MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c25ff7d46a393a4273cdcb0d3cc46f1539287bf3c4e5f4bf7df922b9e617aff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	4c25ff7d46a393a4273cdcb0d3cc46f1539287bf3c4e5f4bf7df922b9e617aff
SHA3-384 hash:	e6eeeefd3d11279e30d4e0d16e18cac14e664cc1732e74df223977e35a1b80266f03650c001fa0023ca2f056faa43e88
SHA1 hash:	a966975738810f4e7cda50882f49015e4ed8b7ab
MD5 hash:	90be1405952d8e5a1179b64bb5b68001
humanhash:	echo-three-november-venus
File name:	90be1405952d8e5a1179b64bb5b68001.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	280'064 bytes
First seen:	2022-01-16 20:20:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	80720d283b0420bbcbb388cde3e0df65 (6 x RedLineStealer, 2 x Amadey, 2 x RaccoonStealer)
ssdeep	6144:Td49vuZ8a8pfCPwu2c/YzxNasARdXAapeMrYH8nHu:TCQZ8HaIu2c/YDasOt0M88n
Threatray	6'670 similar samples on MalwareBazaar
TLSH	T14554AE10BBA0D035F8B752F44A7AC3ADB92E7AB15B2490CF52D526EE16396D0DC3131B
File icon (PE):
dhash icon	25ec1378399b9b91 (23 x RedLineStealer, 13 x Smoke Loader, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
91.243.59.76:23927

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.243.59.76:23927	https://threatfox.abuse.ch/ioc/295621/

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

90be1405952d8e5a1179b64bb5b68001.exe

Verdict:

Suspicious activity

Analysis date:

2022-01-16 20:24:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f47279b9-b0bf-4c29-a62b-8d7431a10027

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/219652/

Detection(s):

Win.Dropper.Mikey-9917324-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

DNS request

Searching for synchronization primitives

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4387/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware mikey packed

Link:

https://www.filescan.io/uploads/61e47e301883c5ba4ed50d41/reports/b126187b-ad69-4e4c-927d-fa850eaa92b0/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a4e31784-68e9-432a-a5d6-cb9baf37a7fc

Result

Threat name:

RedLine SmokeLoader Tofsee

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/921468

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

Changes security center settings (notifications, updates, antivirus, firewall)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has nameless sections

Sigma detected: Copying Sensitive Files with Credential Data

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Tofsee

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-01-16 20:21:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jqs767kguoj2ijz43synhtcg6fjzfb57hrhf6s7x36jcxhtbpl7q._file

Verdict:

malicious

RedLineStealer

29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03

RedLineStealer

4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a

RedLineStealer

8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

RedLineStealer

8cedc3fb74185394bbf60d2dc1f9618b1e576986f13031b9e29ef12daa6eaf2c

RedLineStealer

eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1

RedLineStealer

+ 6'660 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:amadey family:arkei family:raccoon family:smokeloader family:tofsee family:xmrig botnet:default backdoor collection discovery evasion miner persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/220116-y4zc9sgdaj/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Arkei Stealer Payload

XMRig Miner Payload

Amadey

Arkei

Raccoon

SmokeLoader

Tofsee

Windows security bypass

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

xmrig

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
http://file-file-host4.com/tratata.php
patmushta.info
parubey.info
185.215.113.35/d2VxjasuwS/index.php