MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abd2a927ca79e5218a219f94cc0409b4bf5733ee8375e652d5ba369a441cb2bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abd2a927ca79e5218a219f94cc0409b4bf5733ee8375e652d5ba369a441cb2bc
SHA3-384 hash: 42fd10dc148bf48244a2614ee1524f7b9416d0bd487c6b9ba411f988c945ce5e73eb2812e4b5384f3ce647571f94d616
SHA1 hash: bf729ce338db9575af9a92b8106c2f5c3c6e34af
MD5 hash: 7373d78c6ccef07fae8f8b58f8c8d1bc
humanhash: magnesium-stream-lemon-muppet
File name:SecuriteInfo.com.Variant.Lazy.234097.30356.20731
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:119'784 bytes
First seen:2022-08-21 21:30:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3fd1f5963acd9c393595c6bf09172dfb (3 x RedLineStealer, 2 x RecordBreaker)
ssdeep 3072:ZABoJAuAy237jPu8Rbnp0pUi/QloJerudAnhDDnpapXFS:g9b+8RoBerguDDnpSs
Threatray 8'090 similar samples on MalwareBazaar
TLSH T167C39D43B5D19871E9B61D312860C9B3DE3FF9212E61DDA7234866798F302C28F25D6B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
385
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Lazy.234097.30356.20731
Verdict:
Suspicious activity
Analysis date:
2022-08-21 21:32:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/491c0f9b-6a11-4636-90ef-5d45d6eda100

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300066/
Detection(s):
SecuriteInfo.com.Variant.Lazy.234097.30356.20731.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29579/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed
Link:
https://www.filescan.io/uploads/6302a495c9bbd990978557ce/reports/850b6ab6-5dd1-4062-a462-784eaed9edfc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/adecf11a-d92c-4708-926f-dd4f50efd2ac
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055153
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 687666 Sample: SecuriteInfo.com.Variant.La... Startdate: 21/08/2022 Architecture: WINDOWS Score: 100 80 coinsurf.com 2->80 82 in.appcenter.ms 2->82 108 Malicious sample detected (through community Yara rule) 2->108 110 Antivirus detection for URL or domain 2->110 112 Yara detected Raccoon Stealer v2 2->112 114 8 other signatures 2->114 10 SecuriteInfo.com.Variant.Lazy.234097.30356.exe 1 2->10         started        13 jtvujrj 2 2->13         started        15 jtvujrj 2->15         started        signatures3 process4 signatures5 128 Writes to foreign memory regions 10->128 130 Allocates memory in foreign processes 10->130 132 Sample uses process hollowing technique 10->132 134 Injects a PE file into a foreign processes 10->134 17 MSBuild.exe 10->17         started        20 WerFault.exe 23 9 10->20         started        22 conhost.exe 10->22         started        24 MSBuild.exe 10->24         started        26 conhost.exe 13->26         started        28 conhost.exe 15->28         started        process6 signatures7 100 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->100 102 Maps a DLL or memory area into another process 17->102 104 Checks if the current machine is a virtual machine (disk enumeration) 17->104 106 Creates a thread in another existing process (thread injection) 17->106 30 explorer.exe 8 17->30 injected process8 dnsIp9 86 185.215.113.58, 49740, 49748, 80 WHOLESALECONNECTIONSNL Portugal 30->86 88 45.138.74.104, 49741, 80 HOSTGLOBALPLUS-ASRU Russian Federation 30->88 90 2 other IPs or domains 30->90 72 C:\Users\user\AppData\Roaming\jtvujrj, PE32 30->72 dropped 74 C:\Users\user\AppData\Local\Temp\6732.exe, PE32 30->74 dropped 76 C:\Users\user\AppData\Local\Temp\36F9.exe, PE32 30->76 dropped 78 C:\Users\user\AppData\Local\Temp\1FE6.exe, PE32 30->78 dropped 92 System process connects to network (likely due to code injection or exploit) 30->92 94 Benign windows process