MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 345a517d13106c67756aa7c69cd530fd28c06914a0635407d325373568094c5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	345a517d13106c67756aa7c69cd530fd28c06914a0635407d325373568094c5d
SHA3-384 hash:	ebad9fcb66c66be6013fddcd02ae870e2b76778ca5d040f01298e0dbbf21514daf7d4d54b162708361af5ec2babab670
SHA1 hash:	518d5c726a1001d573e3a047d2dbb6bf7f538bd6
MD5 hash:	8b8d52ccb401623f9a1c9f5612f28f1c
humanhash:	florida-wyoming-angel-mars
File name:	8b8d52ccb401623f9a1c9f5612f28f1c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	273'920 bytes
First seen:	2022-03-08 17:30:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5fb8a90699385dd79bbcc37048719eae (3 x Gozi, 1 x RedLineStealer, 1 x DanaBot)
ssdeep	3072:ZEYOUT1LzJy5eNrl9ZXAh6Tpd6cJQ5wKM/h36bj:1T1LdygFt5FQoKT
Threatray	14'705 similar samples on MalwareBazaar
TLSH	T13744AF313650C032D4872130941AEFA15AFFB9716FB1864773A81BAD6F323D2A66635F
File icon (PE):
dhash icon	327e7c7f767c6e76 (1 x Gozi, 1 x RedLineStealer, 1 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/248401/

Detection(s):

Win.Dropper.Stop-9938042-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Searching for synchronization primitives

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8610/overview

Behaviour

MeasuringTime

SystemUptime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware

Link:

https://www.filescan.io/uploads/62279ac4b94fb38cb43fc0a7/reports/6930749d-ef8d-4bf5-98ca-977714881b53/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0e288d07-be52-4c11-a771-517121493591

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/952824

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Execution of Suspicious File Type Extension

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/345a517d13106c67756aa7c69cd530fd28c06914a0635407d325373568094c5d/

Threat name:

Win32.Trojan.Strab

Status:

Malicious

First seen:

2022-03-08 17:32:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 27 (70.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=grnfc7itcbwgo5lku7djzvjq7uuma2iuubrvib6teu3tk2ajjroq._file

Verdict:

malicious

RedLineStealer

29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03

RedLineStealer

4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a

RedLineStealer

8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

RedLineStealer

8cedc3fb74185394bbf60d2dc1f9618b1e576986f13031b9e29ef12daa6eaf2c

RedLineStealer

eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1

RedLineStealer

+ 14'695 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220308-v3p7eshga5/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc

MD5 hash:

198ff357daf4345c9fc869616b139381

SHA1 hash:

24c9899b296cf004e400b77e72b89f42bb726f37

Link:

https://www.unpac.me/results/dbf36f74-08da-4e62-b8fe-5dfa264b3986/

Parent samples :

3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d

SH256 hash:

345a517d13106c67756aa7c69cd530fd28c06914a0635407d325373568094c5d

MD5 hash:

8b8d52ccb401623f9a1c9f5612f28f1c

SHA1 hash:

518d5c726a1001d573e3a047d2dbb6bf7f538bd6

Link:

https://www.unpac.me/results/dbf36f74-08da-4e62-b8fe-5dfa264b3986/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/345a517d13106c67756aa7c69cd530fd28c06914a0635407d325373568094c5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 345a517d13106c67756aa7c69cd530fd28c06914a0635407d325373568094c5d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2059403/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/248401/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample