MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30992bd7993a1f698c11d69c5c3e7cf440268cb32e51318e29142f12bd550981. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	30992bd7993a1f698c11d69c5c3e7cf440268cb32e51318e29142f12bd550981
SHA3-384 hash:	d5e8cb88122d7d1162c7a0082b492191526a201e1cf59d47b0f59d6e17f10123a8c0f445db8e805ed3b64e9341133ae0
SHA1 hash:	b06fd09f7a32c7cd8baf7e291a01d384eafd7542
MD5 hash:	fc984dab945855a82bd58a4f2b8e6d94
humanhash:	magnesium-eleven-network-hydrogen
File name:	fc984dab945855a82bd58a4f2b8e6d94.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	194'560 bytes
First seen:	2022-01-27 19:00:49 UTC
Last seen:	2022-01-27 20:34:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	66114453adb1a4ac92d2df6c03865845 (1 x RedLineStealer, 1 x Stop)
ssdeep	3072:78/zLKexnqtrJiOkW0N0qYtuNa22geZonNW5M8bCoJ3:7KzLKGi734OukbXbC8
TLSH	T1B5149D1831E5C072E5A715764430C3B05E7B78766F36AE8F7EC527BA1F262E2872430A
File icon (PE):
dhash icon	d2b1e4c4ecb9c7f9 (20 x Smoke Loader, 13 x Stealc, 8 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
91.243.59.156:20856

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.243.59.156:20856	https://threatfox.abuse.ch/ioc/352482/

Intelligence

File Origin

# of uploads :

# of downloads :

243

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fc984dab945855a82bd58a4f2b8e6d94.exe

Verdict:

Suspicious activity

Analysis date:

2022-01-27 19:42:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b2b29367-eb06-450f-b52a-bb5067675aa4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/224660/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.2846.1616.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Searching for synchronization primitives

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process from a recently created file

Reading critical registry keys

Unauthorized injection to a recently created process

Query of malicious DNS domain

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5364/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61f2ec006a7929f66a1c05ae/reports/8de3e17b-2de3-41d2-b365-7da852082b5a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eaa970e4-a299-4b97-b97a-cfcf0edb65cc

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/929291

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/30992bd7993a1f698c11d69c5c3e7cf440268cb32e51318e29142f12bd550981/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2022-01-27 19:01:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 28 (64.29%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gcmsxv4zhipwtdar22ofypt46racndftfzitddrjcqxrfpkvbgaq._file

Verdict:

malicious

Label(s):

ryuk

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220127-xn75sshcan/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

196c516ea546fb935ac669681a74a4dc80da79d9088f464f6cc6f126ae934f4e

MD5 hash:

c36de8bc9668ec4eaafca4c349dca0d5

SHA1 hash:

ea2cadfada69b93ca3abeb8b2462c5c18891fabf

Link:

https://www.unpac.me/results/3c4034c6-1cbd-414d-946e-1d77525ad6f7/

Parent samples :

6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
8928eed86ea55a63e3646bf8ca403b4b1e57702f73c1ecc8fa403b5700a304ef
18ad362dcae8df5827846223c09ceba7766e09733b685d4067ee39037daec452
da39948d95cdbce6e1ca9e0fdbb77080164a379f593e530b5732d3fc38df7bf8
7c74a8c41e24f69015185f78b8fbc177edcbe9d27099e904497b2310999f74cb
92ebb6be19502fe2573a9eac183bcc657b88ac5b0344285d9db409b0a3d88dab
af6fa095b427a0e95dd826696c2b92b0123e688e3c95f6d27825cc2928085d1b
de8099732ee5b73f3fa6d032a74e8576d06663fc16b2c6da27a34444fdced1c8

SH256 hash:

30992bd7993a1f698c11d69c5c3e7cf440268cb32e51318e29142f12bd550981

MD5 hash:

fc984dab945855a82bd58a4f2b8e6d94

SHA1 hash:

b06fd09f7a32c7cd8baf7e291a01d384eafd7542

Link:

https://www.unpac.me/results/3c4034c6-1cbd-414d-946e-1d77525ad6f7/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/30992bd7993a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/30992bd7993a1f698c11d69c5c3e7cf440268cb32e51318e29142f12bd550981

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 30992bd7993a1f698c11d69c5c3e7cf440268cb32e51318e29142f12bd550981

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1970217/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1995766/

Cape

https://www.capesandbox.com/analysis/224660/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample