MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2805be73a04fe26bd831204a0e30a9d629ad5567b9b275291354bf3c7e89b010. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2805be73a04fe26bd831204a0e30a9d629ad5567b9b275291354bf3c7e89b010
SHA3-384 hash: d361cd1b62397b8688161db5d690325d5264a559e59792da8a4946a3c6c1506105123028ad2b2d790a60a5595d96de73
SHA1 hash: cfccb8f1be7288f9b43150b567ddf4843b4af13b
MD5 hash: 4df693f47c93324efa41fccef3b1331c
humanhash: massachusetts-seven-triple-moon
File name:4df693f47c93324efa41fccef3b1331c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:240'640 bytes
First seen:2021-12-04 19:52:55 UTC
Last seen:2021-12-04 22:11:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fbaafb9c4dc21eef78a54a5defdac47 (1 x CryptBot, 1 x RedLineStealer)
ssdeep 3072:rhJ8eUlR5XKKAsEFBitTyzShsZVggjcGkNIVqI/sxkgaBCh0pZa9uD6Vdyhk8Z2:rhJqKzlFBiMb7ITsqXigaXwVfZ
Threatray 8'001 similar samples on MalwareBazaar
TLSH T18F34ACC276D18475E5A27E3188658BE15B2BBD12D6205027F6F4A7EE1FB33D04A3630E
File icon (PE):PE icon
dhash icon fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
195.133.47.114:38620

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.67:30242 https://threatfox.abuse.ch/ioc/259157/
195.133.47.114:38620 https://threatfox.abuse.ch/ioc/259445/
207.32.217.251:6202 https://threatfox.abuse.ch/ioc/259584/

Intelligence

File Origin
# of uploads :
2
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-12-02 17:28:21 UTC
Tags:
evasion trojan rat redline loader stealer vidar amadey
Link:
https://app.any.run/tasks/b4eeec47-a5bd-431a-9f49-338afa7d4955

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211363/
Detection(s):
SecuriteInfo.com.Variant.Midie.105203.31242.11215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Searching for synchronization primitives
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/837/overview
Behaviour
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61abc721fa72c81b5b0b87e0/reports/642a5896-9fa9-4d45-b219-30f4e070f0b3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/baa1a618-f4da-4774-8f47-0413ee612763
Result
Threat name:
Clipboard Hijacker Cryptbot RedLine Smok
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901498
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 533975 Sample: W88QoyCyC7.exe Startdate: 04/12/2021 Architecture: WINDOWS Score: 100 57 unic16m.top 2->57 59 unic16e.top 2->59 61 3 other IPs or domains 2->61 67 Multi AV Scanner detection for domain / URL 2->67 69 Found malware configuration 2->69 71 Antivirus detection for URL or domain 2->71 73 14 other signatures 2->73 10 W88QoyCyC7.exe 2->10         started        13 rjgfwtg 2->13         started        15 SmartClock.exe 2->15         started        signatures3 process4 signatures5 97 Detected unpacking (changes PE section rights) 10->97 99 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->99 101 Maps a DLL or memory area into another process 10->101 103 Creates a thread in another existing process (thread injection) 10->103 17 explorer.exe 7 10->17 injected 105 Multi AV Scanner detection for dropped file 13->105 107 Machine Learning detection for dropped file 13->107 109 Checks if the current machine is a virtual machine (disk enumeration) 13->109 process6 dnsIp7 51 185.215.113.208, 49849, 80 WHOLESALECONNECTIONSNL Portugal 17->51 53 rcacademy.at 41.41.255.235, 49755, 49759, 49762 TE-ASTE-ASEG Egypt 17->53 55 11 other IPs or domains 17->55 41 C:\Users\user\AppData\Roaming\rjgfwtg, PE32 17->41 dropped 43 C:\Users\user\AppData\Local\Temp51E.exe, PE32 17->43 dropped 45 C:\Users\user\AppData\Local\Temp\DB4C.exe, PE32 17->45 dropped 47 6 other malicious files 17->47 dropped 75 System process connects to network (likely due to code injection or exploit) 17->75 77 Benign windows process drops PE files 17->77 79 Deletes itself after installation 17->79 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->81 22 E51E.exe 4 17->22         started        26 3A45.exe 30 17->26         started        28 DB4C.exe 17->28         started        30 5 other processes 17->30 file8 signatures9 process10 dnsIp11 49 C:\Users\user\AppData\...\SmartClock.exe, PE32 22->49 dropped 83 Detected unpacking (changes PE section rights) 22->83 85 Detected unpacking (overwrites its own PE header) 22->85 87 Machine Learning detection for dropped file 22->87 89 Delayed program exit found 22->89 33 SmartClock.exe 22->33         started        91 Tries to harvest and steal browser information (history, passwords, etc) 26->91 35 cmd.exe 28->35         started        63 195.133.47.114, 38620, 49884 SPD-NETTR Russian Federation 30->63 65 185.215.113.67, 30242, 49866 WHOLESALECONNECTIONSNL Portugal 30->65 93 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 30->93 95 Contains functionality to infect the boot sector 30->95 file12 signatures13 process14 process15 37 conhost.exe 35->37         started        39 timeout.exe 35->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2805be73a04fe26bd831204a0e30a9d629ad5567b9b275291354bf3c7e89b010/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 22:55:10 UTC
File Type:
PE (Exe)
Extracted files:
71
AV detection:
32 of 45 (71.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fac3445aj7rgxwbrebfa4mfj2yu22vlhxgzhkkitks7ty7ujwaia._file
Verdict:
malicious
Similar samples:
42173b9b5ae6bcec8b65312e270633a3df6fa4355c9ac4973486291f0fcd8052
RedLineStealer
437dc388b0128e6a30420d5fa3cc40e791fc27c16585f4744cbaa8306a48df35
RedLineStealer
66798c6d3dc469191b6f79c5847845df119d7cff50d1d271959a28173b930755
RedLineStealer
6b742d5776f47ded81c77b3f947f25d3b113564104967d3ebff716c5b287f384
RedLineStealer
ba9547aac21a5bf2e5220d529b5f79bcb1bf1066824ac8fc3d2074cec2944dbe
RedLineStealer
c7304ff0966068d305da031f9da60c5b0ebe32ac43533d27f50190f1ba549347
RedLineStealer
ea2a2d0b594f527f391abdf595d5f93424d9121dc292ff458362bff765bff2cd
RedLineStealer
+ 7'991 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:redline family:smokeloader botnet:zaliv kub korm backdoor collection discovery evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/211204-ylzw3sbefm/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates processes with tasklist
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Modifies registry class
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
CryptBot
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
Malware Config
C2 Extraction:
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
https://cinems.club/search.php
https://clothes.surf/search.php
195.133.47.114:38620
molerreneta.xyz:80
Unpacked files
SH256 hash:
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash:
ded1c6e8c89148495fc19734e47b664d
SHA1 hash:
3a444aeacd154f8d66bca8a98615765c25eb3d41
Link:
https://www.unpac.me/results/fbe5498f-96ce-4e95-8f26-1603bee0aa13/
Parent samples :
3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
SH256 hash:
2805be73a04fe26bd831204a0e30a9d629ad5567b9b275291354bf3c7e89b010
MD5 hash:
4df693f47c93324efa41fccef3b1331c
SHA1 hash:
cfccb8f1be7288f9b43150b567ddf4843b4af13b
Link:
https://www.unpac.me/results/fbe5498f-96ce-4e95-8f26-1603bee0aa13/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2805be73a04f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2805be73a04fe26bd831204a0e30a9d629ad5567b9b275291354bf3c7e89b010

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211363/

Comments