MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75
SHA3-384 hash: fbb9aec939a105540702faa8db06864af1879d4f83d4a0316afc0518d4b20da7f81b0a344eac4b7a5e30ffda29dad020
SHA1 hash: 337ea7adc36ddbdce5a40ae5ef86c00231dc469b
MD5 hash: 30e382a6a16549580c28d59e8b2e48d2
humanhash: undress-hotel-blossom-coffee
File name:30e382a6a16549580c28d59e8b2e48d2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:222'720 bytes
First seen:2021-11-10 11:15:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 959e3f7a6ddd7b4ec96854ed6fe13765 (6 x RedLineStealer)
ssdeep 3072:r7RTQciScHqfd6HqMeKwdCTr/XEZqoILM2Wrxpzbgqru2sxkgaBChApZa9uD6Vdj:pPiScHqfdIvHE4M2uzbgwujigaLwVf
Threatray 7'908 similar samples on MalwareBazaar
TLSH T17E249C3177BD8461E0AB2E3455618AA10A27B8727920404BE763671E2FB3FDC85F635F
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c8 (18 x RedLineStealer, 10 x RaccoonStealer, 5 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
93.115.18.158:3333

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
93.115.18.158:3333 https://threatfox.abuse.ch/ioc/246036/

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/204696/
Detection(s):
Win.Malware.Fragtor-9907126-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/618ba9f7a00afa9663a2e720/reports/f0c5d386-a7a3-428b-9067-e65fc7377ea3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5477678f-6442-452e-b5d8-85d2e313029c
Result
Threat name:
IcedID Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886664
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Regsvr32 Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download HTTP data from a sinkholed server
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected IcedID
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 519137 Sample: ttABzQagtj.exe Startdate: 10/11/2021 Architecture: WINDOWS Score: 100 84 nusotiso4.su 2->84 86 wrioshtivsio.su 2->86 88 2 other IPs or domains 2->88 128 Tries to download HTTP data from a sinkholed server 2->128 130 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->130 132 Antivirus detection for URL or domain 2->132 136 15 other signatures 2->136 11 ttABzQagtj.exe 2->11         started        14 hfisruc 2->14         started        16 gvisruc 2->16         started        signatures3 134 System process connects to network (likely due to code injection or exploit) 84->134 process4 signatures5 146 Contains functionality to inject code into remote processes 11->146 148 Injects a PE file into a foreign processes 11->148 18 ttABzQagtj.exe 11->18         started        150 DLL reload attack detected 14->150 152 Detected unpacking (changes PE section rights) 14->152 154 Maps a DLL or memory area into another process 14->154 156 2 other signatures 14->156 21 gvisruc 16->21         started        process6 signatures7 120 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->120 122 Maps a DLL or memory area into another process 18->122 124 Checks if the current machine is a virtual machine (disk enumeration) 18->124 23 explorer.exe 10 18->23 injected 126 Creates a thread in another existing process (thread injection) 21->126 process8 dnsIp9 100 escalivrouter.net 23->100 102 176.121.14.151, 49869, 49944, 80 FLOWSPEC-ASUA Ukraine 23->102 104 11 other IPs or domains 23->104 56 C:\Users\user\AppData\Roaming\hfisruc, PE32 23->56 dropped 58 C:\Users\user\AppData\Roaming\gvisruc, PE32 23->58 dropped 60 C:\Users\user\AppData\Local\Temp\FFBE.exe, PE32 23->60 dropped 62 12 other files (10 malicious) 23->62 dropped 138 System process connects to network (likely due to code injection or exploit) 23->138 140 Benign windows process drops PE files 23->140 142 Deletes itself after installation 23->142 144 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->144 28 FFBE.exe 23->28         started        31 AEE5.exe 1 23->31         started        34 6F83.exe 23->34         started        37 11 other processes 23->37 file10 signatures11 process12 dnsIp13 162 Detected unpacking (changes PE section rights) 28->162 164 Detected unpacking (overwrites its own PE header) 28->164 166 Sample uses process hollowing technique 28->166 39 FFBE.exe 28->39         started        74 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 31->74 dropped 168 DLL reload attack detected 31->168 170 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 31->170 172 Renames NTDLL to bypass HIPS 31->172 186 3 other signatures 31->186 90 185.215.113.46, 49948, 80 WHOLESALECONNECTIONSNL Portugal 34->90 92 api.ip.sb 34->92 174 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->174 176 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->176 178 Tries to steal Crypto Currency Wallets 34->178 94 185.92.73.142, 49926, 52097 FOXCLOUDNL Netherlands 37->94 96 koyu.space 95.217.25.51, 443, 49929, 49945 HETZNER-ASDE Germany 37->96 98 2 other IPs or domains 37->98 76 C:\Users\user\AppData\Local\...