MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13224301be802e772064bc281b51d1bb9581085ccbffe6da9a88a9bcfd3bf995. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13224301be802e772064bc281b51d1bb9581085ccbffe6da9a88a9bcfd3bf995
SHA3-384 hash: fb300527b61c8cfd12c0bf619989c3f1b6776a14b0728251a4bf281a3864038b5ccc2682805ad2da80d08694e95ab0b7
SHA1 hash: 45a7cc441c99ffff74f48d0c2c3deafd0cd6753d
MD5 hash: 35ef93d9c987d7492fe2fb1aea5c744f
humanhash: berlin-virginia-fix-pasta
File name:35ef93d9c987d7492fe2fb1aea5c744f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:177'152 bytes
First seen:2021-12-15 09:22:01 UTC
Last seen:2021-12-15 11:22:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fdb1d18fcb1774aedc78ecdbb5413a24 (3 x RedLineStealer, 3 x Smoke Loader, 1 x CryptBot)
ssdeep 3072:OKltNBV8cfiHFV/9P7EUtGYXIbjshJuXac0+uuhsiRVjzw9zU5g:OKrfkFdd1wYXIsG4hydzA7
Threatray 3'079 similar samples on MalwareBazaar
TLSH T12B049D02B5D2C471C69EC9708830DBA01E7BF8715670456F77B82BAE6F622D05A36B72
File icon (PE):PE icon
dhash icon 327e7c7d727e6e76 (14 x RedLineStealer, 13 x RaccoonStealer, 3 x Stop)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.82.126.188:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.82.126.188:81 https://threatfox.abuse.ch/ioc/275793/

