MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 312e2a9f84e6dc13c1f2eb5af58a3ed251d7f61c0d0a60f6565767c209dd171c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer

Vendor detections: 11


SHA256 hash: 312e2a9f84e6dc13c1f2eb5af58a3ed251d7f61c0d0a60f6565767c209dd171c
SHA3-384 hash: 37592f537af0b205ad5fe20f292286c3ab7126603a027a340641817f8a46a7798af01ad32adf5d2e33ed5bcf8e0e9cf7
SHA1 hash: f392378a52d10c873755c8af24cf857b19e1cdf8
MD5 hash: bc10829568a731feee2b950a07ab1d0f
humanhash: april-bakerloo-yellow-lithium
File name: bc10829568a731feee2b950a07ab1d0f.exe
Signature: RedLineStealer
File size: 1'469'192 bytes
First seen: 2023-11-04 10:40:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98cc3eb9c2d9aa3e8bedb67da2fea5c0 (1 x RedLineStealer)
ssdeep: 12288:rhnW9rQ/AhxBJ3e4x6JXpguZmur9X6a9DhvhN00:rhyQ/Mf3R0ZRt6a9Dhvhh
Threatray: 3'764 similar samples on MalwareBazaar
TLSH: T17D65C80176F91B59F5F35FB86ABA6611087AFC6ADF11C2DF1261948E0C21BD08970B3B
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
195.10.205.17:8122

Intelligence


File Origin
# of uploads: 1
# of downloads: 426
Origin country: NL

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Forced shutdown of a system process
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control greyware lolbin overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Glupteba, Mystic Stealer, RedLin
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Glupteba
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: (rendered process graph not reproduced here) Behavior Graph ID: 1337079; Sample: 6eiKgvOR9U.exe; Start date: 04/11/2023; Architecture: WINDOWS; Score: 100
Result
Malware family: smokeloader
Score: 10/10
Tags: family:redline family:sectoprat family:smokeloader botnet:pixelnew2.0 botnet:plost backdoor infostealer persistence rat trojan
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Downloads MZ/PE file
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
194.49.94.11:80
Unpacked files
SHA256 hash: 312e2a9f84e6dc13c1f2eb5af58a3ed251d7f61c0d0a60f6565767c209dd171c
MD5 hash: bc10829568a731feee2b950a07ab1d0f
SHA1 hash: f392378a52d10c873755c8af24cf857b19e1cdf8
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_no_import_table
Description: Detect PE file that has no import table
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 312e2a9f84e6dc13c1f2eb5af58a3ed251d7f61c0d0a60f6565767c209dd171c (this sample)

Delivery method: Distributed via web download

Comments