MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4543a3d8d235564d4ee40c91668182795956ab149c15fb08afdc89111ab80082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4543a3d8d235564d4ee40c91668182795956ab149c15fb08afdc89111ab80082
SHA3-384 hash: 05853e4a3c7299bae3c383676b56f6997f3bb6742d34518929f82607fb63b5ba6e76e1c10cd193ceb001816e62eebad0
SHA1 hash: aa2055a2526e9f10c96e2d35c847a1d53eaf78a4
MD5 hash: acef31a08f9aeaa6acf23853e273bed5
humanhash: maine-comet-skylark-snake
File name:acef31a08f9aeaa6acf23853e273bed5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:340'480 bytes
First seen:2022-01-17 12:05:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d8809088101df222b4da2c9c6c93c39 (2 x RedLineStealer, 2 x RaccoonStealer, 1 x Loki)
ssdeep 6144:Tj0kKGhBvRdGhJ6N94gKf+PlQq/ygJCXwOB57qMhAcHZXLuFmU:TjnK4v3GHoKgKf+Plr/ygJCXF57qGAcW
Threatray 573 similar samples on MalwareBazaar
TLSH T108747C00BBA0D036F5B715F449BA93B8B53E7AE15B2451CB53D16AED96386E0EC3031B
File icon (PE):PE icon
dhash icon 25ac137839939b91 (12 x Smoke Loader, 7 x Amadey, 5 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.243.59.76:23927

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.243.59.76:23927 https://threatfox.abuse.ch/ioc/295621/
91.243.32.174:24797 https://threatfox.abuse.ch/ioc/297518/

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
acef31a08f9aeaa6acf23853e273bed5.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-17 12:48:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3d7d410a-3f2b-4125-abea-9c8d8ec602c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219833/
Detection(s):
Win.Dropper.Mikey-9917324-0
Create hunting rule