\MICROS~1.EXE, PE32 37->76 dropped 78 C:\Users\user\AppData\...\rundllhost.exe, PE32 37->78 dropped 80 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 37->80 dropped 82 11 other files (none is malicious) 37->82 dropped 180 Creates multiple autostart registry keys 37->180 182 Tries to harvest and steal browser information (history, passwords, etc) 37->182 184 Injects a PE file into a foreign processes 37->184 43 MICROS~1.EXE 37->43         started        46 9E0B.exe 4 37->46         started        48 rundllhost.exe 37->48         started        50 2 other processes 37->50 file14 signatures15 process16 dnsIp17 106 91.219.236.143, 49942, 49950, 80 SERVERASTRA-ASHU Hungary 39->106 108 t.me 149.154.167.99, 443, 49949 TELEGRAMRU United Kingdom 39->108 116 6 other IPs or domains 39->116 64 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 39->64 dropped 66 C:\Users\user\AppData\...\vcruntime140.dll, PE32 39->66 dropped 68 C:\Users\user\AppData\...\ucrtbase.dll, PE32 39->68 dropped 72 56 other files (none is malicious) 39->72 dropped 110 bitbucket.org 104.192.141.1, 443, 49935 AMAZON-02US United States 43->110 118 3 other IPs or domains 43->118 70 C:\Users\user\AppData\Local\...\MICROS~1.EXE, PE32 43->70 dropped 158 Injects a PE file into a foreign processes 43->158 52 conhost.exe 43->52         started        112 93.115.20.139, 28978, 49859 MVPShttpswwwmvpsnetEU Romania 46->112 160 Tries to steal Crypto Currency Wallets 46->160 54 rundllhost.exe 48->54         started        114 185.215.113.29, 36224 WHOLESALECONNECTIONSNL Portugal 50->114 file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 11:16:07 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egkqh2u2ok76zv35vf2tkxwirilor7vg3gqd756lo3epk463pj2q._file
Verdict:
malicious
Similar samples:
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
RedLineStealer
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
RedLineStealer
6d7596a48c5e95b3f42a58b09348c4293f92a0a6738c5850856bf1a5b323a6a8
RedLineStealer
be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881
RedLineStealer
c37feba7ad29a50f566e779edd2c5514edcbd6e87909ca4d8e6d1f9727362d94
RedLineStealer
ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0
RedLineStealer
f4d185f32721b1c2da2dfdf291154a0c3927fea3e267a4f88f99a49d36ef149a
RedLineStealer
fbb99570b341367a86c2c23b56862bfb3d3ea91c06e7c15750f7d36bf82f494b
RedLineStealer
+ 7'898 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:icedid family:raccoon family:redline family:smokeloader botnet:102 botnet:1217670233 botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 botnet:new3 botnet:pub3 botnet:superstar backdoor banker discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/211110-nc6cdsghd3/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Core1 .NET packer
IcedID, BokBot
Raccoon
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://nalirou70.top/
http://xacokuo80.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
93.115.20.139:28978
185.215.113.29:36224
lakogrefop.rest
hangetilin.top
follytresh.co
zojecurf.store
185.92.73.142:52097
185.215.113.46:80
Unpacked files
SH256 hash:
cdb9c842ba86fc328ec80226975c54c24a3ee9868cbbaab14d2b651cc80e70e6
MD5 hash:
f7ff52793660cabb5ebd2bd4b9810336
SHA1 hash:
23e6a68262b479a1ff214b09dbfe159292475a22
Link:
https://www.unpac.me/results/3c27d388-253a-4406-b8c4-a356534cef02/
SH256 hash:
219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75
MD5 hash:
30e382a6a16549580c28d59e8b2e48d2
SHA1 hash:
337ea7adc36ddbdce5a40ae5ef86c00231dc469b
Link:
https://www.unpac.me/results/3c27d388-253a-4406-b8c4-a356534cef02/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/219503ea9a72/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1755148/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/204696/

Comments