MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81af0d37d9a8441b0ef5bd86488925b0154fe2d1c36a8db7783117889f73f0e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81af0d37d9a8441b0ef5bd86488925b0154fe2d1c36a8db7783117889f73f0e1
SHA3-384 hash: 3e3db046b606010b4c49cfd2c5c230aaf2bda7a3712dc2d58ec17cb118fef39d553d4677ef1a22e9736edabebd45f08f
SHA1 hash: a381679a0f402ecd529bd1710c4c0471e0b74a14
MD5 hash: 126d098cc8409b6511c12225649dbc6d
humanhash: edward-mountain-wyoming-comet
File name:126d098cc8409b6511c12225649dbc6d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:184'832 bytes
First seen:2021-10-30 06:36:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9091a811693b0e7097b5e88c505c279e (4 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 3072:qIvDPOMh67JE5wHPol5i2czbvVBNmGyWTFPWrxpzbgqru:lvD5hiE6vori3vDwWZuzbgwu
Threatray 2'396 similar samples on MalwareBazaar
TLSH T10E04AF3432DDC471D5A7193C4861C6A15A3ABC62EA71C58B3B942B2D1F70FCC4AE639E
File icon (PE):PE icon
dhash icon fcfcf4d4d4d4d8c8 (12 x RedLineStealer, 9 x RaccoonStealer, 2 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://91.219.236.97/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.97/ https://threatfox.abuse.ch/ioc/239602/

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
126d098cc8409b6511c12225649dbc6d.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-30 06:56:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1ef37142-f2fa-409c-b884-bcf7a14aaadf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.17112.12844.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ba89735-3d71-4b24-bf24-8c23396a540d
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879715
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL reload attack detected
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 512148 Sample: pAjlqBTFRL.exe Startdate: 30/10/2021 Architecture: WINDOWS Score: 100 87 nusurtal4f.net 2->87 89 gkxnrOkGCjCIGdqgxFn.gkxnrOkGCjCIGdqgxFn 2->89 105 Multi AV Scanner detection for domain / URL 2->105 107 Antivirus detection for URL or domain 2->107 109 Multi AV Scanner detection for dropped file 2->109 111 6 other signatures 2->111 11 pAjlqBTFRL.exe 2->11         started        14 grfcjta 2->14         started        16 grfcjta 2->16         started        signatures3 process4 signatures5 121 Contains functionality to inject code into remote processes 11->121 123 Injects a PE file into a foreign processes 11->123 18 pAjlqBTFRL.exe 11->18         started        125 Multi AV Scanner detection for dropped file 14->125 127 Machine Learning detection for dropped file 14->127 21 grfcjta 14->21         started        129 Sample uses process hollowing technique 16->129 process6 signatures7 97 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->97 99 Maps a DLL or memory area into another process 18->99 101 Checks if the current machine is a virtual machine (disk enumeration) 18->101 103 Creates a thread in another existing process (thread injection) 18->103 23 explorer.exe 14 18->23 injected process8 dnsIp9 91 216.128.137.31, 80 AS-CHOOPAUS United States 23->91 93 sysaheu90.top 85.143.173.97, 49754, 49755, 49756 TRADERSOFTRU Russian Federation 23->93 95 4 other IPs or domains 23->95 65 C:\Users\user\AppData\Roaming\grfcjta, PE32 23->65 dropped 67 C:\Users\user\AppData\Roaming\affcjta, PE32 23->67 dropped 69 C:\Users\user\AppData\Local\Temp\7332.exe, PE32 23->69 dropped 71 8 other malicious files 23->71 dropped 113 System process connects to network (likely due to code injection or exploit) 23->113 115 Benign windows process drops PE files 23->115 117 Deletes itself after installation 23->117 119 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->119 28 31C1.exe 1 23->28         started        32 1AAD.exe 21 6 23->32         started        35 3E25.exe 23->35         started        37 4 other processes 23->37 file10 signatures11 process12 dnsIp13 75 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 28->75 dropped 131 Multi AV Scanner detection for dropped file 28->131 133 DLL