MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 612def8b01093a69ae511693b3888fabe54ca4d4a3afbf8a99a7212a699e6292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 612def8b01093a69ae511693b3888fabe54ca4d4a3afbf8a99a7212a699e6292
SHA3-384 hash: da2e366b79b1e9e8345c835c4345aacef9c97c05cf82631f8f9696e2622a802c8e641e7eb163e80fbc3073e93f731e97
SHA1 hash: 904335f82b19a563542043635905c9e8b60c48fe
MD5 hash: c9143fa5e2792724172980e5acc312f0
humanhash: kitten-ink-timing-delta
File name:SecuriteInfo.com.Variant.Zusy.434623.25141.8225
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:371'184 bytes
First seen:2022-08-10 20:52:59 UTC
Last seen:2022-08-10 21:31:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 54f8d006845c0984f21909c6fd975d84 (3 x RedLineStealer, 1 x RecordBreaker)
ssdeep 6144:KS3YW1IIsIbi1F5PsKFuE4dEinxd57Uej6DDXo9GN25Wmh4u10fe2SkJJQzB:KS3YW1Iibi1F5PsKFuE4dEinxd57UhnY
TLSH T13F848D11B9C08032D673383206B8E6B14DBDB4302B654BDF67C919BA5F746C1A636B6F
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Zusy.434623.25141.8225
Verdict:
No threats detected
Analysis date:
2022-08-10 20:53:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d69957fb-a13b-4a61-9e32-cf516bae2cb8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297790/
Detection(s):
SecuriteInfo.com.Variant.Zusy.434623.25141.8225.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28606/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed zusy
Link:
https://www.filescan.io/uploads/62f41ab8f6ec33747d93f0ed/reports/ebdcf72e-748e-45ff-9c52-8123747e0b6e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8562eaf0-7c5d-434b-8e1f-4077a5b7da40
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1049539
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 682033 Sample: SecuriteInfo.com.Variant.Zu... Startdate: 10/08/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 4 other signatures 2->56 9 SecuriteInfo.com.Variant.Zusy.434623.25141.exe 2->9         started        12 bsivjus 2->12         started        process3 signatures4 78 Contains functionality to inject code into remote processes 9->78 80 Writes to foreign memory regions 9->80 82 Allocates memory in foreign processes 9->82 84 Injects a PE file into a foreign processes 9->84 14 AppLaunch.exe 9->14         started        17 AppLaunch.exe 9->17         started        process5 signatures6 86 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->86 88 Maps a DLL or memory area into another process 14->88 90 Checks if the current machine is a virtual machine (disk enumeration) 14->90 92 Creates a thread in another existing process (thread injection) 14->92 19 explorer.exe 6 14->19 injected process7 dnsIp8 44 cdnxpnew4af.pw 185.106.93.5, 49750, 80 SUPERSERVERSDATACENTERRU Russian Federation 19->44 46 85.192.63.46, 49752, 80 LINEGROUP-ASRU Russian Federation 19->46 48 4 other IPs or domains 19->48 36 C:\Users\user\AppData\Roaming\bsivjus, PE32 19->36 dropped 38 C:\Users\user\AppData\Local\Temp\5347.exe, PE32 19->38 dropped 40 C:\Users\user\AppData\Local\Temp\4888.exe, PE32 19->40 dropped 58 System process connects to network (likely due to code injection or exploit) 19->58 60 Benign windows process drops PE files 19->60 62 Performs DNS queries to domains with low reputation 19->62 64 3 other signatures 19->64 24 4888.exe 19->24         started        27 5347.exe 19->27         started        29 explorer.exe 19->29         started        31 8 other processes 19->31 file9 signatures10 process11 signatures12 66 Multi AV Scanner detection for dropped file 24->66 68 Writes to foreign memory regions 24->68 70 Allocates memory in foreign processes 24->70 72 Injects a PE file into a foreign processes 24->72 33 AppLaunch.exe 2 24->33         started        74 Antivirus detection for dropped file 27->74 76 Machine Learning detection for dropped file 27->76 process13 dnsIp14 42 103.89.90.61, 18728, 49756 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 33->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/612def8b01093a69ae511693b3888fabe54ca4d4a3afbf8a99a7212a699e6292/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-10 20:16:38 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mew67cybbe5gtlsrc2j3hcepvpsuzjguuox37cuzu4qsu2m6mkja._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220810-zpaa9sehcj/
Unpacked files
SH256 hash:
b7c8965441bd32ad64eab81214a2970748cfd5e9bddaf8959de1b983f825c4c8
MD5 hash:
89a5225b6e3edf34d16694f7dbbb6f23
SHA1 hash:
f77e3335d5bb8ead61822dca5b2c723cf565e734
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/2d0aea02-0de2-44a3-809e-2ab72284bfbf/
SH256 hash:
612def8b01093a69ae511693b3888fabe54ca4d4a3afbf8a99a7212a699e6292
MD5 hash:
c9143fa5e2792724172980e5acc312f0
SHA1 hash:
904335f82b19a563542043635905c9e8b60c48fe
Link:
https://www.unpac.me/results/2d0aea02-0de2-44a3-809e-2ab72284bfbf/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/612def8b0109/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/612def8b01093a69ae511693b3888fabe54ca4d4a3afbf8a99a7212a699e6292

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 612def8b01093a69ae511693b3888fabe54ca4d4a3afbf8a99a7212a699e6292

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2271314/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/297790/

Comments