MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d278086be5f221dcc67070eac0e3751c4a4970d902107e36bcf67d87a83cb9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14



SHA256 hash: 4d278086be5f221dcc67070eac0e3751c4a4970d902107e36bcf67d87a83cb9e
SHA3-384 hash: 102e463c370cdb70fb970886842514cd701417cad2a31183711c1f34021da76fd392b71cee10b64dd04a8a075eb66b0a
SHA1 hash: 4604c158493fe6f146e49665c08fa53be62783f5
MD5 hash: 6914f5f80c6caf942a51f037759346c5
humanhash: potato-iowa-pip-quiet
File name: 6914f5f80c6caf942a51f037759346c5.exe
Signature: RedLineStealer
File size: 223'744 bytes
First seen: 2022-02-28 15:26:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 88ed5feb1133c38cdb474dc3586a1931 (1 x Gozi, 1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep: 1536:4h5/40mXACvUIcCKXCUo0OOOf7zL/LAzJvacmz8cOn91gQa8iQdsl1G7B5QdnCeH:4fQTwqCcXYb1cO9GDFe5MRXTfW+AY
Threatray: 7'057 similar samples on MalwareBazaar
TLSH: T1EE24AE113A8CC4F2C09B5534C478C6B16A7AB9E14765498777A83B2E6FF03D2673B24A
dhash icon: 38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
135.181.222.87:35752

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
135.181.222.87:35752    https://threatfox.abuse.ch/ioc/391262/
185.219.80.244:43819    https://threatfox.abuse.ch/ioc/391263/

Intelligence


File Origin
# of uploads: 1
# of downloads: 239
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4d278086be5f221dcc67070eac0e3751c4a4970d902107e36bcf67d87a83cb9e.exe
Verdict: Suspicious activity
Analysis date: 2022-02-28 16:45:56 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Searching for synchronization primitives
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware hlux mokes
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: SmokeLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution of Suspicious File Type Extension
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 579988; sample YusSo06p5O.exe; start date 28/02/2022; architecture WINDOWS; score 100): YusSo06p5O.exe starts a second YusSo06p5O.exe instance (inject code into remote processes, injects a PE file into a foreign process), which checks kernel code integrity, performs disk-enumeration VM checks, maps a memory area into another process and injects into explorer.exe. The injected explorer.exe resolves store-images.s-microsoft.com, connects to file-coin-host-12.com (80.66.64.170, port 80, VAD-SRL-AS1MD, Russian Federation) and host-data-coin-11.com, drops C:\Users\user\AppData\Roaming\iwtivhs (PE32) and C:\Users\user\...\iwtivhs:Zone.Identifier (ASCII), deletes the original sample after installation and hides the Internet zone identifier. The dropped iwtivhs is later started twice (multi AV scanner and machine learning detection for the dropped file) and creates a thread in another existing process (thread injection).
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-02-28 15:27:07 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 26 of 28 (92.86%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 4d278086be5f221dcc67070eac0e3751c4a4970d902107e36bcf67d87a83cb9e (this sample)

Delivery method: Distributed via web download

Comments