MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5586765ad89f3f167b3ca3f5489b8a99c4f867d7b50af63fc23292293fccb5ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5586765ad89f3f167b3ca3f5489b8a99c4f867d7b50af63fc23292293fccb5ba
SHA3-384 hash: db11598444149b4e8986c331ff6246b140ae4af512023cbcc993c229306d7c589f72998f79bfa02924fac1d98033dd49
SHA1 hash: 864f3d44c349a48990fb611afd35f34ec9630b0f
MD5 hash: 5e7743853ead63c82b1f5f8c8f124f5a
humanhash: monkey-speaker-wyoming-quiet
File name:5e7743853ead63c82b1f5f8c8f124f5a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:135'680 bytes
First seen:2022-08-20 15:08:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5caee56064576a8a65244ae46f3756ae (4 x RedLineStealer)
ssdeep 3072:5wz23V5CR2rfKGVkeDK+KwwI6f/2pMtP4r+FF+Uw1t5aDB1B3Kg1:57FER2dNDKowI6frF3Ym13z1
TLSH T10FD3BE3571D0C432D876193608F0CE714A3EFD720E325EAB6758267A8F306D29F2596B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
392
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5e7743853ead63c82b1f5f8c8f124f5a
Verdict:
No threats detected
Analysis date:
2022-08-20 15:09:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/beb16dc5-ceb5-4c23-90c1-85e7c573d150

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299942/
Detection(s):
SecuriteInfo.com.Variant.Lazy.232861.25232.29475.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6300f98cf205e2ee7669e5bb/reports/99dbfa5a-9882-4e80-b463-d15d4fc38e10/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bd95ad4f-1987-432d-9c4d-48410a16f234
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1054840
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 687357 Sample: js6DmV3MrK Startdate: 20/08/2022 Architecture: WINDOWS Score: 100 53 coinsurf.com 2->53 61 Snort IDS alert for network traffic 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 8 other signatures 2->67 10 js6DmV3MrK.exe 2->10         started        13 gascrga 2 2->13         started        signatures3 process4 signatures5 87 Contains functionality to inject code into remote processes 10->87 89 Writes to foreign memory regions 10->89 91 Allocates memory in foreign processes 10->91 93 Injects a PE file into a foreign processes 10->93 15 RegSvcs.exe 10->15         started        18 conhost.exe 13->18         started        process6 signatures7 95 Maps a DLL or memory area into another process 15->95 97 Checks if the current machine is a virtual machine (disk enumeration) 15->97 99 Creates a thread in another existing process (thread injection) 15->99 20 explorer.exe 10 15->20 injected process8 dnsIp9 55 185.215.113.58, 49723, 49725, 49729 WHOLESALECONNECTIONSNL Portugal 20->55 57 static.asyncvoid.net 188.114.96.3, 443, 49724 CLOUDFLARENETUS European Union 20->57 59 5 other IPs or domains 20->59 45 C:\Users\user\AppData\Roaming\gascrga, PE32 20->45 dropped 47 C:\Users\user\AppData\Local\Temp2CC.exe, PE32 20->47 dropped 49 C:\Users\user\AppData\Local\Temp\C60B.exe, PE32 20->49 dropped 51 2 other malicious files 20->51 dropped 69 System process connects to network (likely due to code injection or exploit) 20->69 71 Benign windows process drops PE files 20->71 73 Injects code into the Windows Explorer (explorer.exe) 20->73 75 2 other signatures 20->75 25 BE0B.exe 20->25         started        28 C60B.exe 20->28         started        30 E2CC.exe 1 20->30         started        32 10 other processes 20->32 file10 signatures11 process12 file13 77 Multi AV Scanner detection for dropped file 25->77 79 Machine Learning detection for dropped file 25->79 81 Writes to foreign memory regions 25->81 35 RegSvcs.exe 2 25->35         started        83 Allocates memory in foreign processes 28->83 85 Injects a PE file into a foreign processes 28->85 37 RegSvcs.exe 2 28->37         started        39 conhost.exe 30->39         started        43 C:\Users\user\AppData\Local\...\Update.exe, PE32 32->43 dropped 41 Update.exe 1 32->41         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5586765ad89f3f167b3ca3f5489b8a99c4f867d7b50af63fc23292293fccb5ba/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-20 15:09:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwdhmwwyt47rm6z4up2urg4kthcpqz6xwufpmp6cgkjcsp6mww5a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220820-sje61afgh9/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
745cb2cea55111002c7d097c8723d3c9a97cd3c86508e5b1e2818f3fca91216e
MD5 hash:
064dd4f20b7c0b9bdae6fe19cfebf201
SHA1 hash:
d6a1a3f80086c5fe9464074aecf56edfa298abb9
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/c29a74bc-3851-4cc1-af91-8bffd7fa5899/
SH256 hash:
5586765ad89f3f167b3ca3f5489b8a99c4f867d7b50af63fc23292293fccb5ba
MD5 hash:
5e7743853ead63c82b1f5f8c8f124f5a
SHA1 hash:
864f3d44c349a48990fb611afd35f34ec9630b0f
Detections:
win_vigilant_cleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/c29a74bc-3851-4cc1-af91-8bffd7fa5899/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5586765ad89f3f167b3ca3f5489b8a99c4f867d7b50af63fc23292293fccb5ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:win_vigilant_cleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vigilant_cleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5586765ad89f3f167b3ca3f5489b8a99c4f867d7b50af63fc23292293fccb5ba

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/299942/
  
URLhaus
https://urlhaus.abuse.ch/url/2275072/

Comments


Avatar
zbet commented on 2022-08-20 15:08:14 UTC

url : hxxp://77.73.131.123/files/wood.exe