MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e6449a25e997068ffc6be188e3e004ec7168ed4aada87396c4eddab0123ef7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e6449a25e997068ffc6be188e3e004ec7168ed4aada87396c4eddab0123ef7d
SHA3-384 hash: 908ecc8c4a3e3493d1b51a393e9091efc7aea335f3e44bcb1065cd83888de75de08e795ccf58eaa54de2c3dc96dd01bd
SHA1 hash: 2d21cf13aa2f536705f27c241c087cc976dfd49d
MD5 hash: 60ebfd5340d6abc688dfab7d9bc22080
humanhash: autumn-idaho-finch-two
File name:5E6449A25E997068FFC6BE188E3E004EC7168ED4AADA8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:291'840 bytes
First seen:2022-05-24 20:22:35 UTC
Last seen:2022-05-24 20:46:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4822b6a68dfa5df6456256144261d6fc (3 x Stop, 2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 6144:0/SVtiFSwTOfcVoLuzbgwuO0RRRDe1PwVfW:0/SuFSwTOfcAunnwRzDe1
Threatray 14'099 similar samples on MalwareBazaar
TLSH T10B54AD34769CC8B1E04B12305826CEBC672DFD616A64564736E43B5A3EB3A8C82F535F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 327a7c7d727e6e72 (1 x Tofsee, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.150.103.38:5473

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.150.103.38:5473 https://threatfox.abuse.ch/ioc/629689/

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5E6449A25E997068FFC6BE188E3E004EC7168ED4AADA8.exe
Verdict:
No threats detected
Analysis date:
2022-05-24 20:25:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78150378-7f2d-4083-b33d-a790c9b06a9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274291/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19938/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypter greyware tofsee
Link:
https://www.filescan.io/uploads/628d3ebc6eb3ff326328d6c4/reports/8caaa33f-e47f-4898-aa84-e331ba225080/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b6dde9d-6c94-482f-a2a8-15e163516536
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001052
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 633545 Sample: 5E6449A25E997068FFC6BE188E3... Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 21 gerer.at 2->21 29 Multi AV Scanner detection for domain / URL 2->29 31 Found malware configuration 2->31 33 Antivirus detection for URL or domain 2->33 35 5 other signatures 2->35 7 5E6449A25E997068FFC6BE188E3E004EC7168ED4AADA8.exe 2->7         started        10 gwcsabc 2->10         started        signatures3 process4 signatures5 37 Detected unpacking (changes PE section rights) 7->37 39 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->39 41 Maps a DLL or memory area into another process 7->41 49 2 other signatures 7->49 12 explorer.exe 2 7->12 injected 43 Antivirus detection for dropped file 10->43 45 Multi AV Scanner detection for dropped file 10->45 47 Machine Learning detection for dropped file 10->47 process6 dnsIp7 23 146.70.87.230, 80 TENET-1ZA United Kingdom 12->23 25 gerer.at 175.126.109.15, 49784, 49790, 49799 SKB-ASSKBroadbandCoLtdKR Korea Republic of 12->25 27 7 other IPs or domains 12->27 17 C:\Users\user\AppData\Roaming\gwcsabc, PE32 12->17 dropped 19 C:\Users\user\...\gwcsabc:Zone.Identifier, ASCII 12->19 dropped 51 System process connects to network (likely due to code injection or exploit) 12->51 53 Benign windows process drops PE files 12->53 55 Deletes itself after installation 12->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->57 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e6449a25e997068ffc6be188e3e004ec7168ed4aada87396c4eddab0123ef7d/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-03-30 15:33:02 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzsetis6tfygr76gxymi4pqaj3drndwuvlnioolmj3o2wajd556q._file
Verdict:
malicious
Similar samples:
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
RedLineStealer
313c8bb887567806112d0755963632c1b6f66d9479965efae7ce39cd4738bc1a
RedLineStealer
687ca5a69fc193e08538b21f8b0aba4a279c75561873b45e71e3ce57721c815b
RedLineStealer
8999c280aca7419a8b6fe0be172723fb66f18fc1439fb2ffa463d9315b79535d
RedLineStealer
a63dbe18cf6ff766405f06066655fca8fcdf2bfe2a0147006d3d29ef00734fc4
RedLineStealer
f555d9e1f8a5f8f11db6c9e22262e2cf4e7b42b8f04d6c12423573394b1d78da
RedLineStealer
+ 14'089 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220524-y54z5sfge3/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://gerer.at/upload/
http://pass-finger.com/upload/
http://meet-ru.ru/upload/
http://elroisolutions.com/upload/
http://gebzetuning.com/upload/
http://les-pub.com/upload/
http://mordo.ru/upload/
http://pkodev.net/upload/
http://autocarsjames.com/upload/
https://ny-city-mall.com/search.php
https://fresh-cars.net/search.php
Unpacked files
SH256 hash:
af1ed8bc92f9ac26980e6ee5eb06a3cbaf1f0e90b55cf232979b3ae0c2cb521d
MD5 hash:
d7eb5c5999dbf529fae1e968a5bc7d1f
SHA1 hash:
a12a198153a73f97c259be4fef60fa907e950e60
Link:
https://www.unpac.me/results/1f6154d7-79b1-487f-a22d-4c4ec4969762/
SH256 hash:
5e6449a25e997068ffc6be188e3e004ec7168ed4aada87396c4eddab0123ef7d
MD5 hash:
60ebfd5340d6abc688dfab7d9bc22080
SHA1 hash:
2d21cf13aa2f536705f27c241c087cc976dfd49d
Link:
https://www.unpac.me/results/1f6154d7-79b1-487f-a22d-4c4ec4969762/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5e6449a25e99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e6449a25e997068ffc6be188e3e004ec7168ed4aada87396c4eddab0123ef7d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274291/

Comments