drops PE files 30->94 96 Injects code into the Windows Explorer (explorer.exe) 30->96 98 2 other signatures 30->98 35 1FE6.exe 1 30->35         started        38 6732.exe 1 30->38         started        40 36F9.exe 4 30->40         started        43 9 other processes 30->43 file10 signatures11 process12 file13 116 Machine Learning detection for dropped file 35->116 118 Contains functionality to inject code into remote processes 35->118 120 Writes to foreign memory regions 35->120 45 MSBuild.exe 25 35->45         started        50 conhost.exe 35->50         started        122 Allocates memory in foreign processes 38->122 124 Injects a PE file into a foreign processes 38->124 52 conhost.exe 38->52         started        54 MSBuild.exe 38->54         started        56 WerFault.exe 38->56         started        60 C:\Users\user\AppData\Local\...\Update.exe, PE32 40->60 dropped 126 Multi AV Scanner detection for dropped file 40->126 58 Update.exe 7 40->58         started        signatures14 process15 dnsIp16 84 89.208.104.46, 49745, 80 PSKSET-ASRU Russian Federation 45->84 62 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 45->62 dropped 64 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 45->64 dropped 66 C:\Users\user\AppData\LocalLow\mozglue.dll, PE32 45->66 dropped 70 4 other files (none is malicious) 45->70 dropped 136 Tries to harvest and steal browser information (history, passwords, etc) 45->136 138 DLL side loading technique detected 45->138 140 Tries to steal Crypto Currency Wallets 45->140 68 C:\Users\user\AppData\Local\...\Update.exe, PE32 58->68 dropped file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abd2a927ca79e5218a219f94cc0409b4bf5733ee8375e652d5ba369a441cb2bc/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-08-21 21:31:09 UTC
File Type:
PE (Exe)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpjksj6kphssdcrbt6kmybajws7vom7oqn26muwvxi3jura4wk6a._file
Verdict:
malicious
Similar samples:
01d7f7de616e35195a27d7354b78745e7dedcb4af64db9f53db1597bb42b1c21
RedLineStealer
049ae382c00f3cbd42e9108966c445234ed5bccce0913dae44c313295879a6c2
RedLineStealer
0f9818da5be93ab2dc710fe465a2a73e34f94117d83cec9c7df3e731fa222806
RedLineStealer
5786b1e1dc5abbeb0c60e1b7b652c49af8152c2e923894feb56aee8ad4c0f629
RedLineStealer
5cd575c5fa62c375ac8f979a0231f39b1779122a277ce4a5c2faa9f5e69e1d11
RedLineStealer
7968a4ce56f635c65b0f2bbdc8d72364a58eab71642ec195cb4fd579a134fca7
RedLineStealer
7ed50d6cf6c9904f2392e39ac88e5e024c21746d794b9dca4b51cbbbd444df4a
RedLineStealer
c7946da08940de7da39c9bcd1417e1926616d7953974ef5f24aacc6de9b362c9
RedLineStealer
d94097abbaadd3536649ca914b7ac5f8828e723b74c38f37a2c23ec16156b757
RedLineStealer
e3dc41ce8a7e58f579b5b682d536c24fb4348899b6d332bf96a290eb93beac82
RedLineStealer
+ 8'080 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220821-1c14wshdh2/
Unpacked files
SH256 hash:
1d9978f1ac1d48aabe91f28096ad367a7931d6375c716a7a9972a2f14674dd1e
MD5 hash:
be4f55d4f3780a6facd52b6f14de5355
SHA1 hash:
00ce8cf26963486e22ba39021382a39cfe99ceae
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/c77c4eac-6ede-4aed-906e-56a365a9aaae/
SH256 hash:
abd2a927ca79e5218a219f94cc0409b4bf5733ee8375e652d5ba369a441cb2bc
MD5 hash:
7373d78c6ccef07fae8f8b58f8c8d1bc
SHA1 hash:
bf729ce338db9575af9a92b8106c2f5c3c6e34af
Link:
https://www.unpac.me/results/c77c4eac-6ede-4aed-906e-56a365a9aaae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/abd2a927ca79e5218a219f94cc0409b4bf5733ee8375e652d5ba369a441cb2bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe abd2a927ca79e5218a219f94cc0409b4bf5733ee8375e652d5ba369a441cb2bc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2275335/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/300066/

Comments