MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b8924763243c8a87fda3d4903d9c1a61d5fbf5677dc8e0bf2064202e7969e07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs 1 YARA File information Comments

SHA256 hash:	7b8924763243c8a87fda3d4903d9c1a61d5fbf5677dc8e0bf2064202e7969e07
SHA3-384 hash:	20bb2e0f04213bc203d73e850b42d9a9c5a382af1db2a9d0abd2d7befd974267f70a2fabe219be054ee36ce9901f001d
SHA1 hash:	1ec537652c3e2e3cd13811d2fca70f2d5abade59
MD5 hash:	bf4a47885e07edbaa479bcf96063c708
humanhash:	pluto-juliet-maryland-helium
File name:	1ec537652c3e2e3cd13811d2fca70f2d5abade59.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	244'736 bytes
First seen:	2021-09-25 10:15:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	42558e76cb0191e50d5255e5f863e8b9 (11 x RaccoonStealer, 5 x RedLineStealer, 2 x Stop)
ssdeep	6144:JHZQItUDBJiPT/u22H3s0KIjTyaeNcoF:xZiJiPLuG0KTNc
Threatray	4'626 similar samples on MalwareBazaar
TLSH	T1F6349E20AAA0C035F4F702F959BA93BCA93D7E719B3451CB62D616FE26346E49C30357
File icon (PE):
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.29:18087

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.29:18087	https://threatfox.abuse.ch/ioc/226441/

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1ec537652c3e2e3cd13811d2fca70f2d5abade59.exe

Verdict:

No threats detected

Analysis date:

2021-09-25 10:18:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8928b135-5d2e-4444-92cc-519e198b7b7e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/191500/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.22696.UNOFFICIAL

Win.Malware.Raccoon-9894356-1

Win.Malware.Generic-9894375-0

Win.Malware.Raccoon-9894475-1

Win.Packed.Fragtor-9894476-0

Win.Packed.Fragtor-9894751-0

Win.Packed.Fragtor-9895216-0

Win.Packed.Fragtor-9895692-0

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec98b9e7-f7a3-43af-9ef1-808d8efe71b1

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/857935

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7b8924763243c8a87fda3d4903d9c1a61d5fbf5677dc8e0bf2064202e7969e07/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2021-09-21 04:11:00 UTC

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=poesi5rsipekq762hveqhwobuyov7p2wo7oi4c7sazbafz4wtydq._file

Verdict:

malicious

RedLineStealer

090b8a9479907e3aa9b258d877556493fd7045c686ea24b4132da82c46c40c71

RedLineStealer

296cb7c456c55688de080e9940722307f1ee92acbfec61696e21ec985794a3ff

RedLineStealer

5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96

RedLineStealer

9f154115fa8045aa05f15f7cd1de9623ebe32e8ea400279ecb5dfa3596952e3b

RedLineStealer

b7915e2c423abfd40c013439cc726587a44fc207696637b2a431abce68963dd4

RedLineStealer

e0caf6fb02b0ef2bd64b0e04e1793a502b4a3b350a5be41c1baea88842530383

RedLineStealer

edf6beb88780fb3085332f843b73418f52bbf095265dad631cf8e187644cb565

RedLineStealer

+ 4'616 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/210925-mat1xabba3/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/

Unpacked files

SH256 hash:

e713021c1392f7af202ab8ab41ca50bac44278e4bc561faade62d5b3b5b90014

MD5 hash:

576557a59d0948d2851afa208c238c65

SHA1 hash:

2e00eb11bc23605a6ba4d6dd18ce33c98be571c6

Link:

https://www.unpac.me/results/53c02536-30b8-4c69-9d04-2d29334cb98a/

SH256 hash:

7b8924763243c8a87fda3d4903d9c1a61d5fbf5677dc8e0bf2064202e7969e07

MD5 hash:

bf4a47885e07edbaa479bcf96063c708

SHA1 hash:

1ec537652c3e2e3cd13811d2fca70f2d5abade59

Link:

https://www.unpac.me/results/53c02536-30b8-4c69-9d04-2d29334cb98a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7b8924763243/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7b8924763243c8a87fda3d4903d9c1a61d5fbf5677dc8e0bf2064202e7969e07

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191500/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample