MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: 19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
SHA3-384 hash: 8cd55eff687b5c9783f1fd134b00bb60c31b976b4cc3d08c47523cd8cb5f99f37add7e955bbce00b50bb5de8368e82db
SHA1 hash: 31b731099104f5dfda61b79dcea723d3cd5e1d84
MD5 hash: e4d8a5580372bcff92a7be2f385eb7f7
humanhash: william-potato-maryland-london
File name: e4d8a5580372bcff92a7be2f385eb7f7.exe
Download: download sample
Signature: RedLineStealer
File size: 358'912 bytes
First seen: 2021-04-30 01:10:52 UTC
Last seen: 2021-04-30 02:03:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 6144:x3BovcGbA3VFe0aLzpvTSc2VAJmvHndgxTJDtQ:1B1KA3vxaXxTpzEnkJ
Threatray: 371 similar samples on MalwareBazaar
TLSH: 837458CB6D1486B3C74CF63280A3773C072B997E6BD38E0EA48F3E5957362AE5449145
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
193.142.146.202:36186

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 193.142.146.202:36186
ThreatFox Reference: https://threatfox.abuse.ch/ioc/25068/

Intelligence


File Origin
# of uploads: 2
# of downloads: 129
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Creating a file in the %AppData% directory
Creating a file
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Running batch commands
Moving a recently created file
Setting a global event handler
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AsyncRAT SmokeLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 400708; sample rSYbV3jx0K.exe; start date 30/04/2021; architecture WINDOWS; score 100): [rendered graph not reproduced as text]
Threat name: ByteCode-MSIL.Trojan.Vigorf
Status: Malicious
First seen: 2021-04-18 08:36:39 UTC
File Type: PE (.Net Exe)
Extracted files: 47
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:asyncrat family:redline family:smokeloader backdoor discovery infostealer persistence rat spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Async RAT payload
Nirsoft
AsyncRat
Modifies WinLogon for persistence
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
null:null
http://greenco2020.top/
http://greenco2021.top/
http://greenco2022.top/
Unpacked files

SHA256 hash: 227c64df9ec0d962a339d28e446e5065c1359c35e63ae217a3581bee350f2046
MD5 hash: 6e2ea28323ca7aa8fdc29215d3ece138
SHA1 hash: f679cf157cbad68566820ae994025708b6c1b679

SHA256 hash: c6da37658cfc7751ef491c75e23494b01323e7459f1b0963a40733793d79fe54
MD5 hash: 652f865ca4fc260183e09732cdfa02d8
SHA1 hash: d570ab058bb9c0ef2b5f9dc539aecbc516d04c1a

SHA256 hash: 49a63a13a37aafb8cf468981153e0dbd9019c79bdc1ecef5e4611c06db182bf3
MD5 hash: 7ceaa5ee0a25213d3b1256f70779027d
SHA1 hash: b7597773064c8e9409ef679357fc01495149a54b

SHA256 hash: 077ccfe219e4ce58adcd479900820adead428016802318f8bf94f5e7f7f1f33a
MD5 hash: 47c8ebef14fcf94e27d65f802913ee12
SHA1 hash: 720bf835ee9b449018e2645cfe73dff7d4b44c6f
Detections: win_asyncrat_w0

SHA256 hash: ef81add0b56ebd819e3c3c605558d51f02022184a45112aa5269dc0afc2d61a3
MD5 hash: 5df5fde36a03a17603357ea778df428a
SHA1 hash: 6b8e722565c0edf5b4012050e2bbaa13cd4676fe

SHA256 hash: 19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
MD5 hash: e4d8a5580372bcff92a7be2f385eb7f7
SHA1 hash: 31b731099104f5dfda61b79dcea723d3cd5e1d84
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Author: ditekSHen
Description: Detects file containing reversed ASEP Autorun registry keys

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT

Rule name: Reverse_text_bin_mem
Author: James_inthe_box
Description: Reverse text detected

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT

Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments