MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments

SHA256 hash: 02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408
SHA3-384 hash: 94743e5209248389bddebb4f261e798664c5643361630a99026db2453fd55c5016d3d259a58cb61dc0db0afa969ce481
SHA1 hash: 62df758f397934053749ee38416a74f81a6d8ed6
MD5 hash: 31646747fe74d32212a7cbcb97c7d78d
humanhash: berlin-arizona-lima-ohio
File name:31646747fe74d32212a7cbcb97c7d78d.exe
Download: download sample
Signature RedLineStealer
File size:339'456 bytes
First seen:2021-12-28 04:16:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 39de84e7a601fa8861e0e6a8c8b0a138 (4 x Smoke Loader, 3 x ArkeiStealer, 2 x RedLineStealer)
ssdeep 6144:EBGT3isLw0aTaB2Wc/Kimyj3OAHgAdHrlwZ0:EBGTSsLw0aTaB2Wc/jmyjNAAdHeZ
Threatray 6'372 similar samples on MalwareBazaar
TLSH T1FA747B10B7A0D035F1B316F44AB9A274B52E7EE16B2491CB53D52BEE96396D0EC3031B
File icon (PE):PE icon
dhash icon e0f8e8e8aa66a499 (12 x RedLineStealer, 11 x RaccoonStealer, 5 x ArkeiStealer)
Reporter @abuse_ch
Tags:exe RedLineStealer


Twitter
@abuse_ch
RedLineStealer C2:
185.93.6.82:18955

Intelligence


File Origin
# of uploads :
1
# of downloads :
240
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
31646747fe74d32212a7cbcb97c7d78d.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-28 04:19:32 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Searching for synchronization primitives
–°reating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet greyware virus
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
RedLine SmokeLoader Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 545835 Sample: H4HU4rg1NM.exe Startdate: 28/12/2021 Architecture: WINDOWS Score: 100 69 elew3le3lanle.freeddns.org 2->69 97 Antivirus detection for URL or domain 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 Yara detected SmokeLoader 2->101 103 10 other signatures 2->103 11 H4HU4rg1NM.exe 2->11         started        14 iudbdfd 2->14         started        signatures3 process4 signatures5 123 Contains functionality to inject code into remote processes 11->123 125 Injects a PE file into a foreign processes 11->125 16 H4HU4rg1NM.exe 11->16         started        127 Machine Learning detection for dropped file 14->127 19 iudbdfd 14->19         started        process6 signatures7 89 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->89 91 Maps a DLL or memory area into another process 16->91 93 Checks if the current machine is a virtual machine (disk enumeration) 16->93 21 explorer.exe 10 16->21 injected 95 Creates a thread in another existing process (thread injection) 19->95 process8 dnsIp9 71 185.233.81.115, 443, 49757 SUPERSERVERSDATACENTERRU Russian Federation 21->71 73 188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands 21->73 75 12 other IPs or domains 21->75 61 C:\Users\user\AppData\Roaming\iudbdfd, PE32 21->61 dropped 63 C:\Users\user\AppData\Local\Temp\C26E.exe, PE32 21->63 dropped 65 C:\Users\user\AppData\Local\Temp\A87C.exe, PE32 21->65 dropped 67 8 other malicious files 21->67 dropped 105 System process connects to network (likely due to code injection or exploit) 21->105 107 Benign windows process drops PE files 21->107 109 Deletes itself after installation 21->109 111 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->111 26 8CA5.exe 21->26         started        30 325D.exe 21->30         started        32 4D1A.exe 127 21->32         started        35 5 other processes 21->35 file10 signatures11 process12 dnsIp13 77 185.7.214.239, 49850, 49868, 80 DELUNETDE France 26->77 129 Multi AV Scanner detection for dropped file 26->129 131 Query firmware table information (likely to detect VMs) 26->131 133 Tries to detect sandboxes and other dynamic analysis tools (window names) 26->133 149 4 other signatures 26->149 37 cmd.exe 26->37         started        135 Machine Learning detection for dropped file 30->135 137 Injects a PE file into a foreign processes 30->137 39 325D.exe 30->39         started        79 file-file-host4.com 32->79 57 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 32->57 dropped 59 C:\ProgramData\sqlite3.dll, PE32 32->59 dropped 139 Detected unpacking (changes PE section rights) 32->139 141 Detected unpacking (overwrites its own PE header) 32->141 151 2 other signatures 32->151 42 cmd.exe 32->42         started        81 91.219.236.18, 80 SERVERASTRA-ASHU Hungary 35->81 83 194.180.174.41, 80 MIVOCLOUDMD unknown 35->83 85 194.180.174.53, 80 MIVOCLOUDMD unknown 35->85 143 Antivirus detection for dropped file 35->143 145 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->145 147 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->147 153 3 other signatures 35->153 44 110B.exe 4 35->44         started        47 9B5C.exe 35->47         started        49 AppLaunch.exe 35->49         started        file14 signatures15 process16 dnsIp17 51 conhost.exe 37->51         started        113 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->113 115 Maps a DLL or memory area into another process 39->115 117 Checks if the current machine is a virtual machine (disk enumeration) 39->117 119 Creates a thread in another existing process (thread injection) 39->119 53 conhost.exe 42->53         started        55 timeout.exe 42->55         started        87 86.107.197.138, 38133, 49835 MOD-EUNL Romania 44->87 121 Tries to steal Crypto Currency Wallets 44->121 signatures18 process19
Threat name:
Win32.Trojan.Raccrypt
Status:
Malicious
First seen:
2021-12-27 21:24:55 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
34 of 43 (79.07%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:arkei family:raccoon family:smokeloader family:tofsee botnet:10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor discovery evasion persistence spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
VMProtect packed file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
Raccoon
SmokeLoader
Tofsee
Windows security bypass
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
patmushta.info
parubey.info
Unpacked files
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
SH256 hash:
02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408
MD5 hash:
31646747fe74d32212a7cbcb97c7d78d
SHA1 hash:
62df758f397934053749ee38416a74f81a6d8ed6
Malware family:
SmokeLoader
Verdict:
Malicious

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.93.6.82:18955 https://threatfox.abuse.ch/ioc/288179

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408

(this sample)

  
Delivery method
Distributed via web download

Comments