MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6094c51477bd50374c07dc3a90c3e06491a05366de272c1fb95d66c7678d6fc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6094c51477bd50374c07dc3a90c3e06491a05366de272c1fb95d66c7678d6fc5
SHA3-384 hash: c45cce915473528fc6019748491f7b76e4394c81e0390cea1c6e51d9d921bf5c9d9d8e61ae555a206801fbd0c0aa4339
SHA1 hash: c154e354186c46b4e9d4b994391c90503927db8f
MD5 hash: 0c5ff9fb952ff320b94be5c7cfd1724b
humanhash: mexico-lion-solar-angel
File name:lkadgje.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'976'192 bytes
First seen:2023-12-18 06:10:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 89f8b2136c21fa2fa4c4263b97a4b62f (1 x RedLineStealer)
ssdeep 24576:eCzlfZQP+v7ETWXHKWTKh4CpQmw05Gtrg6a9DhvhoHKJycAYZoE5V:eCzdGguWTKh4cwc6a3veHKJycfV
Threatray 689 similar samples on MalwareBazaar
TLSH T123954C51F2FA5B59F9F30BB856BA6625083ABC6ACF10C2DF1265904E0C31BD48971B37
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adm1n_usa32
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468214/
Detection(s):
Win.Packed.Pwsx-10012424-0
Create hunting rule

