MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c96561abea75c95091112fe45a8e9eb79b4a66e3f19494148932ffb87aaa17d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 4c96561abea75c95091112fe45a8e9eb79b4a66e3f19494148932ffb87aaa17d
SHA3-384 hash: 9bb1f809b720ca8f3245c5e1df10d63494d88007054ba4fcfa90f763ae1247e7561b88d6ad4835063031e3a77e4a81cf
SHA1 hash: a01b768c494a2387bb7494da55ec42d5586da175
MD5 hash: 4fca3668e0836b3e9432874e491a23c4
humanhash: fish-bulldog-comet-zebra
File name: 4fca3668e0836b3e9432874e491a23c4.exe
Signature: RedLineStealer
File size: 270'336 bytes
First seen: 2022-03-22 18:57:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 75e06567c553fd5738bcb732c4034310 (3 x RedLineStealer, 1 x DanaBot, 1 x Stop)
ssdeep: 3072:zAXF4X1V/Q5rS9DRFECgt0OtCyENttN7AD0kw/5xXqE52B:QF4P/yS9DRuTt0Y2Qk6Eo
Threatray: 15'069 similar samples on MalwareBazaar
TLSH: T10844BF213BB3C8B2C49724706825CBB56BBF743216B489473BA5173D5F703D29AB631A
dhash icon: 5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
142.132.184.130:15150

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 142.132.184.130:15150
ThreatFox reference: https://threatfox.abuse.ch/ioc/439505/

Intelligence


File Origin
# of uploads: 1
# of downloads: 176
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Searching for synchronization primitives
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun by creating a file

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine SmokeLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a

Result
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-03-19 03:05:12 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 30 of 42 (71.43%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor discovery spyware stealer trojan
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 9049ff744c56858b777adf1cf80f4e0f876a4d54dc23ea884c2f8aa39a3bef1d
MD5 hash: 31ebd93c9fb74de0bf3c9eac412f72fb
SHA1 hash: b7c4e5e258b4b7a3742c23315c7a204d73bf72d4

SHA256 hash: 4c96561abea75c95091112fe45a8e9eb79b4a66e3f19494148932ffb87aaa17d
MD5 hash: 4fca3668e0836b3e9432874e491a23c4
SHA1 hash: a01b768c494a2387bb7494da55ec42d5586da175
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments