MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 233657c4d70fe5eeb7344ce5136b844e88a998fb2dcc2399bbe52fd9b600a883. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 233657c4d70fe5eeb7344ce5136b844e88a998fb2dcc2399bbe52fd9b600a883
SHA3-384 hash: 4d006f762c7a251bea2d7a3b9e27cc1fdaea9b4c569ebbf8465cd9fb56288223612a9a51e33fa894f325166bcfeb321e
SHA1 hash: 4781fd3fd82b9091f9ad908c7e6f6016f00c0cf5
MD5 hash: ed0e86bacf07b2233a0aad9a20a543af
humanhash: golf-neptune-bluebird-double
File name:ed0e86bacf07b2233a0aad9a20a543af.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:254'464 bytes
First seen:2022-01-23 13:50:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1232dc64de388ade9f0aa65d0636807d (4 x RedLineStealer, 2 x GrandaMisha, 1 x OnlyLogger)
ssdeep 3072:OCQR+2qL+BAZ0DCvM5uqvErGuOIKwEHYPPP0rM/h3Lfed:ONRtqL+BG0G6ErGuHgmP0rN
Threatray 4'029 similar samples on MalwareBazaar
TLSH T15C44BE713280F431C8C61671982ACFB51E7EA8321965864737EB1B5FAF323905A2639F
File icon (PE):PE icon
dhash icon fcfcb4b4b4d4d9c9 (3 x RedLineStealer, 1 x RaccoonStealer, 1 x Loki)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.216.16.44:11139

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.216.16.44:11139 https://threatfox.abuse.ch/ioc/313265/

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ed0e86bacf07b2233a0aad9a20a543af.exe
Verdict:
No threats detected
Analysis date:
2022-01-23 14:02:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f987c1b-0a69-46e4-b314-1b5cbe445ccc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221713/
Detection(s):
Win.Malware.Mikey-9917879-0
Create hunting rule

Win.Packed.Lockbit-9919158-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61ed5d48d32385db6322065e/reports/20ff3201-ecab-4b91-b05d-cb45418562e7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b78594d-1779-4cd4-a855-e48e8a890a33
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925846
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 558324 Sample: 4bn2pD8FMv.exe Startdate: 23/01/2022 Architecture: WINDOWS Score: 100 37 api.ip.sb 2->37 39 abpa.at 2->39 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Found malware configuration 2->57 59 Antivirus detection for URL or domain 2->59 61 8 other signatures 2->61 8 4bn2pD8FMv.exe 2->8         started        11 rbfiver 2->11         started        13 18B5.exe 2->13         started        signatures3 process4 signatures5 81 Detected unpacking (changes PE section rights) 8->81 83 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->83 85 Maps a DLL or memory area into another process 8->85 87 Creates a thread in another existing process (thread injection) 8->87 15 explorer.exe 8 8->15 injected 89 Multi AV Scanner detection for dropped file 11->89 91 Machine Learning detection for dropped file 11->91 93 Checks if the current machine is a virtual machine (disk enumeration) 11->93 process6 dnsIp7 41 mysouthbay.com 50.87.248.26, 49763, 49818, 80 UNIFIEDLAYER-AS-1US United States 15->41 43 131.153.22.157, 49760, 80 SECUREDSERVERS-EU United States 15->43 45 6 other IPs or domains 15->45 29 C:\Users\user\AppData\Roaming\rbfiver, PE32 15->29 dropped 31 C:\Users\user\AppData\Local\Temp\22F7.exe, PE32 15->31 dropped 33 C:\Users\user\AppData\Local\Temp\18B5.exe, PE32 15->33 dropped 35 3 other malicious files 15->35 dropped 47 System process connects to network (likely due to code injection or exploit) 15->47 49 Benign windows process drops PE files 15->49 51 Deletes itself after installation 15->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->53 20 3D0B.exe 2 15->20         started        23 D359.exe 15->23         started        25 18B5.exe 15->25         started        27 2 other processes 15->27 file8 signatures9 process10 signatures11 63 Multi AV Scanner detection for dropped file 20->63 65 Detected unpacking (changes PE section rights) 20->65 67 Machine Learning detection for dropped file 20->67 69 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 20->69 71 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->71 73 Tries to evade analysis by execution special instruction which cause usermode exception 23->73 75 Hides threads from debuggers 23->75 77 Detected unpacking (overwrites its own PE header) 25->77 79 Contains functionality to infect the boot sector 25->79
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/233657c4d70fe5eeb7344ce5136b844e88a998fb2dcc2399bbe52fd9b600a883/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-23 13:51:11 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=em3fprgxb7s65nzujtsrg24ej2ektgh3fxgchgn34ux5tnqavcbq._file
Verdict:
malicious
Similar samples:
849beb1413d9750e1bad8a3758dc87053d47fe5cba1528723414c918625e6d27
RedLineStealer
b6f3db88b8c6070f8d31d9c36caa59ac7fbdf99b9eeb741ec3e25c73b23bc822
RedLineStealer
d56e5fd63229d155f3490e40ed3b77a5c5b7ede955ed8af77c0434056bb5087c
RedLineStealer
d64c8c01766cefa6cc6afda7ec2291fc7d18c59d179bdf90403a76b032b04785
RedLineStealer
ede12e010ddaffd96dbc21854ff8a5f24d75cd9766d6eb41fce18824c5c18889
RedLineStealer
f80be7705daaced45f4fdd7c1b612dc249d5edd442927c116c4cf39d33728065
RedLineStealer
+ 4'019 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:ie botnet:new backdoor collection discovery evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220123-q5s9msgaej/
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
Malware Config
C2 Extraction:
http://abpa.at/upload/
http://emaratghajari.com/upload/
http://d7qw.cn/upload/
http://alumik-group.ru/upload/
http://zamkikurgan.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
92.255.111.23:38134
178.20.44.124:38636
Unpacked files
SH256 hash:
1ff9a75082212ea111b1d0bd15bb4b6583298b8c2c6585994a5003f8bb966211
MD5 hash:
372914937cc56157b0e449ec1d3825ce
SHA1 hash:
4ffa778e5af71d7fe7333be5920246e6afa45ead
Link:
https://www.unpac.me/results/e884e1e9-d9f4-420e-9b31-245f1323d554/
SH256 hash:
233657c4d70fe5eeb7344ce5136b844e88a998fb2dcc2399bbe52fd9b600a883
MD5 hash:
ed0e86bacf07b2233a0aad9a20a543af
SHA1 hash:
4781fd3fd82b9091f9ad908c7e6f6016f00c0cf5
Link:
https://www.unpac.me/results/e884e1e9-d9f4-420e-9b31-245f1323d554/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/233657c4d70fe5eeb7344ce5136b844e88a998fb2dcc2399bbe52fd9b600a883

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 233657c4d70fe5eeb7344ce5136b844e88a998fb2dcc2399bbe52fd9b600a883

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1995364/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1995362/
Cape
Cape
https://www.capesandbox.com/analysis/221713/

Comments