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
35ef93d9c987d7492fe2fb1aea5c744f.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-15 09:46:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d14a3657-0be1-467d-9fff-290eda69f95c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214243/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.11016.7936.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2106/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61b9b3bf45ca64e57f111b7d/reports/5ee8b921-7bb4-4309-b157-ed8bd01801bb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae238b43-1457-4a32-a810-26ec91817970
Result
Threat name:
IcedID RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907712
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Regsvr32 Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected IcedID
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 540191 Sample: SDGU7w7WFN.exe Startdate: 15/12/2021 Architecture: WINDOWS Score: 100 56 theperfumeplus.com 2->56 58 host-data-coin-11.com 2->58 60 amogohuigotuli.at 2->60 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Multi AV Scanner detection for domain / URL 2->78 80 Found malware configuration 2->80 82 11 other signatures 2->82 10 SDGU7w7WFN.exe 2->10         started        12 gisgudd 2->12         started        15 wusgudd 2->15         started        signatures3 process4 signatures5 17 SDGU7w7WFN.exe 10->17         started        118 Multi AV Scanner detection for dropped file 12->118 120 Machine Learning detection for dropped file 12->120 process6 signatures7 68 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->68 70 Maps a DLL or memory area into another process 17->70 72 Checks if the current machine is a virtual machine (disk enumeration) 17->72 74 Creates a thread in another existing process (thread injection) 17->74 20 explorer.exe 14 17->20 injected process8 dnsIp9 62 host-data-coin-11.com 20->62 64 host-data-coin-11.com 37.0.10.199, 49752, 49753, 49754 WKD-ASIE Netherlands 20->64 66 17 other IPs or domains 20->66 42 C:\Users\user\AppData\Roaming\wusgudd, PE32 20->42 dropped 44 C:\Users\user\AppData\Roaming\gisgudd, PE32 20->44 dropped 46 C:\Users\user\AppData\Local\TempD29.exe, PE32 20->46 dropped 48 8 other files (7 malicious) 20->48 dropped 84 System process connects to network (likely due to code injection or exploit) 20->84 86 Benign windows process drops PE files 20->86 88 Deletes itself after installation 20->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->90 25 14A8.exe 20->25         started        28 54C2.exe 20->28         started        30 266B.exe 2 20->30         started        32 4 other processes 20->32 file10 signatures11 process12 dnsIp13 92 Multi AV Scanner detection for dropped file 25->92 94 Detected unpacking (changes PE section rights) 25->94 96 Machine Learning detection for dropped file 25->96 98 Creates a thread in another existing process (thread injection) 25->98 100 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 28->100 112 2 other signatures 28->112 102 Query firmware table information (likely to detect VMs) 30->102 104 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->104 114 2 other signatures 30->114 50 file-file-host4.com 32->50 52 jeliskvosh.com 94.140.112.17, 49805, 80 TELEMACHBroadbandAccessCarrierServicesSI Latvia 32->52 54 3 other IPs or domains 32->54 38 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 32->38 dropped 40 C:\ProgramData\sqlite3.dll, PE32 32->40 dropped 106 Contains functionality to detect hardware virtualization (CPUID execution measurement) 32->106 108 Tries to harvest and steal browser information (history, passwords, etc) 32->108 116 2 other signatures 32->116 36 ED29.exe 32->36         started        file14 110 System process connects to network (likely due to code injection or exploit) 50->110 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13224301be802e772064bc281b51d1bb9581085ccbffe6da9a88a9bcfd3bf995/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 09:22:10 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cmregan6qaxhoidexqubwuorxokyccc4zp76nwu2rcu3z7j37gkq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
227f7e0b6720c0efc709d592a59308bc60df849b1adb3b7336659aeda72b597d
RedLineStealer
6dd1d159928441b310792cbedaba5b84a0dfb4e241fd6cb0ea9fbb583372e9df
RedLineStealer
79c00db1607b8f07618ee3f90f5c4e160c7de05bce6380a7de83171e2eac11d4
RedLineStealer
c7173517d8f032285e6255485f4faf1e701526bd0862a55fd7e76dc666909349
RedLineStealer
f07ce81464cd8f1442dddf56b517a20b55099f84492ed2944e7909f7268d4b8e
RedLineStealer
+ 3'069 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:icedid family:mimikatz family:raccoon family:redline family:smokeloader family:warzonerat botnet:871b18794e3cbbc6476a5b391363702168853a50 campaign:3372020928 backdoor banker collection discovery infostealer persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211215-lbyvtaaahl/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
Arkei Stealer Payload
Warzone RAT Payload
mimikatz is an open source tool to dump credentials on Windows
Arkei
IcedID, BokBot
Mimikatz
Raccoon
RedLine
RedLine Payload
SmokeLoader
WarzoneRat, AveMaria
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
jeliskvosh.com
185.215.113.57:50723
91.229.76.26:5200
Unpacked files
SH256 hash:
196c516ea546fb935ac669681a74a4dc80da79d9088f464f6cc6f126ae934f4e
MD5 hash:
c36de8bc9668ec4eaafca4c349dca0d5
SHA1 hash:
ea2cadfada69b93ca3abeb8b2462c5c18891fabf
Link:
https://www.unpac.me/results/239c7349-d897-4b05-afd6-8c6110a36cc7/
Parent samples :
6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
8928eed86ea55a63e3646bf8ca403b4b1e57702f73c1ecc8fa403b5700a304ef
18ad362dcae8df5827846223c09ceba7766e09733b685d4067ee39037daec452
da39948d95cdbce6e1ca9e0fdbb77080164a379f593e530b5732d3fc38df7bf8
7c74a8c41e24f69015185f78b8fbc177edcbe9d27099e904497b2310999f74cb
92ebb6be19502fe2573a9eac183bcc657b88ac5b0344285d9db409b0a3d88dab
af6fa095b427a0e95dd826696c2b92b0123e688e3c95f6d27825cc2928085d1b
de8099732ee5b73f3fa6d032a74e8576d06663fc16b2c6da27a34444fdced1c8
SH256 hash:
13224301be802e772064bc281b51d1bb9581085ccbffe6da9a88a9bcfd3bf995
MD5 hash:
35ef93d9c987d7492fe2fb1aea5c744f
SHA1 hash:
45a7cc441c99ffff74f48d0c2c3deafd0cd6753d
Link:
https://www.unpac.me/results/239c7349-d897-4b05-afd6-8c6110a36cc7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13224301be802e772064bc281b51d1bb9581085ccbffe6da9a88a9bcfd3bf995

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 13224301be802e772064bc281b51d1bb9581085ccbffe6da9a88a9bcfd3bf995

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1886977/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214243/

Comments