MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6406059af8bc5dc3b7ae91ecd3e2ec7d4281436d2243c96ae289b6feb9ad4ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6406059af8bc5dc3b7ae91ecd3e2ec7d4281436d2243c96ae289b6feb9ad4ba
SHA3-384 hash: e25f1069a841f9c042ff29f49511131070d8c25ac976af789585b5ec0a498ca58e37ff6d7e79b49f5d981735677e25c4
SHA1 hash: 4ef4e0b70a90037ea415c37e2d8daab00d14013c
MD5 hash: a2bc6d16ab3c57a8b0b9fac7e204bb2d
humanhash: west-paris-mango-july
File name:Elsify v2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:603'648 bytes
First seen:2022-03-28 12:06:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6177777cd67f32c7dfaa28c6d6e9d36d (3 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 12288:WVxghhvlw+SvHZrjIHygcECMTZV80QS03ULaHNqrxlKIQNoHI1mcOeOvql1z:WbazSV0SLKX80kEaHNYK3z1ZOeQqzz
Threatray 1'988 similar samples on MalwareBazaar
TLSH T179D423EBA78B2B16C20D89F849B02D4F80C59675BCD83D16E27B4F531425CBA8E345DB
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Elsify v2.exe
Verdict:
Malicious activity
Analysis date:
2022-03-28 12:06:36 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/d6071bc8-e87d-485a-9b62-cb5e83daeb26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258604/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6241a4e9a19c6494129f3f67/reports/ce28108e-198b-46db-aa52-885d8a62e525/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d10535f-c55d-49ba-a152-e0aaa608e6c6
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965802
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 598283 Sample: Elsify v2.exe Startdate: 28/03/2022 Architecture: WINDOWS Score: 100 23 sectigotls.xyz 2->23 25 cdn.discordapp.com 2->25 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 7 other signatures 2->43 8 Elsify v2.exe 1 2->8         started        signatures3 process4 signatures5 45 Writes to foreign memory regions 8->45 47 Allocates memory in foreign processes 8->47 49 Injects a PE file into a foreign processes 8->49 11 AppLaunch.exe 15 7 8->11         started        16 conhost.exe 8->16         started        process6 dnsIp7 27 91.243.32.184, 28056, 49781 MATTEOGB Russian Federation 11->27 29 cdn.discordapp.com 162.159.129.233, 443, 49785 CLOUDFLARENETUS United States 11->29 21 C:\Users\user\AppData\Local\Temp\werikk.exe, PE32 11->21 dropped 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->51 53 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 57 Tries to steal Crypto Currency Wallets 11->57 18 werikk.exe 2 11->18         started        file8 signatures9 process10 signatures11 31 Antivirus detection for dropped file 18->31 33 Multi AV Scanner detection for dropped file 18->33 35 Machine Learning detection for dropped file 18->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6406059af8bc5dc3b7ae91ecd3e2ec7d4281436d2243c96ae289b6feb9ad4ba/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2022-03-28 12:15:15 UTC
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
615bdcc0965d35255d99668380668e1811effaa80cc69c1c78f6a455be86c685
RedLineStealer
6b316e9b28740fd58ef9e2bcd2843b6d86955bdc41f350ae06ff617ef1380a6b
RedLineStealer
8e608482cad57e0b61c813e96639f62abd854f069f49d68807c966ccadc518d5
RedLineStealer
9156df2fc9b608331333b0c9c76ceabb43273ef011c59dcf0223b4151c90b9aa
RedLineStealer
a5614115a7018eb0a78d31aa6a8b64d2938a8fab7358a2055347534a51ae2979
RedLineStealer
a866fa02bf6f9324d6f3713ed1533e4f0262a29a50ab0734e03fe6ed52df11fd
RedLineStealer
b2fbe782c61b83263330dfd32f27f704f6aa7eb1ad7c5046321afa3460799003
RedLineStealer
c28e96902c42e75cd27aa189c22686335108d21d5e3f7815174588cb4f4ca186
RedLineStealer
cb3538ccd59fa740708efdb6f481d1b7182f18a413994a72d0669086469a3244
RedLineStealer
+ 1'978 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/220328-paandahge9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.243.32.184:28056
Unpacked files
SH256 hash:
1036078f02c03a182c5929ea29466614119f0a54ef7cd70a02317c05ce8d96df
MD5 hash:
3a98c51632f0d693bcb1ed9398dbb86d
SHA1 hash:
c39cda55b73a3eebf303c995233e8860559767b1
Link:
https://www.unpac.me/results/62282a13-85f7-49fc-91ad-b31e43497d56/
SH256 hash:
f0cf3f2838a29b20fb917fbaf7738f18dd4777ce1ba7024bb730e380d085fb52
MD5 hash:
c6f8a156a9500ef03922d3ecb5952320
SHA1 hash:
25557dfbdff198c577b833678e862c01ccfba551
Link:
https://www.unpac.me/results/62282a13-85f7-49fc-91ad-b31e43497d56/
SH256 hash:
b6406059af8bc5dc3b7ae91ecd3e2ec7d4281436d2243c96ae289b6feb9ad4ba
MD5 hash:
a2bc6d16ab3c57a8b0b9fac7e204bb2d
SHA1 hash:
4ef4e0b70a90037ea415c37e2d8daab00d14013c
Link:
https://www.unpac.me/results/62282a13-85f7-49fc-91ad-b31e43497d56/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b6406059af8b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6406059af8bc5dc3b7ae91ecd3e2ec7d4281436d2243c96ae289b6feb9ad4ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b6406059af8bc5dc3b7ae91ecd3e2ec7d4281436d2243c96ae289b6feb9ad4ba

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/258604/

Comments