MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89d1cdba0f70d4e8e7d0864b377c1c32ac84f053f3c0e4d942476ad59d996c0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89d1cdba0f70d4e8e7d0864b377c1c32ac84f053f3c0e4d942476ad59d996c0f
SHA3-384 hash: 7fc9d6ff413794ccfb6d3f1de258b39dc8111d90634f3d155d5e5a4fd4b79466b2ac7d71370df8ac37d150a336b2ad85
SHA1 hash: 23eb72cba95c4fb627beb02efdbbebde6863a60f
MD5 hash: c4d77784ddfc0e376b6cb6fa654a4f8d
humanhash: juliet-november-maryland-texas
File name:c4d77784ddfc0e376b6cb6fa654a4f8d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:298'496 bytes
First seen:2022-03-22 19:42:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6bd64b13624a27b70b577055bad87689 (3 x RedLineStealer, 2 x Stop)
ssdeep 6144:Qq42iWma16ciqd4KG2Qx1FzU7tuLhXkDeLYim9tzoP8:FiWma1JdBBq9Uput0CLY19ty8
Threatray 176 similar samples on MalwareBazaar
TLSH T15F549E40B7A0D03DE1B712F8B976D3ACA52E79A05B24A1CF62D52BEE16342D0EC75347
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
142.132.184.130:15150

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
142.132.184.130:15150 https://threatfox.abuse.ch/ioc/439505/

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255182/
Detection(s):
Win.Dropper.Generickdz-9939781-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10563/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/623a26e4dfdfa8501cce5b52/reports/bf7d3475-5c45-4041-a9e8-355b8b8f2dca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49c00bf1-1516-40aa-b228-ead52a2c1022
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961990
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89d1cdba0f70d4e8e7d0864b377c1c32ac84f053f3c0e4d942476ad59d996c0f/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-03-20 00:39:36 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
33 of 42 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhi43oqpodkorz6qqzfto7a4gkwij4ct6paojwkci5vnlhmznqhq._file
Verdict:
malicious
Similar samples:
0d8e031c65e57c9924aa28bb61871e136c52cc522e8b247d504808ae93d779a4
RedLineStealer
2631bb84e6e34dd72aca532864d09e51d161c687ae3f5e495c16a2fded1213aa
RedLineStealer
81ec5293c1be63d2bdb173f258830914b3dfd094159211f1703b4666eeca1cbc
RedLineStealer
ac0dea39e31162e552ee9ff40052c5e7e985dd55f065321fbe54e3fc1cc7fb82
RedLineStealer
edc39f88a7ef54af6e85f67335c07e6c782a4c0b63b37babff3dc4aa014eb7ac
RedLineStealer
+ 166 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor discovery spyware stealer suricata trojan
Link:
https://tria.ge/reports/220322-ye8weadhbj/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://coralee.at/upload/
http://ducvietcao.com/upload/
http://biz-acc.ru/upload/
http://toimap.com/upload/
http://bbb7d.com/upload/
http://piratia-life.ru/upload/
http://curvreport.com/upload/
http://viagratos.com/upload/
http://mordo.ru/upload/
http://pkodev.net/upload/
Unpacked files
SH256 hash:
62ca52b62339a8f96855c150d8d9cb0aca0ba998200111e8a44aaf399c3fdcab
MD5 hash:
d51a93b9ad236dc9b151c9f02fdbb646
SHA1 hash:
8865942793663d04bc55246c158cc5d96e8efdb8
Link:
https://www.unpac.me/results/1d6c29d9-7adb-4e8d-95ac-dfcc8c8b8f8f/
Parent samples :
d372df2f0b72e4bde91c57cb6c5cdd6f39486c68cb5cd26fa3aaf6a403bc0b66
b12d171c3a13bd3e9ded2a8c6c6c3a9303610df03ba52fa274f7f75a04b66efa
d3366535f78da4fa4b13d134260a27cad97a30c7b2de25387158077ba29b394f
35d7e3bb4439ad5252c87cbe81d7626aa72accd719ff4af346964b74ac34a689
16267071c251784aeebe5d562dfd58bfbc0a0767a85ebc5863025bc74a69d339
SH256 hash:
89d1cdba0f70d4e8e7d0864b377c1c32ac84f053f3c0e4d942476ad59d996c0f
MD5 hash:
c4d77784ddfc0e376b6cb6fa654a4f8d
SHA1 hash:
23eb72cba95c4fb627beb02efdbbebde6863a60f
Link:
https://www.unpac.me/results/1d6c29d9-7adb-4e8d-95ac-dfcc8c8b8f8f/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/89d1cdba0f70/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89d1cdba0f70d4e8e7d0864b377c1c32ac84f053f3c0e4d942476ad59d996c0f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/255182/

Comments