MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8245ad87eea6a1f19f658adef8a30b9a512760d866b7075bbf205d7a54296234. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8245ad87eea6a1f19f658adef8a30b9a512760d866b7075bbf205d7a54296234
SHA3-384 hash: 42320f98074ccbbeca190085f0188c6229cf602d53a43b0e5768f16fbda59cf2c15ecc5e213d3ee599b1f0c20b6fe8d9
SHA1 hash: 552aa072522f22a003cadd3bcad5e4eb981a5cbb
MD5 hash: 3b947ed5aabdd775b1afc31a5c4d39a0
humanhash: william-indigo-fifteen-moon
File name:3b947ed5aabdd775b1afc31a5c4d39a0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:344'064 bytes
First seen:2021-10-29 18:22:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5243e0b7a8cb0f582099146f832c26e4 (4 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 6144:O0kWD+3Pz81AwPC4BVZ2LGuSoGZkk4mAzaV/:JZD+/CO4ULGuShkk4m1V/
Threatray 2'200 similar samples on MalwareBazaar
TLSH T144748D10A7A1C035F4B212F889BA9369B53F7EA1AB3490CF13D516EA4774AE1EC31357
File icon (PE):PE icon
dhash icon b2dacabecee6baa2 (33 x RedLineStealer, 30 x Smoke Loader, 28 x Stop)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://91.219.236.97/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.97/ https://threatfox.abuse.ch/ioc/239602/

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3b947ed5aabdd775b1afc31a5c4d39a0.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-29 18:30:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a5a1f12-7002-4b80-b60e-f387134bddd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef9e5575-83b4-4b5e-a50e-276876835e69
Result
Threat name:
Amadey Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879523
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL reload attack detected
Early bird code injection technique detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511954 Sample: 25Kf6vSBoq.exe Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 67 91.219.236.97, 49812, 80 SERVERASTRA-ASHU Hungary 2->67 69 toptelete.top 172.67.160.46, 49811, 80 CLOUDFLARENETUS United States 2->69 71 4 other IPs or domains 2->71 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Antivirus detection for URL or domain 2->81 83 Antivirus detection for dropped file 2->83 85 13 other signatures 2->85 10 25Kf6vSBoq.exe 2->10         started        12 irjbuft 2->12         started        signatures3 process4 signatures5 15 25Kf6vSBoq.exe 10->15         started        103 Multi AV Scanner detection for dropped file 12->103 105 Machine Learning detection for dropped file 12->105 18 irjbuft 12->18         started        process6 signatures7 133 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->133 135 Maps a DLL or memory area into another process 15->135 137 Checks if the current machine is a virtual machine (disk enumeration) 15->137 139 Creates a thread in another existing process (thread injection) 15->139 20 explorer.exe 18 15->20 injected 25 DF9C.exe 15->25         started        process8 dnsIp9 73 216.128.137.31, 80 AS-CHOOPAUS United States 20->73 75 sysaheu90.top 185.98.87.159, 49747, 49748, 49749 VM-HOSTINGRU Russian Federation 20->75 77 3 other IPs or domains 20->77 43 C:\Users\user\AppData\Roaming\irjbuft, PE32 20->43 dropped 45 C:\Users\user\AppData\Roaming\fijbuft, PE32 20->45 dropped 47 C:\Users\user\AppData\Roaming\ffjbuft, PE32 20->47 dropped 51 10 other malicious files 20->51 dropped 87 System process connects to network (likely due to code injection or exploit) 20->87 89 Benign windows process drops PE files 20->89 91 Deletes itself after installation 20->91 93 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->93 27 CD0D.exe 1 20->27         started        31 6EC5.exe 20->31         started        33 B82B.exe 21 6 20->33         started        36 4 other processes 20->36 49 C:\Users\user\AppData\Local\...\sqtvvs.exe, PE32 25->49 dropped file10 signatures11 process12 dnsIp13 53 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 27->53 dropped 107 Multi AV Scanner detection for dropped file 27->107 109 DLL reload attack detected 27->109 111 Detected unpacking (changes PE section rights) 27->111 127 4 other signatures 27->127 113 Machine Learning detection for dropped file 31->113 115 Contains functionality to inject code into remote processes 31->115 117 Injects a PE file into a foreign processes 31->117 38 6EC5.exe 31->38         started        59 cdn.discordapp.com 162.159.135.233, 443, 49773, 49774 CLOUDFLARENETUS United States 33->59 61 192.168.2.1 unknown unknown 33->61 55 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 33->55 dropped 119 Writes to foreign memory regions 33->119 121 Allocates memory in foreign processes 33->121 129 2 other signatures 33->129 41 AdvancedRun.exe 33->41         started        63 93.115.20.139, 28978, 49818 MVPShttpswwwmvpsnetEU Romania 36->63 65 162.159.129.233, 443, 49778 CLOUDFLARENETUS United States 36->65 57 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 36->57 dropped 123 Antivirus detection for dropped file 36->123 125 Early bird code injection technique detected 36->125 131 2 other signatures 36->131 file14 signatures15 process16 signatures17 95 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->95 97 Maps a DLL or memory area into another process 38->97 99 Checks if the current machine is a virtual machine (disk enumeration) 38->99 101 Creates a thread in another existing process (thread injection) 38->101
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8245ad87eea6a1f19f658adef8a30b9a512760d866b7075bbf205d7a54296234/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-29 18:23:06 UTC
AV detection:
20 of 44 (45.45%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qjc23b7ou2q7dh3frlppriyltjisoygym23qow57eboxuvbjmi2a._file
Verdict:
malicious
Similar samples:
033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a
RedLineStealer
555fd11933a1bb3a71714e1c234cdeaf7ea3c614f24eebec3786fb61cb3b5b5e
RedLineStealer
58cac1dad224e9c26dd2017c25b184c7e688ae127310ba2f10b1fd2e1b6c3fa3
RedLineStealer
bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73
RedLineStealer
c3f8d6b3e497471cc5e1526d59f7068f0655704f98dca59d79a77b81f1cb7fd5
RedLineStealer
f3fc38ead9aae7ffdb533c056bcc93f6db5cbf153ac9cd8673945535288af947
RedLineStealer
+ 2'190 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:raccoon family:redline family:smokeloader family:vidar botnet:68e2d75238f7c69859792d206401b6bde2b2515c botnet:706 botnet:754 botnet:936 botnet:999888988 botnet:9b47742e621d3b0f1b0b79db6ed26e2c33328c05 botnet:z0rm1on agilenet backdoor collection discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/211029-w1fqmsdgh9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Amadey
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://193.56.146.214/
https://193.56.146.214/
https://mas.to/@lilocc
93.115.20.139:28978
185.215.113.45/g4MbvE/index.php
185.215.113.94:15564
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/00fc2c2f-d498-4f42-b177-26f91401e5d1/
SH256 hash:
8245ad87eea6a1f19f658adef8a30b9a512760d866b7075bbf205d7a54296234
MD5 hash:
3b947ed5aabdd775b1afc31a5c4d39a0
SHA1 hash:
552aa072522f22a003cadd3bcad5e4eb981a5cbb
Link:
https://www.unpac.me/results/00fc2c2f-d498-4f42-b177-26f91401e5d1/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8245ad87eea6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8245ad87eea6a1f19f658adef8a30b9a512760d866b7075bbf205d7a54296234

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8245ad87eea6a1f19f658adef8a30b9a512760d866b7075bbf205d7a54296234

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download

Comments