MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 027dd9d41ae5364eafb8ad151321a32b1b7d1d20eb02db7bc2c94dcfaceaff95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	027dd9d41ae5364eafb8ad151321a32b1b7d1d20eb02db7bc2c94dcfaceaff95
SHA3-384 hash:	601871859ec42da090f4a16e6e3333e97e0daac72466c7ee1626babf35da14823336e706ca8726229ae794c5376f3d22
SHA1 hash:	04a0101f2e56e6c55a74cfbd0b8de4d390352220
MD5 hash:	19b1319a724d76ed2de90d5fa3c98efd
humanhash:	william-beryllium-batman-orange
File name:	19b1319a724d76ed2de90d5fa3c98efd.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	314'880 bytes
First seen:	2022-02-06 08:50:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2f129e2bd6f90680b3617141b4faf74c (1 x RedLineStealer)
ssdeep	6144:prMqeBFClZDcciGtOWU4fwMRIBENSrAwNfKo:pBECl5ZrAWU4f4BENSX
TLSH	T126648D14BB90C039F1F716F849BA936DA93E7DA15B2460CB62D52BEE16346E0EC31317
File icon (PE):
dhash icon	25ac1378399b9b91 (28 x Smoke Loader, 24 x Amadey, 21 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
5.253.63.156:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
5.253.63.156:80	https://threatfox.abuse.ch/ioc/379567/

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

19b1319a724d76ed2de90d5fa3c98efd.exe

Verdict:

Suspicious activity

Analysis date:

2022-02-06 09:07:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e27cfad5-86d8-460f-bb63-23f5126040a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/233761/

Detection(s):

Win.Malware.Dropperx-9938227-0

Win.Dropper.Zenpak-9938419-0

Win.Dropper.Zenpak-9938420-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Searching for synchronization primitives

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process from a recently created file

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Unauthorized injection to a recently created process

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6149/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61ff8bffa72f86da69613653/reports/495a6559-c748-459d-a7d8-fb51a5d4691b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/89d9a77c-ac7d-4c12-810f-056afeee5cad

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/934697

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/027dd9d41ae5364eafb8ad151321a32b1b7d1d20eb02db7bc2c94dcfaceaff95/

Threat name:

Win32.Trojan.DllCheck

Status:

Malicious

First seen:

2022-02-05 10:00:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aj65tva24u3e5l5yvukrgindfmnx2hja5mbnw66czfg47lhk76kq._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220206-kr6d6ahbaq/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc

MD5 hash:

198ff357daf4345c9fc869616b139381

SHA1 hash:

24c9899b296cf004e400b77e72b89f42bb726f37

Link:

https://www.unpac.me/results/d0ccc5cd-d7e7-4e16-a49b-f5d99a4ff6f6/

Parent samples :

3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d

SH256 hash:

027dd9d41ae5364eafb8ad151321a32b1b7d1d20eb02db7bc2c94dcfaceaff95

MD5 hash:

19b1319a724d76ed2de90d5fa3c98efd

SHA1 hash:

04a0101f2e56e6c55a74cfbd0b8de4d390352220

Link:

https://www.unpac.me/results/d0ccc5cd-d7e7-4e16-a49b-f5d99a4ff6f6/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 027dd9d41ae5364eafb8ad151321a32b1b7d1d20eb02db7bc2c94dcfaceaff95

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2020720/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/233761/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample