MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08a6dfeb7adf5eb90703abfab6c1f24a9f93c79e6287213f695c44f0181644ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments

SHA256 hash: 08a6dfeb7adf5eb90703abfab6c1f24a9f93c79e6287213f695c44f0181644ec
SHA3-384 hash: fac0cc3b3bed7c4035593a05d05d8331eb635244f3534644cdcb0aa60bab718c023df2011a92003d714334b09ff43ed7
SHA1 hash: 977b7d8cc4237ca4c8a2268aedfff4d83c7d0a86
MD5 hash: 246b41453b996bfa14f60d4785e598ac
humanhash: table-nevada-pennsylvania-coffee
File name:246b41453b996bfa14f60d4785e598ac.exe
Download: download sample
Signature RedLineStealer
File size:299'008 bytes
First seen:2022-01-09 17:45:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 09aef69c73de8322563f63d55badb1aa (1 x RedLineStealer)
ssdeep 6144:Sgs+Lk1QNJlgD6g++0MGnyIh41uzbgwuJ2:SO8QNJlK6g++eh41unnb
Threatray 6'493 similar samples on MalwareBazaar
TLSH T14954BF3175EDC432C0AF05704920C7A55E7BB8321A65806B3B65076E6E70FAC9FE275E
File icon (PE):PE icon
dhash icon fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter @abuse_ch
Tags:exe RedLineStealer


Twitter
@abuse_ch
RedLineStealer C2:
45.9.20.101:23970

Intelligence


File Origin
# of uploads :
1
# of downloads :
333
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
246b41453b996bfa14f60d4785e598ac.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-09 17:49:22 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
–°reating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Creating a file
Running batch commands
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mikey
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
RedLine SmokeLoader Tofsee Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 549822 Sample: cz2ZyeL2Zd.exe Startdate: 09/01/2022 Architecture: WINDOWS Score: 100 76 host-data-coin-11.com 2->76 78 amogohuigotuli.at 2->78 88 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->88 90 Multi AV Scanner detection for domain / URL 2->90 92 Found malware configuration 2->92 94 16 other signatures 2->94 11 cz2ZyeL2Zd.exe 2->11         started        13 icgujuh 2->13         started        15 svchost.exe 2->15         started        18 10 other processes 2->18 signatures3 process4 dnsIp5 21 cz2ZyeL2Zd.exe 11->21         started        24 icgujuh 13->24         started        132 Changes security center settings (notifications, updates, antivirus, firewall) 15->132 26 MpCmdRun.exe 1 15->26         started        80 192.168.2.1 unknown unknown 18->80 signatures6 process7 signatures8 116 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->116 118 Maps a DLL or memory area into another process 21->118 120 Checks if the current machine is a virtual machine (disk enumeration) 21->120 28 explorer.exe 6 21->28 injected 122 Creates a thread in another existing process (thread injection) 24->122 33 conhost.exe 26->33         started        process9 dnsIp10 82 amogohuigotuli.at 28->82 84 185.233.81.115, 443, 49771 SUPERSERVERSDATACENTERRU Russian Federation 28->84 86 18 other IPs or domains 28->86 66 C:\Users\user\AppData\Roaming\icgujuh, PE32 28->66 dropped 68 C:\Users\user\AppData\Roaming\ecgujuh, PE32 28->68 dropped 70 C:\Users\user\AppData\Local\TempC9F.exe, PE32 28->70 dropped 72 10 other files (7 malicious) 28->72 dropped 124 System process connects to network (likely due to code injection or exploit) 28->124 126 Benign windows process drops PE files 28->126 128 Deletes itself after installation 28->128 130 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->130 35 EC9F.exe 28->35         started        38 5D68.exe 28->38         started        40 1F0B.exe 3 28->40         started        42 2B8.exe 2 28->42         started        file11 signatures12 process13 file14 96 Detected unpacking (changes PE section rights) 35->96 98 Detected unpacking (overwrites its own PE header) 35->98 100 Found evasive API chain (may stop execution after checking mutex) 35->100 112 4 other signatures 35->112 102 Multi AV Scanner detection for dropped file 38->102 104 Machine Learning detection for dropped file 38->104 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->106 114 3 other signatures 38->114 108 Sample uses process hollowing technique 40->108 110 Injects a PE file into a foreign processes 40->110 45 1F0B.exe 40->45         started        64 C:\Users\user\AppData\Local\...\rljdetbq.exe, PE32 42->64 dropped 47 cmd.exe 1 42->47         started        50 cmd.exe 2 42->50         started        52 sc.exe 1 42->52         started        54 sc.exe 1 42->54         started        signatures15 process16 file17 74 C:\Windows\SysWOW64\...\rljdetbq.exe (copy), PE32 47->74 dropped 56 conhost.exe 47->56         started        58 conhost.exe 50->58         started        60 conhost.exe 52->60         started        62 conhost.exe 54->62         started        process18
Threat name:
Win32.Trojan.Raccoon
Status:
Malicious
First seen:
2022-01-09 17:46:12 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:arkei family:loaderbot family:raccoon family:smokeloader family:tofsee backdoor collection discovery evasion loader miner persistence spyware stealer suricata trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
UPX packed file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
LoaderBot executable
Arkei
LoaderBot
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
patmushta.info
parubey.info
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
SH256 hash:
08a6dfeb7adf5eb90703abfab6c1f24a9f93c79e6287213f695c44f0181644ec
MD5 hash:
246b41453b996bfa14f60d4785e598ac
SHA1 hash:
977b7d8cc4237ca4c8a2268aedfff4d83c7d0a86
Malware family:
SmokeLoader
Verdict:
Malicious

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.101:23970 https://threatfox.abuse.ch/ioc/292069

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 08a6dfeb7adf5eb90703abfab6c1f24a9f93c79e6287213f695c44f0181644ec

(this sample)

  
Delivery method
Distributed via web download

Comments