MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6247f894dd125112dbd9f9f9414b3ca0788c1de302e806e32022354be7b19aba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: 6247f894dd125112dbd9f9f9414b3ca0788c1de302e806e32022354be7b19aba
SHA3-384 hash: ba070b7bdfbfdeab7f49020ae0887cd0fdd8b517971d6c6c71ba6ff0d01e3f0851b788086ea035cfa4d6d46c34b0634b
SHA1 hash: 1f5638cf71fac8d51253360b4537b074292e70ff
MD5 hash: 54d67710488b0e50ae015dbcadf9fb24
humanhash: sierra-mountain-angel-artist
File name: pkgconsole.exe
Signature: RedLineStealer
File size: 3'092'734 bytes
First seen: 2024-08-23 07:29:29 UTC
Last seen: 2024-08-23 08:42:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3a1356930a9430c31e11dd7450136d1c (1 x Amadey, 1 x RedLineStealer)
ssdeep: 49152:ENwSGRcvmS29H0izpHtx9hWKck4Yx8kopHO0qDtxHY80S:EKSD29H0izpHtx9hWKcrNO0qDtxHY8Z
Threatray: 3 similar samples on MalwareBazaar
TLSH: T129E5F74369DB0DE9DED677B4A1C32335A774FD35CA291F2BAA08C23169536C4AD1EB00
TrID: 36.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      23.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      11.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.0% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: kenshi
Tags: AsyncRAT exe Loader Ransomware RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 677
Origin country: HR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: pkgconsole.exe
Verdict: Malicious activity
Analysis date: 2024-08-23 07:16:44 UTC
Tags: loader stealer crypto-regex

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Encryption Execution Infostealer Injection Network Other Static Stealth Trojan
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Delayed writing of the file
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Forced shutdown of a browser
Changing the hosts file
Sending an HTTP POST request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug overlay
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT, Discord Token Stealer, MicroCl
Detection: malicious
Classification: phis.troj.adwa.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Drops executable to a common third party application directory
Drops PE files with benign system names
Found API chain indicative of debugger detection
Found hidden mapped module (file has been removed from disk)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Overwrites Mozilla Firefox settings
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Discord Token Stealer
Yara detected Generic Downloader
Yara detected MicroClip
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID: 1497916; Sample: pkgconsole.exe; Start date: 23/08/2024; Architecture: WINDOWS; Score: 100)

Sample-level network indicators: www.kenesrakishevinfo.com, ext-sq.squarespace.com
Sample-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree (indentation shows parent/child relationships):

