MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e9adc33aec3681bc1eb2cc3627bc8b0922add8cc28e6dc23fcbacb0e94a428d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e9adc33aec3681bc1eb2cc3627bc8b0922add8cc28e6dc23fcbacb0e94a428d
SHA3-384 hash: fbd5952da6953b6fd04bda6f0a54305856788f43092c0a28107980039d90359ce6ae7cb5c0c557e24781a0c3bdb2a734
SHA1 hash: fdc671f9a0445629c046c9643d7460a02a0bf841
MD5 hash: 3d93f02266ce6d1eb4a558dddcb0249c
humanhash: finch-one-artist-mars
File name:3d93f02266ce6d1eb4a558dddcb0249c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:189'440 bytes
First seen:2021-10-28 16:26:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0907a935ef90d39af9a616560320cd24 (4 x RaccoonStealer, 1 x LimeRAT, 1 x RedLineStealer)
ssdeep 3072:NaKw8JjNqJahZI9Qyz+fFQkYot7Zz1zBu/VvD9WrxpzbgqruXhspVggjcGkNIVqI:cKLjNqsZDA+N0ot7x1tE79uzbgwu6L7W
Threatray 5'230 similar samples on MalwareBazaar
TLSH T115049EF072ECC071D0AF293D88218BA55E2A7C21DA60594B3374239E5F76ECC9AE535D
File icon (PE):PE icon
dhash icon fcfcf4f4d4d4d8c8 (8 x RedLineStealer, 4 x RaccoonStealer, 1 x SystemBC)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.67.231.145:10991

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.67.231.145:10991 https://threatfox.abuse.ch/ioc/239282/