Win.Trojan.Stealerc-10014035-0
Create hunting rule

YARA.telnet_cgi.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed rat
Link:
https://www.filescan.io/uploads/657fe2776b1c246046f9bc51/reports/c5ac420b-3c7a-470c-b95d-9c1e338f8083/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/6094c51477bd50374c07dc3a90c3e06491a05366de272c1fb95d66c7678d6fc5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac66ca16-a80e-41de-8cc5-f4f8d4cfa578
Result
Threat name:
RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363772
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops password protected ZIP file
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1363772 Sample: lkadgje.exe Startdate: 18/12/2023 Architecture: WINDOWS Score: 100 100 pastebin.com 2->100 102 api.ip.sb 2->102 104 3 other IPs or domains 2->104 120 Snort IDS alert for network traffic 2->120 122 Multi AV Scanner detection for domain / URL 2->122 124 Found malware configuration 2->124 128 12 other signatures 2->128 12 lkadgje.exe 2->12         started        15 GeforceUpdater.exe 2->15         started        signatures3 126 Connects to a pastebin service (likely for C&C) 100->126 process4 signatures5 166 Contains functionality to inject code into remote processes 12->166 168 Writes to foreign memory regions 12->168 170 Allocates memory in foreign processes 12->170 172 Injects a PE file into a foreign processes 12->172 17 AppLaunch.exe 23 7 12->17         started        22 AppLaunch.exe 12->22         started        process6 dnsIp7 96 45.15.156.167, 49735, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 17->96 98 195.20.16.153, 49737, 49747, 49748 EITADAT-ASFI Finland 17->98 80 C:\Users\user\AppData\Local\...\svchost.exe, MS-DOS 17->80 dropped 82 C:\Users\user\AppData\Local\...\conhost.exe, PE32 17->82 dropped 130 Found many strings related to Crypto-Wallets (likely being stolen) 17->130 132 Tries to harvest and steal browser information (history, passwords, etc) 17->132 24 svchost.exe 7 17->24         started        28 conhost.exe 8 17->28         started        134 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->134 136 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->136 138 Drops PE files with benign system names 22->138 file8 signatures9 process10 file11 84 C:\ProgramData\...behaviorgrapheforceUpdater.exe, MS-DOS 24->84 dropped 156 Antivirus detection for dropped file 24->156 158 Multi AV Scanner detection for dropped file 24->158 160 Detected unpacking (changes PE section rights) 24->160 164 4 other signatures 24->164 30 cmd.exe 1 24->30         started        86 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 28->86 dropped 88 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 28->88 dropped 162 Contains functionality to register a low level keyboard hook 28->162 32 cmd.exe 2 28->32         started        signatures12 process13 signatures14 35 GeforceUpdater.exe 30->35         started        39 conhost.exe 30->39         started        41 timeout.exe 1 30->41         started        114 Uses schtasks.exe or at.exe to add and modify task schedules 32->114 43 Installer.exe 32->43         started        46 7z.exe 32->46         started        48 7z.exe 3 32->48         started        50 12 other processes 32->50 process15 dnsIp16 106 api4.ipify.org 104.237.62.212, 443, 49746 WEBNXUS United States 35->106 108 ip-api.com 208.95.112.1, 49749, 80 TUT-ASUS United States 35->108 110 45.15.156.43, 1588, 49744 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 35->110 140 Antivirus detection for dropped file 35->140 142 Multi AV Scanner detection for dropped file 35->142 144 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->144 148 6 other signatures 35->148 52 cmd.exe 35->52         started        112 pastebin.com 104.20.68.143, 443, 49745 CLOUDFLARENETUS United States 43->112 90 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 43->90 dropped 92 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 43->92 dropped 146 Sample is not signed and drops a device driver 43->146 54 cmd.exe 43->54         started        57 cmd.exe 43->57         started        59 cmd.exe 43->59         started        94 C:\Users\user\AppData\Local\...\Installer.exe, PE32 46->94 dropped file17 signatures18 process19 signatures20 61 conhost.exe 52->61         started        63 schtasks.exe 52->63         started        150 Encrypted powershell cmdline option found 54->150 152 Uses powercfg.exe to modify the power settings 54->152 154 Modifies power options to not sleep / hibernate 54->154 65 powershell.exe 54->65         started        68 conhost.exe 54->68         started        70 powercfg.exe 54->70         started        72 conhost.exe 57->72         started        74 schtasks.exe 57->74         started        76 conhost.exe 59->76         started        78 schtasks.exe 59->78         started        process21 signatures22 116 Found many strings related to Crypto-Wallets (likely being stolen) 65->116 118 Potential dropper URLs found in powershell memory 65->118
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6094c51477bd50374c07dc3a90c3e06491a05366de272c1fb95d66c7678d6fc5
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6094c51477bd50374c07dc3a90c3e06491a05366de272c1fb95d66c7678d6fc5/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-12-16 12:28:04 UTC
File Type:
PE (Exe)
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mckmkfdxxvidotah3q5jbq7amsi2au3g3ytsyh5zlvtmoz4nn7cq._file
Verdict:
malicious
Similar samples:
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
RedLineStealer
6ee3240e69f9f078386e729d2f2bc6613a062ca07b157e23e4ebc696f4cf7d2d
RedLineStealer
84f515bfed1a8fa9f055a9f3bddb3851618ce0b0b940a5d548aadc24c19362bb
RedLineStealer
86f5b4f32c68f9337a19363da77d77b6275923da37d2e4144b8f0740620fd3ac
RedLineStealer
8a7cc5239d412feb2e6977e47b1f3ca475fb70172ac200b81ed7700a4097564f
RedLineStealer
ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894
RedLineStealer
b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053
RedLineStealer
c89400e70500cd0faad8ea9d0c8d3cc2fc58408c1123dd3fbcd02e80d4bbed65
RedLineStealer
+ 679 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@topgcr infostealer spyware
Link:
https://tria.ge/reports/231218-gxledsafg9/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
RedLine payload
Malware Config
C2 Extraction:
45.15.156.167:80
Unpacked files
SH256 hash:
4249683246badc57ff4bd22f2e1eb76296c333dd246a22f471b07a17805139d8
MD5 hash:
de41cd3ce8eb853a1ae9899a14448059
SHA1 hash:
ce2eb0620fde3de17bc144cd369e765acd5ed510
Detections:
redline
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/12806f52-3f67-45ff-ac56-7228ee8ff458/
SH256 hash:
6094c51477bd50374c07dc3a90c3e06491a05366de272c1fb95d66c7678d6fc5
MD5 hash:
0c5ff9fb952ff320b94be5c7cfd1724b
SHA1 hash:
c154e354186c46b4e9d4b994391c90503927db8f
Link:
https://www.unpac.me/results/12806f52-3f67-45ff-ac56-7228ee8ff458/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6094c51477bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6094c51477bd50374c07dc3a90c3e06491a05366de272c1fb95d66c7678d6fc5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/bc315339-eead-4fe7-a56c-da3fcc972776
Cape
Cape
https://www.capesandbox.com/analysis/468214/

Comments