MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ae55cfba636773cd272bc7bbab1e6998d7f4fced10310149450f69db1ddce95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 3ae55cfba636773cd272bc7bbab1e6998d7f4fced10310149450f69db1ddce95
SHA3-384 hash: 7c707ff35c780143ea82e9796dcbc7b6d27868b4cb98ca035206795156e13277f92e5fe71c1177be4f118393cacb486f
SHA1 hash: 3e0ec96846ccfde7f5a0a402afbf31b6c56cfa5c
MD5 hash: d79316d450d1353d88f72d070e588242
humanhash: oklahoma-beer-orange-neptune
File name: Pluxo.exe
Signature: RedLineStealer
File size: 9'227'376 bytes
First seen: 2022-01-09 13:32:32 UTC
Last seen: 2022-01-09 15:35:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (730 x GuLoader, 452 x Formbook, 295 x Loki)
ssdeep: 196608:8pcYmscpdkw5wIl75bT8aJSIkzbeWFqIo719VoGGDlh6adk2xBpLWJ98:8WYm7kw6Il5bQwr2iWq7JhElQviBEX8
Threatray: 210 similar samples on MalwareBazaar
TLSH: T1FF96336278FA19EBCA4D17B90BDD71FCD626CF0126101DC23E75BA22B9FEB12E845540
dhash icon: 70c4829ac66c68b2 (5 x RedLineStealer)
Reporter: JaffaCakes118
Tags: exe RedLineStealer

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 350
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Pluxo.exe
Verdict: Malicious activity
Analysis date: 2022-01-09 05:01:18 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Launching a process
Creating synchronization primitives
Creating a process with a hidden window
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe expand.exe overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Phoenix Miner RedLine
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 549766, sample Pluxo.exe, start date 09/01/2022, architecture WINDOWS, score 100 (rendered process, file and network graph omitted)
Threat name: Win32.Trojan.MintPorcupine
Status: Malicious
First seen: 2022-01-09 13:33:18 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 22 of 43 (51.16%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence spyware stealer upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Unpacked files
SHA256 hash: ae1b392534daa8735b5b396001393cc6fe0fa5d97c428d90e7c7c8ff46013d13
MD5 hash: 049df58c6edab3025cbc6746f1445c15
SHA1 hash: 9f7b650472e074dd3af2b817564cd127959460e0
SHA256 hash: 3ae55cfba636773cd272bc7bbab1e6998d7f4fced10310149450f69db1ddce95
MD5 hash: d79316d450d1353d88f72d070e588242
SHA1 hash: 3e0ec96846ccfde7f5a0a402afbf31b6c56cfa5c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3ae55cfba636773cd272bc7bbab1e6998d7f4fced10310149450f69db1ddce95 (this sample)

Delivery method: Distributed via web download

Comments