MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9841b0752650491124a2dd4ccabf9ee79f791561363f160fb82a72a6dd1e280d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9841b0752650491124a2dd4ccabf9ee79f791561363f160fb82a72a6dd1e280d
SHA3-384 hash: f32789f59cc3b2d537fc5df635994f59b760666796b104fd33897836b94625250d3537a466e9904d5c961b8c341f5788
SHA1 hash: 3f05cf4f7b5a8bf8679aa07607335f1a6c886d8d
MD5 hash: b664f1adaf348e3fc894fc751f39db84
humanhash: delta-bulldog-mango-nuts
File name:b664f1adaf348e3fc894fc751f39db84.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:328'192 bytes
First seen:2021-12-07 11:16:46 UTC
Last seen:2021-12-07 12:57:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bd61429d86f194f3b84d97af55b8c371 (3 x RedLineStealer, 1 x Amadey, 1 x RaccoonStealer)
ssdeep 6144:Yq1ORQo7GBHCglPKUu1N5RNLP35x7JRwud:YqAKogH3lPKP1N5RNT35xzwy
Threatray 74 similar samples on MalwareBazaar
TLSH T1C4647D10A6E0D435F5B712F85AB59269A93F7AB15B3490CF12D427EE5B34AE0EC3031B
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.140.112.131:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.140.112.131:80 https://threatfox.abuse.ch/ioc/262949/

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b664f1adaf348e3fc894fc751f39db84.exe
Verdict:
No threats detected
Analysis date:
2021-12-07 22:58:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aad1d76a-4640-4b7b-903f-005e570efee1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/212082/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.14522.27763.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1197/overview
Behaviour
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61af42b247ed217c01347a7f/reports/b19fa66a-1545-48cb-9298-bbe22c092453/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6152bd13-e4f7-4052-a0e3-de7a1fd61705
Result
Threat name:
Clipboard Hijacker SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/902958
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Clipboard Hijacker
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 535436 Sample: 5AyeZ8yLO1.exe Startdate: 07/12/2021 Architecture: WINDOWS Score: 100 47 rcacademy.at 2->47 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Antivirus detection for URL or domain 2->61 63 10 other signatures 2->63 9 5AyeZ8yLO1.exe 2->9         started        12 ifgswuw 2->12         started        14 ifgswuw 2->14         started        signatures3 process4 signatures5 73 Detected unpacking (changes PE section rights) 9->73 75 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->75 77 Maps a DLL or memory area into another process 9->77 16 explorer.exe 4 9->16 injected 79 Machine Learning detection for dropped file 12->79 81 Checks if the current machine is a virtual machine (disk enumeration) 12->81 83 Creates a thread in another existing process (thread injection) 12->83 process6 dnsIp7 41 rcacademy.at 189.165.51.125, 49717, 49724, 49732 UninetSAdeCVMX Mexico 16->41 43 petknorra.com 85.143.174.106, 49753, 49815, 80 TRADERSOFTRU Russian Federation 16->43 45 4 other IPs or domains 16->45 31 C:\Users\user\AppData\Roaming\ifgswuw, PE32 16->31 dropped 33 C:\Users\user\AppData\Local\Temp\C7D3.exe, PE32 16->33 dropped 35 C:\Users\user\AppData\Local\Temp\9FD5.exe, PE32 16->35 dropped 37 C:\Users\user\...\ifgswuw:Zone.Identifier, ASCII 16->37 dropped 49 System process connects to network (likely due to code injection or exploit) 16->49 51 Benign windows process drops PE files 16->51 53 Deletes itself after installation 16->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->55 21 C7D3.exe 4 16->21         started        25 9FD5.exe 16->25         started        27 SmartClock.exe 16->27         started        file8 signatures9 process10 file11 39 C:\Users\user\AppData\...\SmartClock.exe, PE32 21->39 dropped 65 Detected unpacking (changes PE section rights) 21->65 67 Detected unpacking (overwrites its own PE header) 21->67 69 Machine Learning detection for dropped file 21->69 71 Delayed program exit found 21->71 29 SmartClock.exe 21->29         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9841b0752650491124a2dd4ccabf9ee79f791561363f160fb82a72a6dd1e280d/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-12-07 11:17:12 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tba3a5jgkbercjfc3vgmvp4646pxsflbgy7rmd5yfjzknxi6fagq._file
Verdict:
malicious
Similar samples:
2ad536248b31c68f944b660e6062e9ddf76a9f4dff85edb300a1e3def3f395ab
RedLineStealer
3e2324a1984b7bbd91cd330f430920aac22d48750048e6573b707848bc72bffd
RedLineStealer
7e6888c535be7bfc54222c639a8a3d65d92fa733eec26f113de195842ec1525d
RedLineStealer
c161867b30341da1738ad780ac4c44300dc5f29e25bca55de80803394efdcd7b
RedLineStealer
c2cb62e9291d6dc8dc9fdf0064de10045eb7995c2e8b197ac9cddf7932a662b8
RedLineStealer
+ 64 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211207-ndpq2aghcq/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Drops startup file
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
195.133.47.114:38627
Unpacked files
SH256 hash:
fff1b918442d22465bb7b3303f0e6570623711de250a2ceb164ece2d1656233b
MD5 hash:
c8a39349b64ff5753fc8f10de5d3f7a8
SHA1 hash:
42fc1a3a257903eed416ca4342c6df0c906a40a0
Link:
https://www.unpac.me/results/dcc1fd60-c5a1-4883-9876-e7da17621496/
SH256 hash:
9841b0752650491124a2dd4ccabf9ee79f791561363f160fb82a72a6dd1e280d
MD5 hash:
b664f1adaf348e3fc894fc751f39db84
SHA1 hash:
3f05cf4f7b5a8bf8679aa07607335f1a6c886d8d
Link:
https://www.unpac.me/results/dcc1fd60-c5a1-4883-9876-e7da17621496/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9841b0752650/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9841b0752650491124a2dd4ccabf9ee79f791561363f160fb82a72a6dd1e280d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9841b0752650491124a2dd4ccabf9ee79f791561363f160fb82a72a6dd1e280d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1858211/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/212082/

Comments