MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16916105173762495c0c97601501b3e3662c43bdb5fa59725acd681e3794e2bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 2 YARA File information Comments

SHA256 hash:	16916105173762495c0c97601501b3e3662c43bdb5fa59725acd681e3794e2bc
SHA3-384 hash:	4b9476b714aa71f1d6d3f40faf7055c45509275e68c40ac9d87f7c798683e1173ead64ebc9b5316aefcbff93b26c6d06
SHA1 hash:	65d3d98389b9943adce18f40ff7ddc29b73e4c69
MD5 hash:	929829729d15f3f2755334cb5f2c0fbc
humanhash:	uranus-twenty-spaghetti-burger
File name:	929829729d15f3f2755334cb5f2c0fbc.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	312'832 bytes
First seen:	2021-11-30 06:25:54 UTC
Last seen:	2021-11-30 07:48:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2609c9d02832734316a97d328e2206c7 (6 x RedLineStealer)
ssdeep	3072:/0SLJ00p4Xc7h/zfWpTn8Ak6VQSluILcOJH2lFG0mYmAB8xgDagZAfOk13:1S6/zupG6VQSLcOhqw0MDaGKTI
Threatray	5'702 similar samples on MalwareBazaar
TLSH	T189648D1077E0C835F1B712B949B993B9A53F7DA1AB2891CF72D02AEA56346D0EC30347
File icon (PE):
dhash icon	b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
176.122.23.55:11768

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
176.122.23.55:11768	https://threatfox.abuse.ch/ioc/256291/
45.67.231.50:49268	https://threatfox.abuse.ch/ioc/256295/

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

929829729d15f3f2755334cb5f2c0fbc.exe

Verdict:

Suspicious activity

Analysis date:

2021-11-30 06:39:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/842e7b46-c289-4e1a-a03b-5c015cae2612

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/209790/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.80820.28305.3082.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Reading critical registry keys

Searching for analyzing tools

Searching for the window

Searching for synchronization primitives

Changing a file

Creating a file in the %AppData% subdirectories

Running batch commands

Creating a process with a hidden window

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Query of malicious DNS domain

Stealing user critical data

Enabling autorun by creating a file

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/253/overview

Behaviour

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61a5c407effcae2254f537bb/reports/ee6cefcf-705d-4777-9b73-2ae14176e270/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/eb556c8d-cede-4de0-a8d3-08c4edb1f3e7

Result

Threat name:

Cryptbot RedLine SmokeLoader Tofsee Vida

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/898511

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

Changes security center settings (notifications, updates, antivirus, firewall)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the windows firewall

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Sigma detected: Copying Sensitive Files with Credential Data

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Yara detected Cryptbot

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Tofsee

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16916105173762495c0c97601501b3e3662c43bdb5fa59725acd681e3794e2bc/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2021-11-30 06:26:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c2iwcbixg5resxams5qbkant4ntcyq55wx5fs4s2zvub4n4u4k6a._file

Verdict:

malicious

RedLineStealer

54a9562e6c77a8e835e44f99ded308a6ce806d0ca09efb7efb6cef376532b278

RedLineStealer

7ea766da00634b64fd5178410bef330b4fd33aa18c78e09ed0a97c9a8efea116

RedLineStealer

cf22cfc5cf9a55cf39f9559e13ee84f183b566b52481b62d0d464ea45bf36420

RedLineStealer

d2fdb5a27dc6c62388f131aafaa89db7662936a1937bd395613234b60e1699b6

RedLineStealer

f5eb64043ef2c64c9c971bd9b6c3d6f43702c5e3dd19639327d20db8fb713c99

RedLineStealer

+ 5'692 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:arkei family:cryptbot family:icedid family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:706 botnet:default botnet:hmm campaign:2904573523 backdoor banker collection discovery evasion infostealer miner persistence spyware stealer suricata themida trojan

Link:

https://tria.ge/reports/211130-g67zraeaaq/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Launches sc.exe

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Themida packer

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Arkei Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

XMRig Miner Payload

Arkei

CryptBot

IcedID, BokBot

RedLine

RedLine Payload

SmokeLoader

Tofsee

Vidar

Windows security bypass

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata: ET MALWARE Win32/IcedID Request Cookie

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

xmrig

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
92.255.76.197:38637
quadoil.ru
lakeflex.ru
http://file-file-host4.com/tratata.php
194.127.178.164:59973
placingapie.ink
https://mstdn.social/@anapa
https://mastodon.social/@mniami