc06b6c356e3cd967dcd2beb366
98e2adbab29c57b143ce56eebfa10e13b3f9624b98320a4168760eb46ca22209
35d9ebbf77018a3e27069deb7dd9742eb632da1e89f9ba8d484a49ad6ad497bf
ea7923417b3cc0114c8c46cef7e2a797eb2ee978a0350a0d95a784ff151ca0f4
c6df64c1c448ccfccd92366ee2bdbb28c413fda5ba9aaaad1648caf76d6950fb
SH256 hash:
27501e55e31ad207203ef37745df5d44d60514d6affe54ca3eda94060e7b0d6c
MD5 hash:
1a3def9d727857f76b63bbfec1578da2
SHA1 hash:
79763331ed98bba231bff43aa27868983aecee8e
Link:
https://www.unpac.me/results/530eacf4-2045-4e3e-9f38-87ae43150081/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/27501e55e31a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27501e55e31ad207203ef37745df5d44d60514d6affe54ca3eda94060e7b0d6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 27501e55e31ad207203ef37745df5d44d60514d6affe54ca3eda94060e7b0d6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2489627/
  
Delivery method
Distributed via web download

Comments