MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 13
| SHA256 hash: | 2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7 |
|---|---|
| SHA3-384 hash: | 83e7abea6e7ed9aa7e55c1ccaa8b92462ac83c3f94af109478c95465d5ae5e114618708cd5a0251179706a0a25cb53d5 |
| SHA1 hash: | 498a1e5ec1704d96c82e7b6228ac3ba37b9dbee7 |
| MD5 hash: | 6a9ecc2b12f245698396dadd31dd7e1f |
| humanhash: | asparagus-illinois-helium-monkey |
| File name: | 2988763CE776FB8A9C79A2565384A30744CCCD114CDE7.exe |
| Signature: | RedLineStealer |
| File size: | 3'592'114 bytes |
| First seen: | 2022-01-11 23:05:59 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox) |
| ssdeep: | 98304:Jwf4e/X2cHVz2DgoJT7VGCcSTcl1uNl4JrYhqLf:Jwf48mc1z2XsJS/kcc7 |
| TLSH: | T105F5330A39A6062BE583833659E1844FB89F6C1F4054E3A877F0174AEF6B61D1587F3E |
| dhash icon: | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter: | |
| Tags: | exe RedLineStealer |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 80.89.228.118:24478 | https://threatfox.abuse.ch/ioc/293532/ |
| 193.38.54.57:45801 | https://threatfox.abuse.ch/ioc/294070/ |
Intelligence
File Origin
# of uploads: 1
# of downloads: 242
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2988763CE776FB8A9C79A2565384A30744CCCD114CDE7.exe
Verdict: No threats detected
Analysis date: 2022-01-11 23:09:14 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: Vidar
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: arkeistealer barys control.exe overlay packed redline shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara Genericmalware
Behaviour
Detection: redlinestealer
Threat name: Win32.Trojan.Antiloadr
Status: Malicious
First seen: 2021-10-20 08:56:05 UTC
File Type: PE (Exe)
Extracted files: 82
AV detection: 32 of 43 (74.42%)
Threat level: 5/5
Detection(s): Suspicious file
Result
Malware family: smokeloader
Score: 10/10
Tags: family:redline family:smokeloader botnet:fucker2 botnet:media18 aspackv2 backdoor infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 2010b113bce681120cbdbe50fd2c3393587d723b97d13a5777429570621bb339
MD5 hash: ae22fdfdaf90dc3174ebe91333125e1e
SHA1 hash: 3a62fed1ee6e36ca58c3ec19d0a4ae9f9eb0e2b8
Parent samples:
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Malicious File
Score: 1.00