MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70930e6d5c3cbc3b9d9cc5498fe0e61b36c98d40d11cd72dda38392ba14bef1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16



SHA256 hash: 70930e6d5c3cbc3b9d9cc5498fe0e61b36c98d40d11cd72dda38392ba14bef1c
SHA3-384 hash: d2bd95abe6421cb4c4e3154f07bd163038fa86163a2b69cc222443aba4a1e263048880b073505259dc145eec5d65b2b3
SHA1 hash: 29202376b1d2800060888522ce31924ad0803669
MD5 hash: 251d0387dde193c927a138c6d9e977a8
humanhash: island-carbon-angel-utah
File name: 251d0387dde193c927a138c6d9e977a8.exe
Signature: RedLineStealer
File size: 36'864 bytes
First seen: 2023-07-05 21:35:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 768:k6Qe+qUv8zcqdvOXA6XkPslJvGaVWaYPMp2B:k6H+qUv8zrvOXf9Je48yQ
Threatray: 370 similar samples on MalwareBazaar
TLSH: T1FAF2D0297788E1BEDCCF12B780C3A993467053C20456BEC8E4A18BAFD5C7F4453632A9
TrID: 45.6% (.SCR) Windows screen saver (13097/50/3)
      17.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.6% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.0% (.EXE) OS/2 Executable (generic) (2029/13)
      6.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: abuse_ch
Tags: exe, RedLineStealer


Comment from abuse_ch:
RedLineStealer C2:
77.91.68.70:19073

Intelligence


File Origin
# of uploads: 1
# of downloads: 340
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 251d0387dde193c927a138c6d9e977a8.exe
Verdict: Malicious activity
Analysis date: 2023-07-05 21:36:46 UTC
Tags: loader smoke trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connecting to a non-recommended domain
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, RedLine, SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID: 1267622; sample: oY7XIITr1l.exe; start date: 05/07/2023; architecture: WINDOWS; score: 100)

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 20 other signatures

Process tree, with dropped files, network contacts and signatures listed under the process they belong to:

oY7XIITr1l.exe
    signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
    explorer.exe (injected)
        network: 77.91.68.157 ports 49705, 49707, 80 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 77.91.68.29 ports 49704, 49706, 49708 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 2 other IPs or domains
        dropped: C:\Users\user\AppData\Roaming\svcrcsd (PE32); C:\Users\user\AppData\Local\Temp\CA35.exe (PE32); C:\Users\user\AppData\Local\Temp\9CA0.exe (PE32); 2 other malicious files
        signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
        CA35.exe
            dropped: C:\Users\user\AppData\Local\...\x7866386.exe (PE32); C:\Users\user\AppData\Local\...\i8741918.exe (PE32)
            signatures: Machine Learning detection for dropped file
            x7866386.exe
                dropped: C:\Users\user\AppData\Local\...\g6313829.exe (PE32); C:\Users\user\AppData\Local\...\f2257853.exe (PE32)
                signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                g6313829.exe
                    dropped: C:\Users\user\AppData\Local\...\rugen.exe (PE32)
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    rugen.exe
                        network: 77.91.68.63 ports 49713, 49714, 49715 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation)
                        dropped: C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\clip64[1].dll (PE32)
                        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 2 other signatures
                        cmd.exe
                            conhost.exe
                            cmd.exe
                            cacls.exe
                            4 other processes
                        schtasks.exe
                            conhost.exe
                        rundll32.exe
                f2257853.exe
                    network: 77.91.68.70 ports 19073, 49711, 49712 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation)
                    conhost.exe
            i8741918.exe
            conhost.exe
        384D.exe
            dropped: C:\Users\user\AppData\Local\...\y8974170.exe (PE32); C:\Users\user\AppData\Local\...\n2844550.exe (PE32)
            y8974170.exe
                dropped: C:\Users\user\AppData\Local\...\l8821624.exe (PE32); C:\Users\user\AppData\Local\...\k3330326.exe (PE32)
                l8821624.exe
                    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
                    conhost.exe
                k3330326.exe
                    conhost.exe
            n2844550.exe
                signatures: Multi AV Scanner detection for dropped file
            conhost.exe
        9CA0.exe
            dropped: C:\Users\user\AppData\Local\Temp\m_ET.cpl (PE32)
            control.exe
                rundll32.exe
                    signatures: Tries to detect sandboxes / dynamic malware analysis system (file name check)
                    rundll32.exe
                        rundll32.exe
                            signatures: Tries to detect sandboxes / dynamic malware analysis system (file name check)
svcrcsd
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
svcrcsd
    signatures: Creates a thread in another existing process (thread injection)
4 other processes
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2023-07-03 13:54:23 UTC
File Type: PE (Exe)
AV detection: 30 of 36 (83.33%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:amadey family:redline family:smokeloader botnet:furod backdoor discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Windows security modification
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Amadey
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.68.70:19073
77.91.68.63/doma/net/index.php
Unpacked files
SHA256 hash: 70930e6d5c3cbc3b9d9cc5498fe0e61b36c98d40d11cd72dda38392ba14bef1c
MD5 hash: 251d0387dde193c927a138c6d9e977a8
SHA1 hash: 29202376b1d2800060888522ce31924ad0803669
Detections: SmokeLoaderStage2 win_smokeloader_a2
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments