MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f
SHA3-384 hash: e865a10703e103085190148ac3871de0a91ae0ad33c563fa60dadaff6fd5be982013cf2c252d57b024366fa6463d0f11
SHA1 hash: f3e487886630e0729fb4b4967cd11c2ee0daa989
MD5 hash: 0d7eb2137c2d696071df27cc6a601a5a
humanhash: pip-indigo-william-william
File name:7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:30'801 bytes
First seen:2022-09-02 21:20:32 UTC
Last seen:2022-09-02 21:38:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:8t6+ztmVfbHmHS8/ckpKd75wiqjUKPO6AAb3vM8pYwA:2ztmJbHmHT/zKdVwigUAAK3qw
TLSH T1EED2BF93CD202CB7F75172B304A22A527726E4721C41EB5AC4728A7E64F2C994673B7F
TrID 42.6% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
18.9% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
0.2% (.VXD) VXD Driver (29/21)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
216.52.57.15:38185

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
216.52.57.15:38185 https://threatfox.abuse.ch/ioc/847528/

Intelligence

File Origin
# of uploads :
2
# of downloads :
478
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
Verdict:
Suspicious activity
Analysis date:
2022-09-02 21:21:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6608ddc0-b6e4-4b06-9c90-6d57b3eeb131

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307529/
Detection(s):
SecuriteInfo.com.Variant.Ser.Razy.7042.30473.8696.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Reading critical registry keys
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed razy smokeloader
Link:
https://www.filescan.io/uploads/631273fcf34f3fec9d76f819/reports/badd47e4-bd59-4007-8379-d5bc8e122068/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e7f2e9ac-91b8-4878-a2b8-0d304b85a99f
Result
Threat name:
Cryptolocker, Globeimposter, RedLine, Sm
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1064371
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found ransom note / readme
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Cryptolocker ransomware
Yara detected Generic Downloader
Yara detected Globeimposter Ransomware
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 696897 Sample: 7FA0FC4B901FF3BB9002F33B4A7... Startdate: 02/09/2022 Architecture: WINDOWS Score: 100 88 Snort IDS alert for network traffic 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for URL or domain 2->92 94 12 other signatures 2->94 9 7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe 2->9         started        12 ejdshhi 2->12         started        process3 signatures4 118 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->118 120 Maps a DLL or memory area into another process 9->120 122 Checks if the current machine is a virtual machine (disk enumeration) 9->122 124 Creates a thread in another existing process (thread injection) 9->124 14 explorer.exe 5 15 9->14 injected 126 Antivirus detection for dropped file 12->126 128 Multi AV Scanner detection for dropped file 12->128 130 Machine Learning detection for dropped file 12->130 process5 dnsIp6 74 akmedia.in 192.185.150.20, 49746, 49752, 80 UNIFIEDLAYER-AS-1US United States 14->74 76 panel.clientarea.host 167.88.170.23, 49748, 49753, 80 PONYNETUS United States 14->76 78 onlinejamsessions.com 188.40.49.47, 49754, 49755, 49758 HETZNER-ASDE Germany 14->78 64 C:\Users\user\AppData\Roaming\ejdshhi, PE32 14->64 dropped 66 C:\Users\user\AppData\Local\TempA4F.exe, PE32 14->66 dropped 68 C:\Users\user\AppData\Local\Temp02D.exe, PE32 14->68 dropped 70 5 other malicious files 14->70 dropped 80 System process connects to network (likely due to code injection or exploit) 14->80 82 Benign windows process drops PE files 14->82 84 Injects code into the Windows Explorer (explorer.exe) 14->84 86 3 other signatures 14->86 19 EA4F.exe 1 14->19         started        22 5AE7.exe 14->22         started        25 47E9.exe 1 14->25         started        27 7 other processes 14->27 file7 signatures8 process9 file10 96 Machine Learning detection for dropped file 19->96 98 Writes to foreign memory regions 19->98 100 Allocates memory in foreign processes 19->100 29 vbc.exe 1 19 19->29         started        42 C:\Users\user\AppData\Local\5AE7.exe, PE32 22->42 dropped 44 C:\Users\user\Desktop\LFOPODGVOH.docx, data 22->44 dropped 46 C:\Users\Public\Documents\readme.txt, data 22->46 dropped 102 Antivirus detection for dropped file 22->102 104 Multi AV Scanner detection for dropped file 22->104 106 Modifies existing user documents (likely ransomware behavior) 22->106 108 Injects a PE file into a foreign processes 25->108 33 vbc.exe 25->33         started        48 C:\Users\user\Documents\...\readme.txt, data 27->48 dropped 50 C:\Users\user\Desktop\LIJDSFKJZG.xlsx, data 27->50 dropped 52 C:\Users\user\...\BWDRWEEARI.png.r2u (copy), COM 27->52 dropped 54 C:\Users\user\Downloads\BWDRWEEARI.png, COM 27->54 dropped 110 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->110 112 Tries to steal Mail credentials (via file / registry access) 27->112 114 Tries to harvest and steal browser information (history, passwords, etc) 27->114 116 Contains functionality to detect sleep reduction / modifications 27->116 35 vbc.exe 27->35         started        37 conhost.exe 27->37         started        signatures11 process12 file13 56 C:\Users\user\Desktop\IZMFBFKMEB.mp3, data 29->56 dropped 58 C:\Users\Public\Libraries\readme.txt, data 29->58 dropped 60 C:\Users\Public\AccountPictures\readme.txt, data 29->60 dropped 62 C:\Users\user\AppData\Local\vbc.exe, PE32 29->62 dropped 132 Modifies existing user documents (likely ransomware behavior) 29->132 39 WerFault.exe 3 10 35->39         started        signatures14 process15 dnsIp16 72 192.168.2.1 unknown unknown 39->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2022-08-29 20:34:55 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6qpys4qd7z3xeac6m5uu7ykagxpcdzwzaye2jwnx4etjkp5qfxq._file
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:globeimposter family:redline family:smokeloader botnet:0025 backdoor infostealer persistence ransomware trojan
Link:
https://tria.ge/reports/220902-z7bbaacdhn/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
Modifies extensions of user files
Detects Smokeloader packer
GlobeImposter
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
216.52.57.15:38185
Unpacked files
SH256 hash:
7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f
MD5 hash:
0d7eb2137c2d696071df27cc6a601a5a
SHA1 hash:
f3e487886630e0729fb4b4967cd11c2ee0daa989
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/85e7f794-bc5e-443d-8b84-2683f0aa0b6d/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7fa0fc4b901f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.32
Link:
https://yomi.yoroi.company/submissions/7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/307529/

Comments