MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 806d1d42b45adf8a3ecd7fb0797ee658b207e5338efca502541dd2f91d6b2413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 806d1d42b45adf8a3ecd7fb0797ee658b207e5338efca502541dd2f91d6b2413
SHA3-384 hash: 8985796dbc344c7c88b7d66bdbd628643e680a897a917eb596c0d5e4a844607f9a97d26638ef0b9884006e875ef520f7
SHA1 hash: ffa774c779ae66bd2bafcd4ded9af4a205b8b14c
MD5 hash: 8116febb9d5e772f8f527172f0bbb481
humanhash: arkansas-maryland-queen-cat
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'394'176 bytes
First seen:2023-09-10 02:36:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2627254264278e0e80567712e48122f4 (5 x RedLineStealer, 1 x Smoke Loader)
ssdeep 24576:+xUevbWEEOz0mlEyyHyn4xUtTAWIcIooKRNkMsxq2mTaI1PUJ:FevyB45lExyKyAJnKw82meQUJ
Threatray 8 similar samples on MalwareBazaar
TLSH T1F855135474E681B1C4F246384DA0AEFD4E7D7C3289925CDFA7A44BEF4F3468286309A7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2023-09-10 02:37:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d4ac9a6a-3502-4d04-8ca1-508b0b002438

