MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33b647a646e62b8b95a40370b3a228fa50d7ac844bf4192456213ed492d74b83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33b647a646e62b8b95a40370b3a228fa50d7ac844bf4192456213ed492d74b83
SHA3-384 hash: c0aa6c3a71b4f449e71bb7a26f03d3d06cbcfb86f7b9da02a11ed7946e41b8ab563d07563bdb8f43ecf23e9f0fd6ce46
SHA1 hash: a4dbe9b0f5ba4d57b2251fd07264985d4877fd4a
MD5 hash: f24f4aa4241f55ae9d70d8167ece78f3
humanhash: indigo-maine-crazy-bacon
File name:f24f4aa4241f55ae9d70d8167ece78f3.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:265'216 bytes
First seen:2022-02-12 21:40:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a00d9ab900e107cfc804454c565e6968 (1 x RedLineStealer)
ssdeep 3072:Yhc8L6LxC4CNZI5KNxYKG2TF8PsxkgaBChZ43hj:YN6Lod7NeIp8EigaIG
Threatray 9'951 similar samples on MalwareBazaar
TLSH T16444AE007AD1C872C4921D749424DBE05A7FFD715A61A14BF7E8BB2F2E30BE0A636356
File icon (PE):PE icon
dhash icon a1bcdcac9c8cb48c (2 x RedLineStealer, 1 x Loki, 1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
31.210.20.39:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
31.210.20.39:81 https://threatfox.abuse.ch/ioc/387277/

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f24f4aa4241f55ae9d70d8167ece78f3.exe
Verdict:
No threats detected
Analysis date:
2022-02-12 21:45:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/49cabf6c-1fd6-4736-b5c7-578cde51073d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241119/
Detection(s):
Win.Dropper.LokiBot-9938483-0
Create hunting rule

Win.Packed.Filerepmalware-9938574-0
Create hunting rule

Win.Packed.Filerepmalware-9938575-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet exploit gandcrab greyware lokibot smokeloader
Link:
https://www.filescan.io/uploads/6208297154047500bb48466f/reports/fb8a1cfc-56a6-4ec4-882d-750a1c5cfa3c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26065171-9631-42a9-ba53-59f69dfde74b
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/938870
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 571348 Sample: lr96jC67LK.exe Startdate: 12/02/2022 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 9 other signatures 2->57 8 lr96jC67LK.exe 2->8         started        11 vbeagva 2->11         started        13 rseagva 2->13         started        15 msiexec.exe 2->15         started        process3 signatures4 83 Detected unpacking (changes PE section rights) 8->83 85 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->85 87 Maps a DLL or memory area into another process 8->87 17 explorer.exe 4 8->17 injected 89 Multi AV Scanner detection for dropped file 11->89 91 Machine Learning detection for dropped file 11->91 93 Checks if the current machine is a virtual machine (disk enumeration) 11->93 95 Creates a thread in another existing process (thread injection) 13->95 process5 dnsIp6 45 texandoors.com 38.117.65.66, 49778, 80 RC-01-ASCA United States 17->45 47 vnx05.3utilities.com 185.158.249.247, 49785, 80 RACKPLACEDE Netherlands 17->47 49 9 other IPs or domains 17->49 37 C:\Users\user\AppData\Roaming\vbeagva, PE32 17->37 dropped 39 C:\Users\user\AppData\Roaming\rseagva, PE32 17->39 dropped 41 C:\Users\user\AppData\Local\Temp\5BD9.exe, PE32 17->41 dropped 43 2 other malicious files 17->43 dropped 59 System process connects to network (likely due to code injection or exploit) 17->59 61 Benign windows process drops PE files 17->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->63 65 4 other signatures 17->65 22 5BD9.exe 2 17->22         started        25 3A65.exe 17->25         started        27 cmd.exe 1 17->27         started        file7 signatures8 process9 signatures10 67 Detected unpacking (changes PE section rights) 22->67 69 Tries to detect sandboxes and other dynamic analysis tools (window names) 22->69 71 Machine Learning detection for dropped file 22->71 81 3 other signatures 22->81 73 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->73 75 Maps a DLL or memory area into another process 25->75 77 Checks if the current machine is a virtual machine (disk enumeration) 25->77 79 Creates a thread in another existing process (thread injection) 25->79 29 WMIC.exe 1 27->29         started        31 WMIC.exe 1 27->31         started        33 WMIC.exe 1 27->33         started        35 3 other processes 27->35 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33b647a646e62b8b95a40370b3a228fa50d7ac844bf4192456213ed492d74b83/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-02-05 04:46:46 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
39 of 43 (90.70%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=go3epjsg4yvyxfneanylhiri7jinpleejp2bsjcwee7njewxjobq._file
Verdict:
malicious
Similar samples:
279e2098736a7f119003cfdfdbd90907782f63a3071f21cd1785f970d59acbda
RedLineStealer
470723b25a6bf11f30ad1b2f1d0eb2129895eb3e6ba4f7dd23eb69137538505f
RedLineStealer
6e60006ac8af12483aee2b0f6bcf0a963a0423b494b55f56ad51bfc9b3a3bd71
RedLineStealer
7aba21bd10b88275b4620021abc90e8d0e5f8f0316e8d8c0b883554afc18f8ae
RedLineStealer
d94a67d52526006c2cf1ff40a181b1b6a763cda06513c3f8051e9a29c208b1f8
RedLineStealer
e00ddba4fd34c7b0f0f2e547ee9e3ff4c0cb4d906f1ca26b17ba2e3f459c59bd
RedLineStealer
ec4524dcf5814a8446d9967b207761234760d189272dae66a9a0c184a6bcbc79
RedLineStealer
+ 9'941 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader backdoor discovery evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220212-1jq79sfabl/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates processes with tasklist
Enumerates system info in registry
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
Malware Config
C2 Extraction:
http://dollybuster.at/upload/
http://spaldingcompanies.com/upload/
http://remik-franchise.ru/upload/
http://fennsports.com/upload/
http://am1420wbec.com/upload/
http://islamic-city.com/upload/
http://egsagl.com/upload/
http://mordo.ru/upload/
http://piratia-life.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
Unpacked files
SH256 hash:
5e7b34e49ab95764c7fe135176f565a401e8e11405cf8706f951ae11a5f35093
MD5 hash:
d5fe169f6f12592687342edcc5df15e0
SHA1 hash:
41af57b6e2dda566498ed81a3086987f34b002b7
Link:
https://www.unpac.me/results/248f2bde-d072-4eb1-9885-a26585f2d329/
SH256 hash:
33b647a646e62b8b95a40370b3a228fa50d7ac844bf4192456213ed492d74b83
MD5 hash:
f24f4aa4241f55ae9d70d8167ece78f3
SHA1 hash:
a4dbe9b0f5ba4d57b2251fd07264985d4877fd4a
Link:
https://www.unpac.me/results/248f2bde-d072-4eb1-9885-a26585f2d329/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241119/

Comments