reload attack detected 28->133 135 Detected unpacking (changes PE section rights) 28->135 151 3 other signatures 28->151 81 cdn.discordapp.com 162.159.130.233, 443, 49776, 49780 CLOUDFLARENETUS United States 32->81 77 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 32->77 dropped 137 Machine Learning detection for dropped file 32->137 139 Writes to foreign memory regions 32->139 141 Allocates memory in foreign processes 32->141 153 2 other signatures 32->153 39 AdvancedRun.exe 32->39         started        41 powershell.exe 32->41         started        43 SMSvcHost.exe 32->43         started        143 Injects a PE file into a foreign processes 35->143 45 3E25.exe 35->45         started        83 93.115.20.139, 28978, 49855 MVPShttpswwwmvpsnetEU Romania 37->83 85 162.159.134.233, 443, 49786, 49818 CLOUDFLARENETUS United States 37->85 79 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 37->79 dropped 145 Uses schtasks.exe or at.exe to add and modify task schedules 37->145 147 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->147 149 Maps a DLL or memory area into another process 37->149 48 cmd.exe 37->48         started        50 at.exe 37->50         started        52 AdvancedRun.exe 37->52         started        file14 signatures15 process16 signatures17 54 AdvancedRun.exe 39->54         started        56 conhost.exe 41->56         started        155 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 45->155 157 Maps a DLL or memory area into another process 45->157 159 Checks if the current machine is a virtual machine (disk enumeration) 45->159 161 Creates a thread in another existing process (thread injection) 45->161 163 Drops PE files with a suspicious file extension 48->163 58 cmd.exe 48->58         started        61 conhost.exe 48->61         started        63 conhost.exe 50->63         started        process18 file19 73 C:\Users\user\AppData\Local\...\Hai.exe.com, PE32 58->73 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81af0d37d9a8441b0ef5bd86488925b0154fe2d1c36a8db7783117889f73f0e1/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-30 06:37:13 UTC
AV detection:
21 of 44 (47.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qgxq2n6zvbcbwdxvxwdercjfwaku7ywrynvi3n3ygelyrh3t6dqq._file
Verdict:
malicious
Similar samples:
2d21d56c6e2bb7643be411747eabf7c9eaf5316a1520e3a84f1363c53075d87c
RedLineStealer
2d94674cf3ddc45854de41ae7793f56a7053c10047f4503ce385a3bdbb737894
RedLineStealer
3979d23a3063637781dfab14f6f83534dd635bff59aaf372b4d4e7d1f24938dc
RedLineStealer
73b55aa960fdd55ead8274bfcfbb63fa919e67ef534b825196d8864a243a40dd
RedLineStealer
96c8b3ebbf0c015414e7a27a128dce9a4e4fc7c926904884fd16036c9afdd413
RedLineStealer
fdb8321fe5919f80f19b679e4f918e707713cf52f734d0815e27a52f7cc19d50
RedLineStealer
+ 2'386 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:68e2d75238f7c69859792d206401b6bde2b2515c botnet:936 botnet:999888988 botnet:9b47742e621d3b0f1b0b79db6ed26e2c33328c05 botnet:superstar agilenet backdoor collection discovery evasion infostealer spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/211030-hdgsjabcen/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Themida packer
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Nirsoft
Vidar Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://193.56.146.214/
https://193.56.146.214/
93.115.20.139:28978
185.215.113.29:36224
https://mas.to/@lilocc
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/b0ba48f2-4da9-4085-9c89-b5a31e4882c1/
SH256 hash:
81af0d37d9a8441b0ef5bd86488925b0154fe2d1c36a8db7783117889f73f0e1
MD5 hash:
126d098cc8409b6511c12225649dbc6d
SHA1 hash:
a381679a0f402ecd529bd1710c4c0471e0b74a14
Link:
https://www.unpac.me/results/b0ba48f2-4da9-4085-9c89-b5a31e4882c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81af0d37d9a8441b0ef5bd86488925b0154fe2d1c36a8db7783117889f73f0e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 81af0d37d9a8441b0ef5bd86488925b0154fe2d1c36a8db7783117889f73f0e1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download

Comments