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201003/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.35416.2589.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ef4b6d8-45e9-4898-a211-b704d2ee771c
Result
Threat name:
Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878763
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511199 Sample: 6oi3E5jdTR.exe Startdate: 28/10/2021 Architecture: WINDOWS Score: 100 75 ttmirror.top 2->75 77 teletele.top 2->77 79 2 other IPs or domains 2->79 95 Multi AV Scanner detection for domain / URL 2->95 97 Found malware configuration 2->97 99 Antivirus detection for URL or domain 2->99 101 12 other signatures 2->101 11 6oi3E5jdTR.exe 2->11         started        14 daehesr 2->14         started        17 wiehesr 2->17         started        signatures3 process4 file5 127 Contains functionality to inject code into remote processes 11->127 129 Injects a PE file into a foreign processes 11->129 19 6oi3E5jdTR.exe 11->19         started        73 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 14->73 dropped 131 Detected unpacking (changes PE section rights) 14->131 133 Machine Learning detection for dropped file 14->133 22 wiehesr 17->22         started        signatures6 process7 signatures8 103 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->103 105 Maps a DLL or memory area into another process 19->105 107 Checks if the current machine is a virtual machine (disk enumeration) 19->107 109 Creates a thread in another existing process (thread injection) 19->109 24 explorer.exe 10 19->24 injected process9 dnsIp10 89 216.128.137.31, 80 AS-CHOOPAUS United States 24->89 91 iyc.jelikob.ru 81.177.141.36, 443, 49807 RTCOMM-ASRU Russian Federation 24->91 93 8 other IPs or domains 24->93 65 C:\Users\user\AppData\Roaming\wiehesr, PE32 24->65 dropped 67 C:\Users\user\AppData\Roaming\daehesr, PE32 24->67 dropped 69 C:\Users\user\AppData\Local\Temp3A.exe, PE32 24->69 dropped 71 10 other malicious files 24->71 dropped 119 System process connects to network (likely due to code injection or exploit) 24->119 121 Benign windows process drops PE files 24->121 123 Deletes itself after installation 24->123 125 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->125 29 5F0D.exe 1 24->29         started        32 E3A.exe 24->32         started        34 D01D.exe 24->34         started        38 7 other processes 24->38 file11 signatures12 process13 dnsIp14 135 Multi AV Scanner detection for dropped file 29->135 137 DLL reload attack detected 29->137 139 Detected unpacking (changes PE section rights) 29->139 157 5 other signatures 29->157 141 Machine Learning detection for dropped file 32->141 143 Injects a PE file into a foreign processes 32->143 40 E3A.exe 32->40         started        81 45.95.235.77, 49857, 80 YURTEH-ASUA Russian Federation 34->81 57 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 34->57 dropped 59 C:\ProgramData\sqlite3.dll, PE32 34->59 dropped 145 Query firmware table information (likely to detect VMs) 34->145 147 Tries to detect sandboxes and other dynamic analysis tools (window names) 34->147 159 2 other signatures 34->159 83 93.115.20.139, 28978, 49841 MVPShttpswwwmvpsnetEU Romania 38->83 85 162.159.130.233, 443, 49852, 49855 CLOUDFLARENETUS United States 38->85 87 5 other IPs or domains 38->87 61 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 38->61 dropped 63 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 38->63 dropped 149 Detected unpacking (creates a PE file in dynamic memory) 38->149 151 Detected unpacking (overwrites its own PE header) 38->151 153 Adds a directory exclusion to Windows Defender 38->153 155 Sample uses process hollowing technique 38->155 43 AdvancedRun.exe 1 38->43         started        45 powershell.exe 38->45         started        47 AdvancedRun.exe 38->47         started        49 CasPol.exe 38->49         started        file15 signatures16 process17 signatures18 111 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->111 113 Maps a DLL or memory area into another process 40->113 115 Checks if the current machine is a virtual machine (disk enumeration) 40->115 117 Creates a thread in another existing process (thread injection) 40->117 51 AdvancedRun.exe 43->51         started        53 conhost.exe 45->53         started        55 AdvancedRun.exe 47->55         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e9adc33aec3681bc1eb2cc3627bc8b0922add8cc28e6dc23fcbacb0e94a428d/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 16:20:59 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2nnym5oynubxqplftbwe66iwcjcvxmmykhg3qr7zowlb2kkikgq._file
Verdict:
malicious
Similar samples:
4f153e6ce78056f92411d5ef40fd99926f4f0130b3050136307ed8d4e9276130
RedLineStealer
5d5aa3cac3c4da5cc59b50725ace09c310ee4531dff2a6ef53db573edd5bda6f
RedLineStealer
7e52d4da15fe2a58de032652081f0875c6edb3259033a50acccd288d3aa3d8dc
RedLineStealer
9d185a3e5184065f1628af9d8325e53b8503a0f7705e54b0d7afb8223eeff208
RedLineStealer
f1e4cf5b0fc8658f900febca637c9071fe7396f410015c41284768eac593ffa5
RedLineStealer
f25d7dae55dc8c848e9fed3f218f886f4ca4412e5b94ae882c846c9b52a14046
RedLineStealer
+ 5'220 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:raccoon family:redline family:smokeloader family:vidar botnet:60e59be328fbd2ebac1839ea99411dccb00a6f49 botnet:754 botnet:999323 botnet:bf3d8fa0cd3851466e7e14f29c80f7156044d3dc botnet:dywa botnet:proliv botnet:safeinstaller botnet:super star backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/211028-tx31nabhd5/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Arkei
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
https://mas.to/@lilocc
93.115.20.139:28978
185.183.32.161:80
45.67.231.145:10991
185.183.32.183:55694
95.217.110.27:15401
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/d00e63f0-85ab-46d8-83a3-e5920365bdf7/
SH256 hash:
2e9adc33aec3681bc1eb2cc3627bc8b0922add8cc28e6dc23fcbacb0e94a428d
MD5 hash:
3d93f02266ce6d1eb4a558dddcb0249c
SHA1 hash:
fdc671f9a0445629c046c9643d7460a02a0bf841
Link:
https://www.unpac.me/results/d00e63f0-85ab-46d8-83a3-e5920365bdf7/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2e9adc33aec3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e9adc33aec3681bc1eb2cc3627bc8b0922add8cc28e6dc23fcbacb0e94a428d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2e9adc33aec3681bc1eb2cc3627bc8b0922add8cc28e6dc23fcbacb0e94a428d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201003/

Comments