MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 162ddba38fa4124281bed59c8bf886b20202c5c2160290eeb696a21a98bf0e61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 162ddba38fa4124281bed59c8bf886b20202c5c2160290eeb696a21a98bf0e61
SHA3-384 hash: 804ac9ebc4abf2d9eca305b5a456b335e6a33b2d16cee945058c0a1712ec19254914ee406015a711da00f07aa594a74f
SHA1 hash: c8e8dbaa0c94e33e2f5f718a9bdc462412909f46
MD5 hash: 66a6c45d0a5aa815526ccc725f2347c2
humanhash: east-delaware-july-spaghetti
File name:66a6c45d0a5aa815526ccc725f2347c2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:336'384 bytes
First seen:2022-02-18 18:25:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ed673bb78007b5e69407cd48f247d0f7 (2 x Stop, 1 x RedLineStealer)
ssdeep 6144:O1FLUY9aRZp8dSxrJlzhue1RTqFpZhUJunm:cWY9UZuYxrPvRTqFZ
Threatray 16'534 similar samples on MalwareBazaar
TLSH T1DE649E40BAA0D03DE0B711F47975C3AEA92E7DA15B2095CB62D63ADE16343E0EDB1317
File icon (PE):PE icon
dhash icon 25ac1378319b9b91 (29 x Amadey, 24 x Smoke Loader, 14 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.133.203.40:20113

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.133.203.40:20113 https://threatfox.abuse.ch/ioc/388853/
95.216.16.35:80 https://threatfox.abuse.ch/ioc/388854/
188.127.235.44:23948 https://threatfox.abuse.ch/ioc/388855/

Intelligence

File Origin
# of uploads :
1
# of downloads :
323
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242592/
Detection(s):
Win.Packed.Filerepmalware-9938531-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6635/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed smokeloader
Link:
https://www.filescan.io/uploads/620fe4bea2660f3bb9fddc56/reports/7e0dd428-8e9a-4669-b75f-24f282bb7238/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39e09bda-86e7-404b-a1f2-34289ec40579
Result
Threat name:
SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942416
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 574894 Sample: TiSbliAd7x.exe Startdate: 18/02/2022 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 74 9 other signatures 2->74 9 TiSbliAd7x.exe 2->9         started        12 jihjhhb 2->12         started        14 uhhjhhb 2->14         started        16 msiexec.exe 2->16         started        process3 signatures4 102 Detected unpacking (changes PE section rights) 9->102 104 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->104 106 Maps a DLL or memory area into another process 9->106 18 explorer.exe 4 9->18 injected 108 Multi AV Scanner detection for dropped file 12->108 110 Machine Learning detection for dropped file 12->110 112 Checks if the current machine is a virtual machine (disk enumeration) 12->112 114 Creates a thread in another existing process (thread injection) 14->114 process5 dnsIp6 60 91.243.44.60, 49782, 49814, 80 SHOCK-1US Russian Federation 18->60 62 oakland-studio.video 143.198.125.86, 443, 49817, 49820 LDCOMNETFR United States 18->62 64 9 other IPs or domains 18->64 48 C:\Users\user\AppData\Roaming\uhhjhhb, PE32 18->48 dropped 50 C:\Users\user\AppData\Roaming\jihjhhb, PE32 18->50 dropped 52 C:\Users\user\AppData\Local\Temp\B943.exe, PE32 18->52 dropped 54 3 other files (2 malicious) 18->54 dropped 76 System process connects to network (likely due to code injection or exploit) 18->76 78 Benign windows process drops PE files 18->78 80 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->80 82 4 other signatures 18->82 23 73B6.exe 79 18->23         started        27 B943.exe 18->27         started        29 5B79.exe 18->29         started        32 cmd.exe 1 18->32         started        file7 signatures8 process9 dnsIp10 56 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 23->56 dropped 58 C:\ProgramData\sqlite3.dll, PE32 23->58 dropped 84 Query firmware table information (likely to detect VMs) 23->84 86 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->86 88 Machine Learning detection for dropped file 23->88 98 4 other signatures 23->98 34 cmd.exe 1 23->34         started        90 Detected unpacking (changes PE section rights) 27->90 92 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 27->92 94 Maps a DLL or memory area into another process 27->94 100 2 other signatures 27->100 66 badgoodreason.com 103.208.86.108, 49837, 80 ZAPPIE-HOST-ASZappieHostGB New Zealand 29->66 96 Tries to detect virtualization through RDTSC time measurements 29->96 36 WMIC.exe 1 32->36         started        38 WMIC.exe 1 32->38         started        40 WMIC.exe 1 32->40         started        42 3 other processes 32->42 file11 signatures12 process13 process14 44 conhost.exe 34->44         started        46 timeout.exe 1 34->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/162ddba38fa4124281bed59c8bf886b20202c5c2160290eeb696a21a98bf0e61/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 03:07:14 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cyw5xi4puqjefan62woix6egwibafroccybjb3vws2rbvgf7bzqq._file
Verdict:
malicious
Similar samples:
059d615ce6dee655959d7feae7b70f3b7c806f3986deb1826d01a07aec5a39cf
RedLineStealer
07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc
RedLineStealer
177281ae34e8e42aeca619f1a5dd728bb7dc4647b64b1411b2b13103c6b06865
RedLineStealer
1e1885766a2d50045f07b07ef4d8f989a578e7cae4696054ff60c0341537d371
RedLineStealer
470723b25a6bf11f30ad1b2f1d0eb2129895eb3e6ba4f7dd23eb69137538505f
RedLineStealer
6e60006ac8af12483aee2b0f6bcf0a963a0423b494b55f56ad51bfc9b3a3bd71
RedLineStealer
d94a67d52526006c2cf1ff40a181b1b6a763cda06513c3f8051e9a29c208b1f8
RedLineStealer
e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f
RedLineStealer
+ 16'524 additional samples on MalwareBazaar
Unpacked files
SH256 hash:
c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0
MD5 hash:
da70ba6fa59896248f7c05fdcb7d581e
SHA1 hash:
174cb2b083e327a362b6ecac68fe939a40743ffb
Link:
https://www.unpac.me/results/f8d8cda5-be31-4594-beea-7978ca9562bf/
SH256 hash:
162ddba38fa4124281bed59c8bf886b20202c5c2160290eeb696a21a98bf0e61
MD5 hash:
66a6c45d0a5aa815526ccc725f2347c2
SHA1 hash:
c8e8dbaa0c94e33e2f5f718a9bdc462412909f46
Link:
https://www.unpac.me/results/f8d8cda5-be31-4594-beea-7978ca9562bf/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/162ddba38fa4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/162ddba38fa4124281bed59c8bf886b20202c5c2160290eeb696a21a98bf0e61

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/242592/

Comments