MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47
SHA3-384 hash: 9e76d7a6a358e208d45646eb4b3635acb5ca0b1be8e8071fc6dc2cc9d80030b576aa71b9586f4b1610d79128a06ef2b8
SHA1 hash: 2c477e9ef7f055f7dab54078c9aff8eb30694b89
MD5 hash: 99aaffa85ef7f0f16fb71435a1789210
humanhash: montana-helium-finch-muppet
File name:1B8943B2CCEA3EE9E464B5865711DB721BAE33CA03646.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:237'056 bytes
First seen:2023-12-25 20:35:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e02f6b73811afb8377f3033bdeecd68 (1 x Stealc, 1 x RedLineStealer)
ssdeep 3072:uI71HpD138zSIQ6WoVTEEiS+IWWWkElI8ULPz6j0kmZorp:F7111MzSoPVTKIWNkEGVH6gvo
Threatray 3 similar samples on MalwareBazaar
TLSH T14234DF22B7E0C072E16346304A71C7A65A377CB19B7199CF2BD41A7E6E702D1CB7934A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0ad092484844c84c (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
82.115.223.163:20643

Intelligence

File Origin
# of uploads :
1
# of downloads :
513
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
1B8943B2CCEA3EE9E464B5865711DB721BAE33CA03646.exe
Verdict:
Malicious activity
Analysis date:
2023-12-25 20:36:21 UTC
Tags:
loader smoke smokeloader
Link:
https://app.any.run/tasks/b4510d79-977b-408f-9dd2-6776b582a37a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469323/
Detection(s):
Win.Ransomware.Tofsee-10015140-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP GET request
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lolbin packed zusy
Link:
https://www.filescan.io/uploads/6589e7b3ffafd83ebc9b57c8/reports/ad0f7815-59b8-4f60-bc91-2606dbf62c10/overview
Verdict:
Malicious
Labled as:
Trojan.Kryptik
Link:
https://www.hybrid-analysis.com/sample/1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e821bd84-9386-4920-ac8d-bafbeba6f640
Result
Threat name:
BazaLoader, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366906
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BazaLoader
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1366906 Sample: 1B8943B2CCEA3EE9E464B586571... Startdate: 25/12/2023 Architecture: WINDOWS Score: 100 75 dpav.cc 2->75 95 Multi AV Scanner detection for domain / URL 2->95 97 Found malware configuration 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 14 other signatures 2->101 13 1B8943B2CCEA3EE9E464B5865711DB721BAE33CA03646.exe 2->13         started        16 evfevht 2->16         started        18 evfevht 2->18         started        signatures3 process4 signatures5 127 Detected unpacking (changes PE section rights) 13->127 129 Maps a DLL or memory area into another process 13->129 131 Checks if the current machine is a virtual machine (disk enumeration) 13->131 133 Creates a thread in another existing process (thread injection) 13->133 20 explorer.exe 8 5 13->20 injected 135 Antivirus detection for dropped file 16->135 137 Multi AV Scanner detection for dropped file 16->137 139 Machine Learning detection for dropped file 16->139 141 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->141 process6 dnsIp7 77 201.235.220.156 TelecomArgentinaSAAR Argentina 20->77 79 dpav.cc 211.119.84.112, 49735, 49736, 49737 LGDACOMLGDACOMCorporationKR Korea Republic of 20->79 81 88.151.192.77, 49755, 80 AZERONLINEAZ Azerbaijan 20->81 65 C:\Users\user\AppData\Roaming\evfevht, PE32 20->65 dropped 67 C:\Users\user\AppData\Local\Temp\B563.exe, PE32+ 20->67 dropped 69 C:\Users\user\...