Win.Packed.Tofsee-9935687-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4453/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mikey packed
Link:
https://www.filescan.io/uploads/61e55bb1f81da814af88febc/reports/0ed01fc5-db78-4be3-b45a-5fc940121922/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff54f7d2-2a84-4a92-acd9-c78e97696c57
Result
Threat name:
RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921776
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 554254 Sample: M35wDmIxV6.exe Startdate: 17/01/2022 Architecture: WINDOWS Score: 100 79 transfer.sh 2->79 81 host-data-coin-11.com 2->81 101 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->101 103 Multi AV Scanner detection for domain / URL 2->103 105 Found malware configuration 2->105 107 16 other signatures 2->107 11 M35wDmIxV6.exe 2->11         started        13 rugbeai 2->13         started        16 svchost.exe 2->16         started        18 10 other processes 2->18 signatures3 process4 dnsIp5 21 M35wDmIxV6.exe 11->21         started        129 Machine Learning detection for dropped file 13->129 24 rugbeai 13->24         started        131 Changes security center settings (notifications, updates, antivirus, firewall) 16->131 26 MpCmdRun.exe 1 16->26         started        83 192.168.2.1 unknown unknown 18->83 28 WerFault.exe 18->28         started        signatures6 process7 signatures8 109 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->109 111 Maps a DLL or memory area into another process 21->111 113 Checks if the current machine is a virtual machine (disk enumeration) 21->113 30 explorer.exe 8 21->30 injected 115 Creates a thread in another existing process (thread injection) 24->115 35 conhost.exe 26->35         started        process9 dnsIp10 87 185.233.81.115, 443, 49765 SUPERSERVERSDATACENTERRU Russian Federation 30->87 89 188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands 30->89 91 8 other IPs or domains 30->91 71 C:\Users\user\AppData\Roaming\rugbeai, PE32 30->71 dropped 73 C:\Users\user\AppData\Local\Temp\FA23.exe, PE32 30->73 dropped 75 C:\Users\user\AppData\Local\Temp\DF95.exe, PE32 30->75 dropped 77 11 other malicious files 30->77 dropped 93 System process connects to network (likely due to code injection or exploit) 30->93 95 Benign windows process drops PE files 30->95 97 Deletes itself after installation 30->97 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->99 37 787D.exe 3 30->37         started        40 6E4B.exe 2 30->40         started        43 4BB.exe 30->43         started        file11 signatures12 process13 file14 117 Antivirus detection for dropped file 37->117 119 Multi AV Scanner detection for dropped file 37->119 121 Machine Learning detection for dropped file 37->121 123 Injects a PE file into a foreign processes 37->123 45 787D.exe 37->45         started        69 C:\Users\user\AppData\Local\...\ausmnckz.exe, PE32 40->69 dropped 125 Detected unpacking (changes PE section rights) 40->125 127 Detected unpacking (overwrites its own PE header) 40->127 48 cmd.exe 40->48         started        51 cmd.exe 40->51         started        53 sc.exe 40->53         started        55 sc.exe 40->55         started        57 WerFault.exe 3 10 43->57         started        signatures15 process16 dnsIp17 85 92.255.111.23, 38134, 49892 CONTINENTAL_GROUP-ASRU Russian Federation 45->85 67 C:\Windows\SysWOW64\...\ausmnckz.exe (copy), PE32 48->67 dropped 59 conhost.exe 48->59         started        61 conhost.exe 51->61         started        63 conhost.exe 53->63         started        65 conhost.exe 55->65         started        file18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4543a3d8d235564d4ee40c91668182795956ab149c15fb08afdc89111ab80082/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2022-01-17 12:06:13 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ivb2hwgsgvle2txebsiwnamcpfmvnkyutqk7wcfp3sercgvyacba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
044c4e0f1bc9b09ac252d12645a9c38a549944688609dacd3960cb0652314983
RedLineStealer
2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df
RedLineStealer
5617cf97967fc9377f8b775f52fe43c8c54f9cab67fa164f6f903d4ebe9b79c2
RedLineStealer
87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56
RedLineStealer
9230d8e8791a48bcca68a199b29e0be82d17d4079bbe715953ca35a2101b6d6b
RedLineStealer
a771e073fa4ba6ef336ab59ae52114c034d5725a7731dfb1593a764688f7dc16
RedLineStealer
aea2cbc32b7925ab28e619b8deb5c540ea8e61ad631b02e348be04b87f44627a
RedLineStealer
cfe1a9cedf12e5c01c4727d0b12de8ccecf696a64bf895daf2b71e4131f1e1de
RedLineStealer
e670a645b65e5a4deadb6d555fa4f2bc88ef92a5e9657419f410bd1cc076f407
RedLineStealer
e69a5acecc913dd2a60736303db36b6f2415caf682dfff23dc5e7822e5bf117a
RedLineStealer
+ 563 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:raccoon family:smokeloader family:tofsee family:xmrig botnet:default backdoor collection discovery evasion miner persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220117-n9q9qsacek/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Arkei Stealer Payload
XMRig Miner Payload
Arkei
Raccoon
SmokeLoader
Tofsee
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
patmushta.info
parubey.info
http://file-file-host4.com/tratata.php
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/1df127c9-f1b0-4462-b7b6-cc1fe5a985c2/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
4543a3d8d235564d4ee40c91668182795956ab149c15fb08afdc89111ab80082
MD5 hash:
acef31a08f9aeaa6acf23853e273bed5
SHA1 hash:
aa2055a2526e9f10c96e2d35c847a1d53eaf78a4
Link:
https://www.unpac.me/results/1df127c9-f1b0-4462-b7b6-cc1fe5a985c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4543a3d8d235564d4ee40c91668182795956ab149c15fb08afdc89111ab80082

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4543a3d8d235564d4ee40c91668182795956ab149c15fb08afdc89111ab80082

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1970142/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/219833/

Comments