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447681/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.60935.9105.22982.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a service
Creating a file
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
control greyware lolbin packed
Link:
https://www.filescan.io/uploads/64fd2bcff31091fe114bd83a/reports/cf7b4564-042d-438c-a8f0-e7a9d90e7e4f/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/806d1d42b45adf8a3ecd7fb0797ee658b207e5338efca502541dd2f91d6b2413
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b947ff7-ef01-4195-b5a0-32561ce8f622
Result
Threat name:
Mystic Stealer, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306760
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306760 Sample: file.exe Startdate: 10/09/2023 Architecture: WINDOWS Score: 100 125 Found malware configuration 2->125 127 Malicious sample detected (through community Yara rule) 2->127 129 Antivirus detection for URL or domain 2->129 131 9 other signatures 2->131 14 file.exe 2->14         started        17 odNFQ6koyhJrnxa.exe 2->17         started        19 rundll32.exe 2->19         started        21 htttsig 2->21         started        process3 signatures4 201 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->201 203 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->203 205 Contains functionality to inject code into remote processes 14->205 209 3 other signatures 14->209 23 AppLaunch.exe 1 4 14->23         started        27 WerFault.exe 21 9 14->27         started        207 Tries to harvest and steal browser information (history, passwords, etc) 17->207 process5 file6 91 C:\Users\user\AppData\Local\...\v8124575.exe, PE32 23->91 dropped 93 C:\Users\user\AppData\Local\...\f6912903.exe, PE32 23->93 dropped 161 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->161 163 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->163 29 v8124575.exe 1 4 23->29         started        signatures7 process8 file9 111 C:\Users\user\AppData\Local\...\v5760068.exe, PE32 29->111 dropped 113 C:\Users\user\AppData\Local\...\e4828954.exe, PE32 29->113 dropped 211 Antivirus detection for dropped file 29->211 213 Machine Learning detection for dropped file 29->213 33 v5760068.exe 1 4 29->33         started        signatures10 process11 file12 83 C:\Users\user\AppData\Local\...\v5159273.exe, PE32 33->83 dropped 85 C:\Users\user\AppData\Local\...\d2666261.exe, PE32 33->85 dropped 133 Antivirus detection for dropped file 33->133 135 Machine Learning detection for dropped file 33->135 37 v5159273.exe 1 4 33->37         started        41 d2666261.exe 33->41         started        signatures13 process14 dnsIp15 87 C:\Users\user\AppData\Local\...\v9634619.exe, PE32 37->87 dropped 89 C:\Users\user\AppData\Local\...\c2426310.exe, PE32 37->89 dropped 153 Machine Learning detection for dropped file 37->153 44 v9634619.exe 1 4 37->44         started        48 c2426310.exe 37->48         started        115 77.91.124.82, 19071, 49720, 49721 ECOTEL-ASRU Russian Federation 41->115 155 Antivirus detection for dropped file 41->155 157 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->157 159 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 41->159 file16 signatures17 process18 file19 95 C:\Users\user\AppData\Local\...\b3640301.exe, PE32 44->95 dropped 97 C:\Users\user\AppData\Local\...\a5242377.exe, PE32 44->97 dropped 175 Machine Learning detection for dropped file 44->175 50 b3640301.exe 44->50         started        53 a5242377.exe 44->53         started        177 Writes to foreign memory regions 48->177 179 Allocates memory in foreign processes 48->179 181 Injects a PE file into a foreign processes 48->181 55 AppLaunch.exe 48->55         started        57 WerFault.exe 48->57         started        signatures20 process21 signatures22 137 Machine Learning detection for dropped file 50->137 139 Writes to foreign memory regions 50->139 141 Allocates memory in foreign processes 50->141 59 AppLaunch.exe 18 50->59         started        64 WerFault.exe 50->64         started        143 Injects a PE file into a foreign processes 53->143 66 AppLaunch.exe 9 1 53->66         started        68 WerFault.exe 19 9 53->68         started        145 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 55->145 147 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 55->147 149 Maps a DLL or memory area into another process 55->149 151 2 other signatures 55->151 70 explorer.exe 55->70 injected process23 dnsIp24 117 5.42.92.211, 49717, 49747, 49750 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 59->117 99 C:\Users\user\AppData\...\odNFQ6koyhJrnxa.exe, PE32 59->99 dropped 101 C:\Users\user\AppData\...\45y1bBDace2aYlBI, SQLite 59->101 dropped 103 C:\Users\user\...\45y1bBDace2aYlBI.dll, PE32 59->103 dropped 183 Found many strings related to Crypto-Wallets (likely being stolen) 59->183 185 Tries to harvest and steal browser information (history, passwords, etc) 59->185 187 DLL side loading technique detected 59->187 189 Tries to steal Crypto Currency Wallets 59->189 72 odNFQ6koyhJrnxa.exe 59->72         started        75 cmd.exe 59->75         started        191 Disable Windows Defender notifications (registry) 66->191 193 Disable Windows Defender real time protection (registry) 66->193 119 192.168.2.1 unknown unknown 68->119 121 77.91.68.29, 49739, 49742, 49745 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 70->121 123 77.91.124.231, 49741, 49743, 80 ECOTEL-ASRU Russian Federation 70->123 105 C:\Users\user\AppData\Roaming\htttsig, PE32 70->105 dropped 107 C:\Users\user\AppData\Local\Temp\896E.exe, PE32 70->107 dropped 109 C:\Users\user\AppData\Local\Temp\20C5.exe, PE32 70->109 dropped 195 System process connects to network (likely due to code injection or exploit) 70->195 197 Benign windows process drops PE files 70->197 199 Hides that the sample has been downloaded from the Internet (zone.identifier) 70->199 77 rundll32.exe 70->77         started        79 rundll32.exe 70->79         started        file25 signatures26 process27 signatures28 165 Antivirus detection for dropped file 72->165 167 Multi AV Scanner detection for dropped file 72->167 169 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 72->169 173 2 other signatures 72->173 171 Uses schtasks.exe or at.exe to add and modify task schedules 75->171 81 conhost.exe 75->81         started        process29
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/806d1d42b45adf8a3ecd7fb0797ee658b207e5338efca502541dd2f91d6b2413/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-09-10 03:01:37 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbwr2qvullpyupwnp6yhs7xglczapzjtr36kkasudxjpshlleqjq._file
Verdict:
unknown
Similar samples:
14b4d7213793691cc41dc716747fb46f7dcd47654668426bdc6a0158c8bb0d53
RedLineStealer
20dea274065b38f1dbbf6a656d6b3e7417512646265d2b3d652424dfde6365c5
RedLineStealer
553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043de
RedLineStealer
6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7
RedLineStealer
77efd22fb3d800900d512ecf06d3fd7350814eca468ed7e0e9ab5ab598a804df
RedLineStealer
c53bcbf37817860ed265dec41a4db44a89d08d176bd112758c7e07572be06a7a
RedLineStealer
ca54c6e3edac0185342ae18baa70ba469bdafa338fc67fba81fad6796e963ff6
RedLineStealer
cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
RedLineStealer
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:healer family:redline family:smokeloader botnet:virad backdoor dropper evasion infostealer persistence trojan
Link:
https://tria.ge/reports/230910-c35yrseg8s/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
SmokeLoader
Malware Config
C2 Extraction:
77.91.124.82:19071
http://77.91.68.29/fks/
Unpacked files
SH256 hash:
3083cc31973c169a60b5db15885920d92d545fdf13716282809a313101da088d
MD5 hash:
5318938db950ada4028d077fe5f8d430
SHA1 hash:
e885d9b6926e15b64192886f9696d8c2648f2be0
Link:
https://www.unpac.me/results/624575c2-f12f-46ce-aa76-eace4b9be6f2/
SH256 hash:
806d1d42b45adf8a3ecd7fb0797ee658b207e5338efca502541dd2f91d6b2413
MD5 hash:
8116febb9d5e772f8f527172f0bbb481
SHA1 hash:
ffa774c779ae66bd2bafcd4ded9af4a205b8b14c
Link:
https://www.unpac.me/results/624575c2-f12f-46ce-aa76-eace4b9be6f2/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/806d1d42b45a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/806d1d42b45adf8a3ecd7fb0797ee658b207e5338efca502541dd2f91d6b2413

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:mal_healer
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:Payload disabling Windows AV
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/447681/

Comments