MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a0c92492986fc6dde9450672a3f76d05beee65f95b997a7866c7bba341bbaa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a0c92492986fc6dde9450672a3f76d05beee65f95b997a7866c7bba341bbaa2
SHA3-384 hash: eeb984bb024f3ddd91736526fd0e6da2044dee0507bb95dd0e67a6abf7dbef1ac24dc7104966a6b89e9c66591fe4a915
SHA1 hash: 3dc826b1bf737364bfc0bbc665b89b306e06e5d6
MD5 hash: 1e90d4583252fab21abf7d5f9b8ec294
humanhash: india-solar-bacon-burger
File name:1e90d4583252fab21abf7d5f9b8ec294.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:154'624 bytes
First seen:2021-08-20 14:05:38 UTC
Last seen:2021-08-20 15:11:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a84fa8c5c9d81b30cf439f0d2b7f422b (7 x RedLineStealer, 4 x RaccoonStealer, 2 x Smoke Loader)
ssdeep 3072:egPcX4tcj3sNj25RkJ4q8FZ83zgFnLmx:w7Ex08DgFnL
Threatray 5'507 similar samples on MalwareBazaar
TLSH T1D1E3BE11B9F0C772C15635314871CAA01679B9616EA8B6073F7F337D1F622C0DA2AFA6
dhash icon 1072c292b0381902 (5 x RaccoonStealer, 3 x RedLineStealer, 1 x CryptBot)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://45.140.147.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.140.147.35/ https://threatfox.abuse.ch/ioc/192382/
51.254.68.139:8067 https://threatfox.abuse.ch/ioc/192437/
65.21.141.215:8374 https://threatfox.abuse.ch/ioc/192438/

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1e90d4583252fab21abf7d5f9b8ec294.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-20 14:07:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b35d93f-4d6c-4ae9-8a3d-acc1eb8cbf79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180957/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.9685.17896.15740.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a process from a recently created file
Sending a UDP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7160ee0-dd63-4b99-9f04-306a43568c49
Result
Threat name:
Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836454
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 468887 Sample: ibnx3M5J8m.exe Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 54 readinglistforaugust1.xyz 2->54 56 api.ip.sb 2->56 66 Antivirus detection for URL or domain 2->66 68 System process connects to network (likely due to code injection or exploit) 2->68 70 Multi AV Scanner detection for dropped file 2->70 72 14 other signatures 2->72 10 ibnx3M5J8m.exe 2->10         started        13 jgfuise 2->13         started        signatures3 process4 signatures5 100 Detected unpacking (changes PE section rights) 10->100 15 ibnx3M5J8m.exe 10->15         started        102 Multi AV Scanner detection for dropped file 13->102 104 Machine Learning detection for dropped file 13->104 18 jgfuise 13->18         started        process6 signatures7 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->106 108 Maps a DLL or memory area into another process 15->108 110 Checks if the current machine is a virtual machine (disk enumeration) 15->110 20 explorer.exe 17 15->20 injected 112 Creates a thread in another existing process (thread injection) 18->112 process8 dnsIp9 58 readinglistforaugust1.xyz 95.213.224.6, 49721, 49728, 49733 SELECTELRU Russian Federation 20->58 60 192.168.2.1 unknown unknown 20->60 44 C:\Users\user\AppData\Roaming\jgfuise, PE32 20->44 dropped 46 C:\Users\user\AppData\Local\Temp\9F49.exe, PE32 20->46 dropped 48 C:\Users\user\AppData\Local\Temp\90D1.exe, PE32 20->48 dropped 50 6 other malicious files 20->50 dropped 74 Benign windows process drops PE files 20->74 76 Performs DNS queries to domains with low reputation 20->76 78 Deletes itself after installation 20->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->80 25 7C1E.exe 3 20->25         started        28 7623.exe 14 3 20->28         started        30 87D7.exe 5 20->30         started        34 3 other processes 20->34 file10 signatures11 process12 dnsIp13 82 Multi AV Scanner detection for dropped file 25->82 84 Detected unpacking (changes PE section rights) 25->84 86 Query firmware table information (likely to detect VMs) 25->86 88 Tries to detect sandboxes and other dynamic analysis tools (window names) 25->88 36 conhost.exe 25->36         started        90 Machine Learning detection for dropped file 28->90 92 Hides threads from debuggers 28->92 94 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->94 38 conhost.exe 28->38         started        62 45.140.147.35, 49739, 80 SYNLINQsynlinqdeDE United Kingdom 30->62 64 telete.in 195.201.225.248, 443, 49736 HETZNER-ASDE Germany 30->64 52 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 30->52 dropped 96 Contains functionality to steal Internet Explorer form passwords 30->96 98 Tries to harvest and steal browser information (history, passwords, etc) 30->98 40 6682.exe 14 2 34->40         started        42 conhost.exe 34->42         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a0c92492986fc6dde9450672a3f76d05beee65f95b997a7866c7bba341bbaa2/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-20 14:06:11 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rigjesjjq36g3xuukbtsup3w2bn65zs7sw4zpj4gnr53una3xkra._file
Verdict:
suspicious
Similar samples:
0192b858039b3182dfd17ce582c9398dc1495566082de0f6a76279585bacf8e5
RedLineStealer
0ef8e97b174862177771e0f42373530de7356883781cd0c498ac950dd2748835
RedLineStealer
1a471836c805bbee8b08512c7a813aa00c5df6dcb11888d39bf652afb7ab36f6
RedLineStealer
28b577b09ddd23494aaa0a19ae4e9219562a80a9176b9cfcdd3bb76a59bf4a28
RedLineStealer
341affdc32c116eeac3bc8af74eeec475feb728b9bc8a56a4b35ad4755707d5e
RedLineStealer
39894026621d1c5fabeca0fe3b0ba3fe2e97d99e17d50227ead4ac7c64ee080c
RedLineStealer
4aa5d31d20f0fd1c34a98270119339269fb7be574e580d7a21da7ecb3a59f471
RedLineStealer
78f958d430a4dec84e4126958d0bde722beab77f03f1ecd733ba94827997dec7
RedLineStealer
e74bc1681d06f6f4ab4f3eafaa576329266891516a23b6e8b96410f1b8578b96
RedLineStealer
fc2d4be12648dae97df783706ec9fea8396d3327428fa73b44e2968fbd7d3e8b
RedLineStealer
+ 5'497 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:#mix 19.08 botnet:777 botnet:blacks1 botnet:fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210820-qrt9aasvjx/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
gophamanapr.site:80
51.254.68.139:8067
135.148.139.222:33569
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/65feb58a-159f-427f-9799-434a4b319c76/
SH256 hash:
8a0c92492986fc6dde9450672a3f76d05beee65f95b997a7866c7bba341bbaa2
MD5 hash:
1e90d4583252fab21abf7d5f9b8ec294
SHA1 hash:
3dc826b1bf737364bfc0bbc665b89b306e06e5d6
Link:
https://www.unpac.me/results/65feb58a-159f-427f-9799-434a4b319c76/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a0c92492986fc6dde9450672a3f76d05beee65f95b997a7866c7bba341bbaa2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8a0c92492986fc6dde9450672a3f76d05beee65f95b997a7866c7bba341bbaa2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1549209/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180957/

Comments