MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 164149035d4a3d2edba76c0601f6f83e04d45d7c057d221130c57fc9b13fd5b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments

SHA256 hash: 164149035d4a3d2edba76c0601f6f83e04d45d7c057d221130c57fc9b13fd5b5
SHA3-384 hash: 0855cd19f07edf8e22d90a4e3565be120de4e44f44429e02167ab7f85da258604ab925719597d7a7e255e44350c6756e
SHA1 hash: d0e5c1e975ec41e222f99f7a235d85317a1be3a7
MD5 hash: f768f4a81e8b87d6990895a35b8d7d6c
humanhash: bluebird-coffee-robert-pasta
File name:f768f4a81e8b87d6990895a35b8d7d6c.exe
Download: download sample
Signature RedLineStealer
File size:320'000 bytes
First seen:2022-01-14 11:21:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 64f7fef844b1e4fdfabf9d9b629075a0 (3 x RedLineStealer, 1 x OnlyLogger)
ssdeep 6144:03Oruhy9+2efARaYhqUc9xm1IQgUS1u2NG03OF:aOrm0JRzp0x/QgUp2N6
Threatray 6'562 similar samples on MalwareBazaar
TLSH T14D64AE10BBA0C035F1B722F44AB593ADB93E3AA1572680CF62D51AEE57356E0EC31717
File icon (PE):PE icon
dhash icon 2dec137031939b91 (4 x RedLineStealer, 1 x DanaBot, 1 x Loki)
Reporter @abuse_ch
Tags:exe RedLineStealer


Twitter
@abuse_ch
RedLineStealer C2:
65.108.104.175:1193

Intelligence


File Origin
# of uploads :
1
# of downloads :
306
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f768f4a81e8b87d6990895a35b8d7d6c.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-14 11:33:00 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
–°reating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware tofsee
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Amadey Raccoon RedLine SmokeLoader Tofse
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected BatToExe compiled binary
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553170 Sample: sbxGIUIhRd.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 86 185.215.113.35, 49907, 49908, 49912 WHOLESALECONNECTIONSNL Portugal 2->86 88 185.163.204.24, 49930, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 2->88 90 7 other IPs or domains 2->90 112 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->112 114 Multi AV Scanner detection for domain / URL 2->114 116 Antivirus detection for URL or domain 2->116 118 22 other signatures 2->118 11 sbxGIUIhRd.exe 2->11         started        14 gaystiqf.exe 2->14         started        16 adijaeg 2->16         started        18 5 other processes 2->18 signatures3 process4 signatures5 156 Contains functionality to inject code into remote processes 11->156 158 Injects a PE file into a foreign processes 11->158 20 sbxGIUIhRd.exe 11->20         started        160 Detected unpacking (changes PE section rights) 14->160 162 Detected unpacking (overwrites its own PE header) 14->162 164 Writes to foreign memory regions 14->164 166 Allocates memory in foreign processes 14->166 23 svchost.exe 14->23         started        168 Machine Learning detection for dropped file 16->168 26 adijaeg 16->26         started        28 WerFault.exe 18->28         started        process6 dnsIp7 138 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->138 140 Maps a DLL or memory area into another process 20->140 142 Checks if the current machine is a virtual machine (disk enumeration) 20->142 30 explorer.exe 12 20->30 injected 92 microsoft-com.mail.protection.outlook.com 104.47.54.36, 25, 49849 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->92 94 patmushta.info 94.142.143.116, 443, 49853 IHOR-ASRU Russian Federation 23->94 144 System process connects to network (likely due to code injection or exploit) 23->144 146 Creates a thread in another existing process (thread injection) 26->146 signatures8 process9 dnsIp10 98 185.233.81.115, 443, 49791 SUPERSERVERSDATACENTERRU Russian Federation 30->98 100 81.163.30.181, 49926, 80 IR-RASANAPISHTAZIR Russian Federation 30->100 102 11 other IPs or domains 30->102 78 C:\Users\user\AppData\Roaming\adijaeg, PE32 30->78 dropped 80 C:\Users\user\AppData\Local\Temp\FA5C.exe, PE32 30->80 dropped 82 C:\Users\user\AppData\Local\Temp2A6.exe, PE32 30->82 dropped 84 11 other malicious files 30->84 dropped 104 System process connects to network (likely due to code injection or exploit) 30->104 106 Benign windows process drops PE files 30->106 108 Deletes itself after installation 30->108 110 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->110 35 CFE8.exe 30->35         started        38 E2A6.exe 2 30->38         started        41 95C6.exe 30->41         started        43 2 other processes 30->43 file11 signatures12 process13 file14 120 Detected unpacking (changes PE section rights) 35->120 122 Detected unpacking (overwrites its own PE header) 35->122 124 Found evasive API chain (may stop execution after checking mutex) 35->124 136 4 other signatures 35->136 74 C:\Users\user\AppData\Local\...\gaystiqf.exe, PE32 38->74 dropped 126 Machine Learning detection for dropped file 38->126 128 Uses netsh to modify the Windows network and firewall settings 38->128 130 Modifies the windows firewall 38->130 45 cmd.exe 38->45         started        48 cmd.exe 38->48         started        50 sc.exe 38->50         started        60 3 other processes 38->60 132 Injects a PE file into a foreign processes 41->132 52 95C6.exe 41->52         started        134 Antivirus detection for dropped file 43->134 55 FA5C.exe 43->55         started        58 WerFault.exe 23 9 43->58         started        signatures15 process16 dnsIp17 76 C:\Windows\SysWOW64\...\gaystiqf.exe (copy), PE32 45->76 dropped 62 conhost.exe 45->62         started        64 conhost.exe 48->64         started        66 conhost.exe 50->66         started        148 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 52->148 150 Maps a DLL or memory area into another process 52->150 152 Checks if the current machine is a virtual machine (disk enumeration) 52->152 154 Creates a thread in another existing process (thread injection) 52->154 96 86.107.197.138, 38133, 49901 MOD-EUNL Romania 55->96 68 conhost.exe 60->68         started        70 conhost.exe 60->70         started        72 conhost.exe 60->72         started        file18 signatures19 process20
Threat name:
Win32.Packed.Generic
Status:
Suspicious
First seen:
2022-01-14 11:21:11 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
18 of 28 (64.29%)
Threat level:
  1/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:arkei family:loaderbot family:smokeloader family:tofsee family:xmrig botnet:default backdoor collection discovery evasion loader miner persistence spyware stealer suricata trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
UPX packed file
Arkei Stealer Payload
LoaderBot executable
XMRig Miner Payload
Amadey
Arkei
LoaderBot
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Windows security bypass
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
xmrig
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
http://file-file-host4.com/tratata.php
patmushta.info
parubey.info
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
SH256 hash:
164149035d4a3d2edba76c0601f6f83e04d45d7c057d221130c57fc9b13fd5b5
MD5 hash:
f768f4a81e8b87d6990895a35b8d7d6c
SHA1 hash:
d0e5c1e975ec41e222f99f7a235d85317a1be3a7

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.108.104.175:1193 https://threatfox.abuse.ch/ioc/295071

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 164149035d4a3d2edba76c0601f6f83e04d45d7c057d221130c57fc9b13fd5b5

(this sample)

  
Delivery method
Distributed via web download

Comments