pkgconsole.exe (started)
  Network: 176.111.174.140 (ports 49708, 49709, 49710; WILWAWPL, Russian Federation); ext-sq.squarespace.com 198.185.159.144:443 (local port 49707; SQUARESPACEUS, United States)
  Dropped: C:\Users\user\Desktop\installer.exe (PE32+); C:\Users\user\AppData\Local\...\Setup[1].exe (PE32+)
  installer.exe (started)
    Dropped: C:\Users\...\{0A4EF2531C6F2214332168}.exe (PE32+)
    Signatures: Found API chain indicative of debugger detection; Creates multiple autostart registry keys; Contain functionality to detect virtual machines; 6 other signatures
    relog.exe (started)
      Dropped: C:\...\Service_{0A4EF2531C6F2214332168}.exe (PE32+); C:\Users\...\Service_com.adobe.dunamis.exe (PE32+); C:\Users\user\AppData\...\Service_Mozilla.exe (PE32+); 5 other malicious files
      Signatures: Protects its processes via BreakOnTermination flag; Changes memory attributes in foreign processes to executable or writable; Found API chain indicative of debugger detection; 12 other signatures
      explorer.exe (injected)
        Dropped: C:\Users\user\...\6018.tmp.nikmok2.exe (PE32); C:\Users\user\AppData\...\5970.tmp.zx.exe (PE32+); C:\Users\user\AppData\...\40A7.tmp.test.exe (PE32+); C:\Users\user\...\14D3.tmp.nikmok1.exe (PE32)
        Signatures: Benign windows process drops PE files; Contains functionality to inject code into remote processes; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        40A7.tmp.test.exe (started)
          Dropped: C:\Users\user\AppData\Local\...\backend_c.pyd (PE32+); C:\Users\user\AppData\Local\...\_cffi.pyd (PE32+); C:\Users\user\AppData\...\_quoting_c.pyd (PE32+); 62 other files (59 malicious)
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          test.exe (started)
            Signatures: Tries to harvest and steal browser information (history, passwords, etc)
            cmd.exe (started)
              conhost.exe (started)
        5970.tmp.zx.exe (started)
          Dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 48 other files (44 malicious)
          5970.tmp.zx.exe (started)
        Service_Adobe.exe (started)
          Signatures: Found API chain indicative of debugger detection; Contain functionality to detect virtual machines; Contains functionality to inject threads in other processes; 4 other signatures
          svchost.exe (started)
            Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        6 other processes
          Dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\AppData\...\tmp2E57.tmp.bat (DOS)
          Signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 4 other signatures
          cmd.exe (started)
            svchost.exe (started)
              Signatures: System process connects to network (likely due to code injection or exploit)
            conhost.exe (started)
            timeout.exe (started)
          schtasks.exe (started)
            conhost.exe (started)
          relog.exe (started)
          2 other processes
      Service_com.adobe.dunamis.exe (started)
        Signatures: Found API chain indicative of debugger detection; Contain functionality to detect virtual machines; Contains functionality to inject threads in other processes; 4 other signatures
        svchost.exe (started)
          svchost.exe (started)
      schtasks.exe (started)
        conhost.exe (started)
      4 other processes
        conhost.exe (started)
        conhost.exe (started)
        2 other processes
    schtasks.exe (started)
      conhost.exe (started)
  conhost.exe (started)
Service_{0A4EF2531C6F2214332168}.exe (started)
  Signatures: Found API chain indicative of debugger detection; Contain functionality to detect virtual machines; Contains functionality to inject threads in other processes; Maps a DLL or memory area into another process
  svchost.exe (started)
    Signatures: Contains functionality to inject threads in other processes
{0A4EF2531C6F2214332168}.exe (started)
  Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk)
  schtasks.exe (started)
    conhost.exe (started)
  relog.exe (started)
svchost.exe (started)
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2024-08-23 07:23:36 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:asyncrat family:redline botnet:default botnet:diamotrix credential_access discovery infostealer persistence pyinstaller rat spyware stealer
Behaviour
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Async RAT payload
Credentials from Password Stores: Credentials from Web Browsers
AsyncRat
RedLine
RedLine payload
Malware Config
C2 Extraction:
176.111.174.140:6606
176.111.174.140:7707
176.111.174.140:8808
176.111.174.140:1912
Unpacked files
SHA256 hash: 6247f894dd125112dbd9f9f9414b3ca0788c1de302e806e32022354be7b19aba
MD5 hash: 54d67710488b0e50ae015dbcadf9fb24
SHA1 hash: 1f5638cf71fac8d51253360b4537b074292e70ff
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery chain: Web download -> RedLineStealer -> Executable exe 6247f894dd125112dbd9f9f9414b3ca0788c1de302e806e32022354be7b19aba (this sample) -> Dropping -> LockBit

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID                        | Title                                             | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                              | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF)   | high
CHECK_TRUST_INFO          | Requires Elevated Execution (uiAccess:None)       | high

Reviews

ID                | Capabilities                   | Evidence
SHELL_API         | Manipulates System Shell       | SHELL32.dll::ShellExecuteExA
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::OpenProcess, KERNEL32.dll::CloseHandle, WININET.dll::InternetCloseHandle
WIN_BASE_API      | Uses Win Base API              | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW
WIN_BASE_IO_API   | Can Create Files               | KERNEL32.dll::CreateFileA
