MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34e6951af9efb7978da56349e5de49450e842b43f8df6693094f57e484fb5cc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA File information Comments

SHA256 hash:	34e6951af9efb7978da56349e5de49450e842b43f8df6693094f57e484fb5cc8
SHA3-384 hash:	e37401b7e96c8a0957d0d3bbc07ba2126677da6e78171eb95595f1b0271acf025a13ce0fc22926ffc8405dfb7ecd2ac9
SHA1 hash:	b5abaeefa30121c8083ac0897e279ed766adbdc2
MD5 hash:	4b650202af7c68342fdf572896a11c91
humanhash:	johnny-double-december-california
File name:	4b650202af7c68342fdf572896a11c91.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	343'040 bytes
First seen:	2021-11-30 06:25:32 UTC
Last seen:	2021-11-30 07:48:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3a71bf5bc86a1addc5eef798f37977c5 (2 x RedLineStealer, 1 x Smoke Loader, 1 x RaccoonStealer)
ssdeep	3072:B0SLJ004N/XPJYRv+Oxmhr8ortU0puQt/SdDZC/3hQNGgMAu1MlLjd07SQ3UN:b2/XMtxGr8oBU0puQtqZC/S4ge8ndv5
Threatray	9'157 similar samples on MalwareBazaar
TLSH	T17D749E0067E0C434F5BB16B949B997B9753FBDB16B2490CFA2D02AEA46356D0EC3131B
File icon (PE):
dhash icon	badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
178.238.8.207:11703

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
178.238.8.207:11703	https://threatfox.abuse.ch/ioc/256290/

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4b650202af7c68342fdf572896a11c91.exe

Verdict:

Suspicious activity

Analysis date:

2021-11-30 06:41:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/06e90bbf-4655-486a-a0cf-3459cfdd11aa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/209784/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.7657.50.27607.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for synchronization primitives

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/247/overview

Behaviour

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61a5c400bbfd2af97cbbded7/reports/f02552a7-53d0-43d4-b72e-42d2e25f4ccb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5ba93413-bda9-48ba-83fe-501bba778196

Result

Threat name:

Cryptbot RedLine SmokeLoader Tofsee Vida

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/898535

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops executables to the windows directory (C:\Windows) and starts them

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the windows firewall

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Sigma detected: Copying Sensitive Files with Credential Data

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Yara detected Cryptbot

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Tofsee

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34e6951af9efb7978da56349e5de49450e842b43f8df6693094f57e484fb5cc8/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2021-11-29 21:34:19 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 45 (68.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gttjkgxz563zpdnfmne6lxsjiuhiik2d7dpwneyjj5l6jbh3ltea._file

Verdict:

malicious

RedLineStealer

6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a

RedLineStealer

8b9e05937557c312981409e1107aa75b580f170138d0a7abf3cfaa93dd9113aa

RedLineStealer

be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881

RedLineStealer

c37feba7ad29a50f566e779edd2c5514edcbd6e87909ca4d8e6d1f9727362d94

RedLineStealer

d2b72372d1f6ff858237a0804714acfb2afa47ad2c2530a749ba738d2e0cf416

RedLineStealer

ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0

RedLineStealer

fbb99570b341367a86c2c23b56862bfb3d3ea91c06e7c15750f7d36bf82f494b

RedLineStealer

+ 9'147 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:arkei family:cryptbot family:icedid family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:706 botnet:default botnet:hmm botnet:noname campaign:2904573523 backdoor banker collection discovery evasion infostealer miner persistence spyware stealer themida trojan

Link:

https://tria.ge/reports/211130-g67nzshbb8/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Launches sc.exe

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Themida packer

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Arkei Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

XMRig Miner Payload

Arkei

CryptBot

IcedID, BokBot

RedLine

RedLine Payload

SmokeLoader

Tofsee

Vidar

Windows security bypass

xmrig

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
quadoil.ru
lakeflex.ru
http://file-file-host4.com/tratata.php
92.255.76.197:38637
185.215.113.29:26828
194.127.178.164:59973
placingapie.ink
https://mstdn.social/@anapa
https://mastodon.social/@mniami