MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72049b20ca0a154341e57f40ba27f394f1bc5ee56b70ac729fe9e13d5b170633. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72049b20ca0a154341e57f40ba27f394f1bc5ee56b70ac729fe9e13d5b170633
SHA3-384 hash: f213453d8b74e86298988596243576d05970821c2051c3fe93ce09af88cd6e086c313c4a62d0ff7a04da7c5cd3c6fdf4
SHA1 hash: 631e9af9bc83c7e41b82eb7d3cf6aa036a238dca
MD5 hash: b20826ed6a63bbd1eae04fe042fb5c6e
humanhash: hawaii-idaho-diet-stairway
File name:b20826ed6a63bbd1eae04fe042fb5c6e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:315'392 bytes
First seen:2022-07-17 07:20:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d402223c1c399d65c68ec4ec74929f01 (4 x Smoke Loader, 2 x RedLineStealer)
ssdeep 6144:/w8w8m4S8WczndZmaNK7nu3Xl8WutnMWqumz98cbSyGWqZJat2:oHDO7TtNK7nu3XytMW+58c7qZc
Threatray 4'824 similar samples on MalwareBazaar
TLSH T1EE648E00BB90D035F5F712F44AB99279B93D7EA0672851CB62E52AEE57346E0EC3134B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 25ac1378319b9b91 (29 x Amadey, 24 x Smoke Loader, 14 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
92.53.127.217:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.53.127.217:80 https://threatfox.abuse.ch/ioc/838230/

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291286/
Detection(s):
Win.Packed.Crypterx-9954995-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26467/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18d7a332-2546-4c17-a8cd-39b4821661f7
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1034513
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 667007 Sample: VMWzlasQDj.exe Startdate: 17/07/2022 Architecture: WINDOWS Score: 100 29 api.ip.sb 2->29 31 synchbrokers.asia 2->31 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 7 other signatures 2->51 8 VMWzlasQDj.exe 2->8         started        11 jgjacjh 2->11         started        signatures3 process4 signatures5 53 Detected unpacking (changes PE section rights) 8->53 55 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->55 57 Maps a DLL or memory area into another process 8->57 59 Creates a thread in another existing process (thread injection) 8->59 13 explorer.exe 4 8->13 injected 61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Checks if the current machine is a virtual machine (disk enumeration) 11->65 process6 dnsIp7 33 138.36.3.134, 49804, 49814, 49815 TEXNETSERVICOSDECOMUNICACAOEMINFORMATICALTDBR Brazil 13->33 35 115.88.24.203, 49799, 49808, 49812 LGDACOMLGDACOMCorporationKR Korea Republic of 13->35 37 5 other IPs or domains 13->37 23 C:\Users\user\AppData\Roaming\jgjacjh, PE32 13->23 dropped 25 C:\Users\user\AppData\Local\Temp\2EAF.exe, PE32 13->25 dropped 27 C:\Users\user\...\jgjacjh:Zone.Identifier, ASCII 13->27 dropped 67 System process connects to network (likely due to code injection or exploit) 13->67 69 Benign windows process drops PE files 13->69 71 Deletes itself after installation 13->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->73 18 2EAF.exe 2 13->18         started        21 conhost.exe 13->21         started        file8 signatures9 process10 signatures11 39 Detected unpacking (changes PE section rights) 18->39 41 Detected unpacking (overwrites its own PE header) 18->41 43 Machine Learning detection for dropped file 18->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72049b20ca0a154341e57f40ba27f394f1bc5ee56b70ac729fe9e13d5b170633/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-07-14 21:36:09 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
23 of 26 (88.46%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oicjwigkbikugqpfp5aluj7tsty3yxxfnnyky4u75hqt2wyxayzq._file
Verdict:
malicious
Similar samples:
46208bf1cbba615713b47d155f82e4b75b5d333cd0aaf78ab3484808f31d5508
RedLineStealer
7bd930935f5318bf8b9b0905536d0183a43a58100ea9af549dfcbe79417f3cc1
RedLineStealer
9542b24f1b9c2e97e1ee50aa168a5de141d4a1148b1c1e243b3df7df38f30725
RedLineStealer
c5c6d3e4815d6c5d57a1c0740a92f2aed80a19568838b828fc83e6187fb72068
RedLineStealer
c71196956045aca4d7099accbecf03611f6225cc6f4037b371fc35aa7ce910f0
RedLineStealer
d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06
RedLineStealer
d7cee5562a9a35e15365a8b2246a412048f445f2c8b278c824f5d738ddaf6e76
RedLineStealer
+ 4'814 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220717-h6n3bagfd4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
f6480db45d6a35a04394896df8c67ec365b3aa47c151e4dc4e33b3ddeaaf99bd
MD5 hash:
8fb69b11b56499930fcbfd94e51c92d5
SHA1 hash:
e7400f65a9d66c28af1410d4729bc0b9499612d3
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/3615a719-4e3a-40d5-b349-e4f9b11402b5/
Parent samples :
72049b20ca0a154341e57f40ba27f394f1bc5ee56b70ac729fe9e13d5b170633
a4a98a1f5d1241e6ff86df1a7ad314f6b4102479532699555f6199ddb7b5425e
f8ead10cd80934a84d94736726e5f3c2098731df934e5e0765bfedf1cd153201
SH256 hash:
72049b20ca0a154341e57f40ba27f394f1bc5ee56b70ac729fe9e13d5b170633
MD5 hash:
b20826ed6a63bbd1eae04fe042fb5c6e
SHA1 hash:
631e9af9bc83c7e41b82eb7d3cf6aa036a238dca
Link:
https://www.unpac.me/results/3615a719-4e3a-40d5-b349-e4f9b11402b5/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/72049b20ca0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72049b20ca0a154341e57f40ba27f394f1bc5ee56b70ac729fe9e13d5b170633

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291286/

Comments