\evfevht:Zone.Identifier, ASCII 20->69 dropped 103 System process connects to network (likely due to code injection or exploit) 20->103 105 Benign windows process drops PE files 20->105 107 Deletes itself after installation 20->107 109 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->109 25 B563.exe 5 20->25         started        file8 signatures9 process10 file11 71 C:\Windows \System32\WINMM.dll, PE32+ 25->71 dropped 73 C:\Windows \System32\winSAT.exe, PE32+ 25->73 dropped 119 Multi AV Scanner detection for dropped file 25->119 121 Detected unpacking (overwrites its own PE header) 25->121 123 Machine Learning detection for dropped file 25->123 125 5 other signatures 25->125 29 winSAT.exe 1 25->29         started        31 winSAT.exe 25->31         started        signatures12 process13 process14 33 B563.exe 3 29->33         started        37 conhost.exe 29->37         started        file15 63 C:\Windows\System\svchost.exe, PE32+ 33->63 dropped 89 Found Tor onion address 33->89 91 Drops executables to the windows directory (C:\Windows) and starts them 33->91 93 Adds a directory exclusion to Windows Defender 33->93 39 svchost.exe 33->39         started        43 powershell.exe 23 33->43         started        45 powershell.exe 23 33->45         started        47 schtasks.exe 33->47         started        signatures16 process17 dnsIp18 83 5.8.55.77, 49772, 9001 PINDC-ASRU Russian Federation 39->83 85 198.140.141.51, 443, 49774 PCA-ASUS United States 39->85 87 21 other IPs or domains 39->87 111 System process connects to network (likely due to code injection or exploit) 39->111 113 Multi AV Scanner detection for dropped file 39->113 115 Machine Learning detection for dropped file 39->115 117 2 other signatures 39->117 49 powershell.exe 39->49         started        51 powershell.exe 39->51         started        53 conhost.exe 43->53         started        55 conhost.exe 45->55         started        57 conhost.exe 47->57         started        signatures19 process20 process21 59 conhost.exe 49->59         started        61 conhost.exe 51->61         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-11-22 09:35:55 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=doeuhmwm5i7otzdewwdfoeo3oin24m6kansggdp2n526w7zmrjdq._file
Verdict:
malicious
Similar samples:
1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47
RedLineStealer
698d0121ad84456cad91925ad212150e1184e62a62944f3d77742afc9deef181
RedLineStealer
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub1 backdoor trojan
Link:
https://tria.ge/reports/231225-zdj2bsacck/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Deletes itself
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
SmokeLoader
Malware Config
C2 Extraction:
http://dpav.cc/tmp/
http://lrproduct.ru/tmp/
http://kggcp.com/tmp/
http://talesofpirates.net/tmp/
http://pirateking.online/tmp/
http://piratia.pw/tmp/
http://go-piratia.ru/tmp/
Unpacked files
SH256 hash:
dfce14ca9fa6c76df25ff3d3ff18ba943031d07a5cae3f0bad422e2b5e7eb559
MD5 hash:
37875cacee117b15e05b3f1c808592ac
SHA1 hash:
6a7882ca410e781262af685cf395bd2458c35a3b
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/9652622e-7863-4d79-b53d-7fec6f3a296c/
Parent samples :
b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd
07850ea1732b07aae1b520bc4e07f939a29ea8f842993a5849965d71aec14cb1
8ce95aee92cffc56420902fa657bc82a44574450ada63eb864d11e404a59a078
73639e5216b7fb5c0550f69d63bcbb3e568fd912f9288216795eb965b1b2b6fe
5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1
fc447974118abe161835c31fd3b0305a84b9ba374f47a4295b435a85cc756f57
98368ebea0db4a1ef1ef8ae8b9cdc862c8dc5bb00bfb570f83a50794ce6ad816
90575d53104fa810c6896f874e421e905c3687ff1767574842d10cc143237762
e669dd52d97cc96b42efb1661dfeb898b6277a0484d25b8e86b492acf41c8f7d
1729faf82ded430ab520c6ebd82743abb231222a867329f5b15c2d01b7578016
f8619a870e7c7ef001512d9b2d5caf3b40a4855c5c72ec9a8fe7d4ee44a93b3a
1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47
SH256 hash:
1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47
MD5 hash:
99aaffa85ef7f0f16fb71435a1789210
SHA1 hash:
2c477e9ef7f055f7dab54078c9aff8eb30694b89
Link:
https://www.unpac.me/results/9652622e-7863-4d79-b53d-7fec6f3a296c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b8943b2ccea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469323/

Comments