MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900
SHA3-384 hash: 81e82d3def8479c72842938e0e1c67503ddabf8faf19ae8f3a31ade117bb174b79ee84b28948d21559063b4f81f0e8c1
SHA1 hash: b843dc0253ca495cdd042314fe9031c9cd645350
MD5 hash: 06b37780cb3afdf3fa0f8a238114bd7f
humanhash: pennsylvania-emma-black-social
File name:06b37780cb3afdf3fa0f8a238114bd7f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'238'016 bytes
First seen:2022-11-14 23:45:24 UTC
Last seen:2022-11-15 01:38:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d0c3cacc6bb3c76644b271814ae22a81 (1 x RedLineStealer)
ssdeep 24576:PR964zGEH9mhMh40EL6pxchdGrg17gDrX/axcT5x/Vx9:J446/ajVB3aU/P9
TLSH T170454C32B2D2D837C472167C9D1BF7A89479BD102E3C984A7BE44E4C1F3AA813569397
TrID 69.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.4% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.106.93.214:45623

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06b37780cb3afdf3fa0f8a238114bd7f.exe
Verdict:
No threats detected
Analysis date:
2022-11-14 23:47:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e28d9f0-85b9-4ccc-9fa9-ac2a6e10c983

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/333983/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.30934.25524.2202.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/52487/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/6372d33b2445ecec3cc4a586/reports/966d71cc-35aa-4553-919d-e6f05c7b1a4e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2166af75-1baf-477b-b30a-43479ef6fb6a
Result
Threat name:
CryptOne, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1113360
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected CryptOne packer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 746056 Sample: xjSI5uTaeR.exe Startdate: 15/11/2022 Architecture: WINDOWS Score: 100 68 Malicious sample detected (through community Yara rule) 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Yara detected CryptOne packer 2->72 74 5 other signatures 2->74 9 xjSI5uTaeR.exe 2->9         started        12 fshfasv 2->12         started        14 svcupdater.exe 2->14         started        process3 dnsIp4 96 Detected unpacking (changes PE section rights) 9->96 98 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->98 100 Maps a DLL or memory area into another process 9->100 17 explorer.exe 9 9->17 injected 102 Checks if the current machine is a virtual machine (disk enumeration) 12->102 104 Creates a thread in another existing process (thread injection) 12->104 66 45.134.174.158, 49704, 80 CLOUDIE-AS-APCloudieLimitedHK Russian Federation 14->66 106 Antivirus detection for dropped file 14->106 108 Machine Learning detection for dropped file 14->108 signatures5 process6 dnsIp7 62 kanamundawam.xyz 5.154.181.121, 49696, 49701, 80 SOLVIT-ASRO Romania 17->62 52 C:\Users\user\AppData\Roaming\fshfasv, PE32 17->52 dropped 54 C:\Users\user\AppData\Local\Temp\4E3B.exe, PE32 17->54 dropped 56 C:\Users\user\AppData\Local\Temp\4707.exe, PE32 17->56 dropped 58 2 other malicious files 17->58 dropped 76 System process connects to network (likely due to code injection or exploit) 17->76 78 Benign windows process drops PE files 17->78 80 Performs DNS queries to domains with low reputation 17->80 82 4 other signatures 17->82 22 4707.exe 1 17->22         started        25 4E3B.exe 1 17->25         started        27 23BE.exe 2 17->27         started        30 11 other processes 17->30 file8 signatures9 process10 file11 84 Antivirus detection for dropped file 22->84 86 Contains functionality to inject code into remote processes 22->86 88 Writes to foreign memory regions 22->88 32 AppLaunch.exe 2 22->32         started        34 WerFault.exe 3 10 22->34         started        36 conhost.exe 22->36         started        90 Allocates memory in foreign processes 25->90 92 Injects a PE file into a foreign processes 25->92 38 WerFault.exe 10 25->38         started        41 AppLaunch.exe 25->41         started        43 conhost.exe 25->43         started        60 C:\Users\user\AppData\...\svcupdater.exe, PE32+ 27->60 dropped 94 Machine Learning detection for dropped file 27->94 45 cmd.exe 27->45         started        signatures12 process13 dnsIp14 64 192.168.2.1 unknown unknown 38->64 110 Uses schtasks.exe or at.exe to add and modify task schedules 45->110 48 conhost.exe 45->48         started        50 schtasks.exe 45->50         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-11 06:41:27 UTC
File Type:
PE (Exe)
Extracted files:
66
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=stsv6gmb2me4eabqijt6owki3xt4vzviklrfhfsqafwcrv2xleaa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:2 backdoor infostealer spyware trojan
Link:
https://tria.ge/reports/221114-3sab8aae51/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Detects Smokeloader packer
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
185.106.93.214:45623
Gathering data
Unpacked files
SH256 hash:
94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900
MD5 hash:
06b37780cb3afdf3fa0f8a238114bd7f
SHA1 hash:
b843dc0253ca495cdd042314fe9031c9cd645350
Link:
https://www.unpac.me/results/3c25220b-6308-40b5-ad18-6bdc774219e4/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94e55f1981d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/333983/

Comments