MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30b2ac034862bb3cec9fb96b58cfa218b15f79ccf1063d4e8214bf8f97b9550b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13


SHA256 hash: 30b2ac034862bb3cec9fb96b58cfa218b15f79ccf1063d4e8214bf8f97b9550b
SHA3-384 hash: afb2f98e55f46ff54e1013c715216335cf5aa2ccadc69a57eed475c61bbe6c5e0c7abf2394a2def6e3ccaa56fe4da866
SHA1 hash: afc3e8228aed25cba8cc8a2393b7152fb00c465f
MD5 hash: cfc13e2bc3e3819d23c04166f99589d7
humanhash: magnesium-mirror-three-summer
File name: cfc13e2bc3e3819d23c04166f99589d7.exe
Signature: RedLineStealer
File size: 4'915'976 bytes
First seen: 2022-06-15 05:26:44 UTC
Last seen: 2022-06-15 06:41:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9f35e965f6effd939584bb73fc92ab6c (1 x RedLineStealer, 1 x RecordBreaker)
ssdeep: 98304:jMJMyklY4DEk5qm9OZD0ADHu0NpoxTlcfEGrOIsX5nmBW0:WM7lY4Aaqm9Beuw2HEEGrONqn
Threatray: 4'565 similar samples on MalwareBazaar
TLSH: T16B3623334A790045D2F6CC3D9A277EE871FA0E57C681A038B5EFF9C529365E8A693443
TrID: 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      25.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      11.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      11.4% (.EXE) OS/2 Executable (generic) (2029/13)
      11.3% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon a2820759860c4c33 (2 x RedLineStealer)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
5.161.102.20:29854

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
5.161.102.20:29854 https://threatfox.abuse.ch/ioc/705389/
135.181.157.91:28855 https://threatfox.abuse.ch/ioc/705390/
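The two ThreatFox entries above, together with the C2 socket reported by the sandbox config extraction further down this page (193.124.22.39:48697), are the actionable network indicators in this entry. The Python below is an added example, not code from MalwareBazaar, ThreatFox or any sandbox vendor, showing how a SOC would operationalise them: parse the ip:port strings, sweep a connection log for destinations that match, and emit Suricata rules. Exact socket matches are separated from hits on a known C2 host over a different port, since the host is the more stable part of the indicator and an IP-only hit is still worth a look. The log format and its four lines are constructed for the example, and the rule SIDs are arbitrary local values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Network IOCs taken from this MalwareBazaar entry: the two ThreatFox-referenced
# RedLine C2 sockets and the C2 reported by the sandbox config extraction.
RAW_IOCS = [
    "5.161.102.20:29854",
    "135.181.157.91:28855",
    "193.124.22.39:48697",
]

# Constructed connection log in an assumed "key=value" layout (not real telemetry).
# Lines 1 and 4 hit a known C2 socket exactly; line 3 reaches a C2 host on another port.
SAMPLE_LOG = """\
2022-06-15T05:31:02Z src=10.0.0.23:49763 dst=5.161.102.20:29854 proto=tcp bytes=18342
2022-06-15T05:31:05Z src=10.0.0.23:49764 dst=203.0.113.10:443 proto=tcp bytes=5120
2022-06-15T05:32:40Z src=10.0.0.51:49801 dst=135.181.157.91:443 proto=tcp bytes=940
2022-06-15T05:33:11Z src=10.0.0.23:49770 dst=193.124.22.39:48697 proto=tcp bytes=22011
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


@dataclass(frozen=True)
class SocketIOC:
    ip: str      # normalised textual address
    port: int


def split_socket(text):
    """Split 'ip:port' into (normalised ip, port); raise ValueError on malformed input."""
    host, sep, port = text.strip().rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected ip:port, got {text!r}")
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {text!r}")
    # ip_address() rejects garbage and canonicalises the textual form.
    return str(ipaddress.ip_address(host.strip("[]"))), port


def parse_socket_iocs(lines):
    return {SocketIOC(*split_socket(line)) for line in lines if line.strip()}


def match_log(log_text, iocs):
    """Return one hit per log line whose destination matches an IOC.

    'exact' = ip and port match a listed C2 socket; 'ip-only' = the host is a
    listed C2 but the port differs (lower confidence, still worth triage).
    """
    exact = {(i.ip, i.port) for i in iocs}
    hosts = {i.ip for i in iocs}
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a connection record we understand
        try:
            ip, port = split_socket(m.group("dst"))
        except ValueError:
            continue                      # unparseable destination, skip rather than crash
        if (ip, port) in exact:
            hits.append({"line": lineno, "dst": f"{ip}:{port}", "match": "exact"})
        elif ip in hosts:
            hits.append({"line": lineno, "dst": f"{ip}:{port}", "match": "ip-only"})
    return hits


def suricata_rules(iocs, sid_start=9000001):
    """One Suricata rule per C2 socket. SIDs are arbitrary local values (assumption)."""
    ordered = sorted(iocs, key=lambda i: (int(ipaddress.ip_address(i.ip)), i.port))
    return [
        f'alert tcp $HOME_NET any -> {ioc.ip} {ioc.port} '
        f'(msg:"RedLine C2 {ioc.ip}:{ioc.port} (MalwareBazaar)"; '
        f'flow:to_server,established; sid:{sid_start + n}; rev:1;)'
        for n, ioc in enumerate(ordered)
    ]


if __name__ == "__main__":
    iocs = parse_socket_iocs(RAW_IOCS)
    for hit in match_log(SAMPLE_LOG, iocs):
        print(hit)
    print("\n".join(suricata_rules(iocs)))
```

The ip-only class exists because RedLine panels on this page already show three different ports on three different hosts; treating the port as part of the indicator is correct for alerting, but dropping it during hunting catches the case where the operator re-homes the panel on the same server.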

Intelligence


File Origin
# of uploads: 2
# of downloads: 282
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3.exe
Verdict: Suspicious activity
Analysis date: 2022-06-14 05:22:48 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its analysis covers all user actions during the session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness: n/a
Behaviour
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: mokes overlay packed smokeloader wacatac
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine, SmokeLoader
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
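Two of the static findings in the list above, "PE file has a writeable .text section" and "Detected VMProtect packer", can be checked from the section table alone, which is a useful first pass before a sample goes anywhere near a sandbox. The Python below is an added example, not code from MalwareBazaar, the sandbox vendor, or the INDICATOR_EXE_Packed_VMProtect rule named later on this page: a minimal PE section-table parser plus a triage pass that flags a writable .text section, any other section that is both writable and executable, and VMProtect-style ".vmpN" section names (a common VMProtect artefact used here as a heuristic, not a reproduction of that YARA rule). The build_stub_pe helper constructs a throwaway PE header so the example runs offline; it is not the sample on this page and contains no code.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Walk the section table of a PE image and return one dict per section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = COFF_HDR.unpack_from(data, coff_off)
    # The section table follows the optional header, whose size is declared in the COFF header.
    table_off = coff_off + COFF_HDR.size + opt_size
    if table_off + nsections * SECTION_HDR.size > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(
            data, table_off + i * SECTION_HDR.size)
        sections.append({
            "name": name.split(b"\0", 1)[0].decode("latin-1"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_offset": rawptr,
            "characteristics": chars,
        })
    return sections


def triage_sections(data):
    """Return a list of human-readable findings for a PE's section table."""
    findings = []
    for s in parse_sections(data):
        flags = s["characteristics"]
        writable = bool(flags & IMAGE_SCN_MEM_WRITE)
        executable = bool(flags & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        if s["name"] == ".text" and writable:
            findings.append("writable .text section")      # self-modifying or unpacking code
        elif writable and executable:
            findings.append(f"W+X section {s['name']}")
        if s["name"].lower().startswith(".vmp"):
            # Heuristic (assumption): VMProtect names its sections .vmp0, .vmp1, ...
            findings.append(f"VMProtect-style section name {s['name']}")
    return findings


def build_stub_pe(sections):
    """Constructed test input: a PE32 header carrying (name, characteristics) sections.

    No code, no imports, not loadable; just enough structure for the parser above.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)   # PE32 magic, rest zeroed
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    table = b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections)
    )
    return dos_header + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    packed = build_stub_pe([
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".vmp0", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ])
    for finding in triage_sections(packed):
        print(finding)
```

On a real sample, read the file bytes and pass them to triage_sections; a packed binary will typically also show a tiny raw_size with a large virtual_size on the section that gets unpacked at runtime, which is a cheap third signal to add once the section dicts are in hand.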
Behaviour
Behavior Graph (ID 645915; sample GPyoiVSzT9.exe; start date 15/06/2022; architecture WINDOWS; score 100)
  Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 10 other signatures
  GPyoiVSzT9.exe (started)
    Overwrites code with unconditional jumps - possibly setting hooks in foreign process
    Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
    Checks if the current machine is a virtual machine (disk enumeration)
    -> explorer.exe (injected)
      Network: agressivemnaiq.xyz 2.58.149.158 port 80 (GBTCLOUDUS, Netherlands; local port 49745)
      Network: download1526.mediafire.com 205.196.123.214 port 443 (MEDIAFIREUS, United States; local port 49746)
      Network: transfer.sh 144.76.136.153 port 443 (HETZNER-ASDE, Germany; local port 49748)
      System process connects to network (likely due to code injection or exploit)
      Performs DNS queries to domains with low reputation
      -> 899B.exe (started)
        Network: 185.173.38.88 port 7231 (ECO-ASRU, Russian Federation; local port 49763)
        Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        Tries to harvest and steal browser information (history, passwords, etc)
        Tries to detect virtualization through RDTSC time measurements
      -> explorer.exe (started)
        Found evasive API chain (may stop execution after checking mutex)
        Checks if browser processes are running
        Contains functionality to compare user and computer (likely to detect sandboxes)
      -> 9E6C.exe (started)
        -> conhost.exe (started)
        -> AppLaunch.exe (started)
      -> 8 other processes
  fjcctst (started)
    Creates a thread in another existing process (thread injection)
Threat name: Win32.Backdoor.Mokes
Status: Malicious
First seen: 2022-06-11 17:00:36 UTC
File Type: PE (Exe)
Extracted files: 13
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@aandriyashkaa discovery infostealer spyware stealer suricata vmprotect
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Executes dropped EXE
VMProtect packed file
RedLine
RedLine Payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction: 193.124.22.39:48697
Unpacked files
SHA256 hash: 30b2ac034862bb3cec9fb96b58cfa218b15f79ccf1063d4e8214bf8f97b9550b
MD5 hash: cfc13e2bc3e3819d23c04166f99589d7
SHA1 hash: afc3e8228aed25cba8cc8a2393b7152fb00c465f
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments