MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d312edff48a18bdb32c65dc872605d9ccd87652b7434e3b041c492b5b622f6fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d312edff48a18bdb32c65dc872605d9ccd87652b7434e3b041c492b5b622f6fe
SHA3-384 hash: 969ef06c97b8188e0d67114d10949c474732491cac3ef62398b86fe774f782cff12c13a97713b0d97c913319fcf5ad0d
SHA1 hash: 84905309ab7c15819e2c6d524ea426a0109f4999
MD5 hash: 1e9f1d5036f203d0193f39960852e030
humanhash: jig-potato-blossom-emma
File name:1e9f1d5036f203d0193f39960852e030.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'930'824 bytes
First seen:2022-04-21 11:02:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2833106949ae6e20c40ed0128f9df4b (5 x RecordBreaker, 4 x SystemBC, 3 x RedLineStealer)
ssdeep 49152:wPVcUnP0DXTOfdeYimRO0bjRjS+rGod8yVuNC57yL7hUMit8Gxs6MmeA9/IAZb59:wGePGXTqgT05W+rGoeyQ057yRUMN4s6r
TLSH T14AD5013811D1FF2AE9951CB5EC5231FE07970DA17E8F68054080B7AE9B39EB92F4D846
TrID 50.0% (.EXE) Generic Win/DOS Executable (2002/3)
49.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f0c8c8c8f2b2cccc (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:europa.eu
Issuer:GlobalSign RSA OV SSL CA 2018
Algorithm:sha256WithRSAEncryption
Valid from:2020-07-16T12:26:05Z
Valid to:2022-06-20T10:15:02Z
Serial number: 3440d6dbc7cb65c512981650
Thumbprint Algorithm:SHA256
Thumbprint: 5deb43242b29a71405a00f14d73e5728981dc5cf049e6417e2577cf6726e16c9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RedLineStealer C2:
94.130.222.120:29240

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.130.222.120:29240 https://threatfox.abuse.ch/ioc/523220/

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265429/
Detection(s):
SecuriteInfo.com.Variant.Lazy.171675.25231.27412.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/626139e9eab80a7a6c535170/reports/6fc29eb0-4a6a-4ded-a07f-26eb7ddf4e6c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9558022-585c-478a-ac27-f912d05ec4af
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/980603
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 613090 Sample: kj5BE1FHSg.exe Startdate: 21/04/2022 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for domain / URL 2->30 32 Found malware configuration 2->32 34 Antivirus detection for URL or domain 2->34 36 5 other signatures 2->36 7 kj5BE1FHSg.exe 1 2->7         started        10 dsierri 1 2->10         started        process3 signatures4 46 Detected unpacking (changes PE section rights) 7->46 48 Injects a PE file into a foreign processes 7->48 50 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->50 12 kj5BE1FHSg.exe 7->12         started        15 conhost.exe 7->15         started        52 Multi AV Scanner detection for dropped file 10->52 17 conhost.exe 10->17         started        process5 signatures6 54 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->54 56 Maps a DLL or memory area into another process 12->56 58 Checks if the current machine is a virtual machine (disk enumeration) 12->58 60 Creates a thread in another existing process (thread injection) 12->60 19 explorer.exe 3 12->19 injected process7 dnsIp8 28 hydroxychl0roquine.xyz 37.0.10.25, 49778, 80 WKD-ASIE Netherlands 19->28 24 C:\Users\user\AppData\Roaming\dsierri, PE32 19->24 dropped 26 C:\Users\user\...\dsierri:Zone.Identifier, ASCII 19->26 dropped 38 System process connects to network (likely due to code injection or exploit) 19->38 40 Benign windows process drops PE files 19->40 42 Performs DNS queries to domains with low reputation 19->42 44 2 other signatures 19->44 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d312edff48a18bdb32c65dc872605d9ccd87652b7434e3b041c492b5b622f6fe/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-04-21 11:03:13 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
11 of 25 (44.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2mjo372iugf5wmwglxeheyc5ttgyozjloq2ohmcbysjllnrc637a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220421-m5pdxaebd9/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
9ee6a215d82c3418c4d252b74ef2e8c14dda119cd7ed7e67cb83bc7d8373d4a7
MD5 hash:
c3301fe73e43a75ef9c3c3b2dbdbd62d
SHA1 hash:
f5d6110f2075cfc50cbe6c7bc9bc8ec920ea0d64
Link:
https://www.unpac.me/results/2f0cae16-ed8e-463c-8ea5-3694275e476c/
SH256 hash:
f84c48991f2a5ea474ba622ab0f3d46a503fd3ca306be483487d36027396c112
MD5 hash:
6df34d37c907082915c97946c615abae
SHA1 hash:
92c5c84cea58bae51ac603a2c8e7396be66c00df
Link:
https://www.unpac.me/results/2f0cae16-ed8e-463c-8ea5-3694275e476c/
SH256 hash:
d312edff48a18bdb32c65dc872605d9ccd87652b7434e3b041c492b5b622f6fe
MD5 hash:
1e9f1d5036f203d0193f39960852e030
SHA1 hash:
84905309ab7c15819e2c6d524ea426a0109f4999
Link:
https://www.unpac.me/results/2f0cae16-ed8e-463c-8ea5-3694275e476c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d312edff48a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/d312edff48a18bdb32c65dc872605d9ccd87652b7434e3b041c492b5b622f6fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d312edff48a18bdb32c65dc872605d9ccd87652b7434e3b041c492b5b622f6fe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2136856/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/265429/

Comments