MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d6425cf292c5a78f2014754d8a3368a934110587077584bc54b54642609b1f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d6425cf292c5a78f2014754d8a3368a934110587077584bc54b54642609b1f0
SHA3-384 hash: d7201633db3db07e628b6f9116f398ba4df11c101c8d8d049a37cf11195f123dcabf596ec849ce84f44455c60cb56fc1
SHA1 hash: b039d8a382e4323d08d444b3190ea936185e9404
MD5 hash: b87d122c545b8dcdab899620aead7068
humanhash: mountain-coffee-missouri-spaghetti
File name:b87d122c545b8dcdab899620aead7068.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:194'048 bytes
First seen:2022-01-27 16:30:40 UTC
Last seen:2022-01-27 18:54:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a14b1df5553c3a8a2cc2e18054a4da6 (1 x RedLineStealer, 1 x Tofsee)
ssdeep 3072:/3xjLkC1W/Ca1JiqQedzi/JXW9ejwwZC/bJ5nU3CoJX:fxjLPFCzWJXWiI/qC8
Threatray 6'738 similar samples on MalwareBazaar
TLSH T130147C1031F1C032E56755BA4431C3F45E7BBC762E266A8F7FC52AB91F366E19A2430A
File icon (PE):PE icon
dhash icon d2b1ecd4ecb987f9 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://91.219.236.153/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.153/ https://threatfox.abuse.ch/ioc/351806/

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b87d122c545b8dcdab899620aead7068.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-27 21:28:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b1facb96-0d0c-4342-b9f6-c44d09a30ec7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/224500/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.8716.20454.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5359/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61f2c8d520a5f4d327d49eba/reports/9b69c1d9-0375-4510-9ee1-4ea1de4cb4d9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bbc1f10f-1ce0-49ab-9ed2-599294eed1d2
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/929191
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d6425cf292c5a78f2014754d8a3368a934110587077584bc54b54642609b1f0/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-27 16:31:11 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
17 of 28 (60.71%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvscltzjfrnhr4qbi5knrizwrkjucecyob3vqs6fjnkgijqjwhya._file
Verdict:
malicious
Similar samples:
6d7596a48c5e95b3f42a58b09348c4293f92a0a6738c5850856bf1a5b323a6a8
RedLineStealer
6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a
RedLineStealer
be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881
RedLineStealer
c37feba7ad29a50f566e779edd2c5514edcbd6e87909ca4d8e6d1f9727362d94
RedLineStealer
d2b72372d1f6ff858237a0804714acfb2afa47ad2c2530a749ba738d2e0cf416
RedLineStealer
ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0
RedLineStealer
f1e4cf5b0fc8658f900febca637c9071fe7396f410015c41284768eac593ffa5
RedLineStealer
fbb99570b341367a86c2c23b56862bfb3d3ea91c06e7c15750f7d36bf82f494b
RedLineStealer
+ 6'728 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220127-t1er8sfgep/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/7da5b3a9-5989-445e-adc8-360ff888ceed/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
3d6425cf292c5a78f2014754d8a3368a934110587077584bc54b54642609b1f0
MD5 hash:
b87d122c545b8dcdab899620aead7068
SHA1 hash:
b039d8a382e4323d08d444b3190ea936185e9404
Link:
https://www.unpac.me/results/7da5b3a9-5989-445e-adc8-360ff888ceed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d6425cf292c5a78f2014754d8a3368a934110587077584bc54b54642609b1f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 3d6425cf292c5a78f2014754d8a3368a934110587077584bc54b54642609b1f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1995770/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1970142/
Cape
Cape
https://www.capesandbox.com/analysis/224500/

Comments