MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35
SHA3-384 hash: dced633d46190775b40489fa42dd0e531aae7f5b1c72de1a4e9b8cdaf60d907cd8177db20a9d362202867a9888b43bc7
SHA1 hash: 7ece2be57742aebd48d4267e5d02ec255feb3724
MD5 hash: 37f653cc837e9537c08838f7b36daa35
humanhash: fillet-indigo-jig-pasta
File name:37f653cc837e9537c08838f7b36daa35.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:200'192 bytes
First seen:2021-11-12 16:35:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 52f3cbaa89ec222f54fb6ad33fd12ebf (3 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 3072:O7uEFxzCWf3vik1vn4CDTIkzcyf9A4gMPvH8ysxkgaBChopZa9uD6Vdyhko:vEOWf36k1vn47SJgMMvigaTwVf
Threatray 11'880 similar samples on MalwareBazaar
TLSH T17714AD1277E09876E1A22E305464DABD163BFC726930954BE750A76F1EB33D08A7231F
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
86.107.197.248:56626

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
86.107.197.248:56626 https://threatfox.abuse.ch/ioc/247483/

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205334/
Detection(s):
Win.Malware.Fragtor-9907126-0
Create hunting rule

Win.Malware.Generic-9908035-0
Create hunting rule

Win.Malware.Generic-9908337-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/618e97fda00afa9663a53fca/reports/e4e02aeb-19f1-4501-9fdf-6d877a0653b6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab83018e-2a52-4d20-817b-10d5c1b31d5b
Result
Threat name:
Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888254
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 520727 Sample: GhlYvtlwHA.exe Startdate: 12/11/2021 Architecture: WINDOWS Score: 100 72 www.google.com 2->72 74 www-googletagmanager.l.google.com 2->74 76 25 other IPs or domains 2->76 94 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->94 96 Antivirus detection for URL or domain 2->96 98 Multi AV Scanner detection for submitted file 2->98 100 10 other signatures 2->100 10 GhlYvtlwHA.exe 2->10         started        12 uutrecw 2->12         started        15 fitrecw 2->15         started        signatures3 process4 signatures5 17 GhlYvtlwHA.exe 10->17         started        110 Machine Learning detection for dropped file 12->110 112 Contains functionality to inject code into remote processes 12->112 114 Injects a PE file into a foreign processes 12->114 20 uutrecw 12->20         started        116 DLL reload attack detected 15->116 118 Checks if the current machine is a virtual machine (disk enumeration) 15->118 process6 signatures7 86 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->86 88 Maps a DLL or memory area into another process 17->88 90 Checks if the current machine is a virtual machine (disk enumeration) 17->90 22 explorer.exe 16 17->22 injected 92 Creates a thread in another existing process (thread injection) 20->92 process8 dnsIp9 78 216.128.137.31, 443, 49759, 49760 AS-CHOOPAUS United States 22->78 80 anonfiles.com 45.154.253.151, 443, 49898 SVEASE Sweden 22->80 82 10 other IPs or domains 22->82 50 C:\Users\user\AppData\Roaming\uutrecw, PE32 22->50 dropped 52 C:\Users\user\AppData\Roaming\fitrecw, PE32 22->52 dropped 54 C:\Users\user\AppData\Local\Temp\D9B6.exe, PE32 22->54 dropped 56 9 other malicious files 22->56 dropped 102 System process connects to network (likely due to code injection or exploit) 22->102 104 Benign windows process drops PE files 22->104 106 Deletes itself after installation 22->106 108 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->108 27 B6BB.exe 1 22->27         started        31 3300.exe 22->31         started        33 731C.exe 2 22->33         started        36 6 other processes 22->36 file10 signatures11 process12 dnsIp13 62 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 27->62 dropped 120 Multi AV Scanner detection for dropped file 27->120 122 DLL reload attack detected 27->122 124 Detected unpacking (changes PE section rights) 27->124 140 5 other signatures 27->140 126 Query firmware table information (likely to detect VMs) 31->126 128 Tries to detect sandboxes and other dynamic analysis tools (window names) 31->128 130 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 31->130 142 2 other signatures 31->142 38 AppLaunch.exe 31->38         started        64 45.9.20.149, 10844 DEDIPATH-LLCUS Russian Federation 33->64 132 Machine Learning detection for dropped file 33->132 144 2 other signatures 33->144 66 93.115.20.139, 28978, 49867 MVPShttpswwwmvpsnetEU Romania 36->66 68 162.159.133.233, 443, 49818, 49977 CLOUDFLARENETUS United States 36->68 70 cdn.discordapp.com 36->70 134 Antivirus detection for dropped file 36->134 136 Detected unpacking (overwrites its own PE header) 36->136 138 Injects a PE file into a foreign processes 36->138 40 ABCD.exe 36->40         started        43 1B8F.exe 36->43         started        46 C8AE.exe 2 36->46         started        48 3 other processes 36->48 file14 signatures15 process16 dnsIp17 58 C:\Users\user\AppData\Local\Temp\ins.exe, PE32 40->58 dropped 60 C:\Users\user\AppData\Local\Temp\1234.exe, PE32 40->60 dropped 84 telegin.top 43->84 file18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 20:23:18 UTC
AV detection:
27 of 27 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5cc5takd4egb2lrwoumutphq5f6ai33474gv3f6xpxbilweru2q._file
Verdict:
malicious
Similar samples:
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
RedLineStealer
219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75
RedLineStealer
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
RedLineStealer
72e7b4c70e737e0de819b5745cb0149317f2ced194149ea119fd6d727f08a407
RedLineStealer
c216318aa07c096684c7cd9fec44a07ac8a48294b0f463ff4e4703a4fa7d4790
RedLineStealer
f4d185f32721b1c2da2dfdf291154a0c3927fea3e267a4f88f99a49d36ef149a
RedLineStealer
+ 11'870 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:netsupport family:redline family:smokeloader botnet:superstar backdoor discovery evasion infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/211112-t3916adha4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NetSupport
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://nalirou70.top/
http://xacokuo80.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
185.159.80.90:38637
185.215.113.29:36224
Unpacked files
SH256 hash:
cdb9c842ba86fc328ec80226975c54c24a3ee9868cbbaab14d2b651cc80e70e6
MD5 hash:
f7ff52793660cabb5ebd2bd4b9810336
SHA1 hash:
23e6a68262b479a1ff214b09dbfe159292475a22
Link:
https://www.unpac.me/results/7898890b-8b85-417c-9676-06fd9bce0fb4/
SH256 hash:
9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35
MD5 hash:
37f653cc837e9537c08838f7b36daa35
SHA1 hash:
7ece2be57742aebd48d4267e5d02ec255feb3724
Link:
https://www.unpac.me/results/7898890b-8b85-417c-9676-06fd9bce0fb4/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9f442ecc0a1f0860e971b3a8ca4de7874be0237be7f86aecbebbee142ec48d35

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1755148/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205334/

Comments