MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a15449ae67bf0149ead362ba69e532eeb2557f13bc1c3ed8ece6e642db66b7da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a15449ae67bf0149ead362ba69e532eeb2557f13bc1c3ed8ece6e642db66b7da
SHA3-384 hash: 2b3323814bdc7f57aa2f947dda6cfc2cb73a8b1e42bf0d6f616aaac05daa6a4ffc05004932f7d2ca199292b4a4e1703a
SHA1 hash: 2002e734f20332bfcbc230e190cc754bec6c1483
MD5 hash: 1f1a01436ee3562be31908db67f3f5ef
humanhash: mango-pluto-sodium-low
File name:1f1a01436ee3562be31908db67f3f5ef.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:138'240 bytes
First seen:2021-09-27 04:57:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1193224d221249fb1dfab2aba14a315c (7 x RedLineStealer, 6 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep 1536:epWi5agk7NPZgqXl4SAxETqaH+PZcL57B8S/I8fIKE1PNiceJ+b8sAawNPt/CD6H:e4Zz1V4CH+B85VnIT1FVp8s9u0O
Threatray 5'656 similar samples on MalwareBazaar
TLSH T17AD3AD1D7690D432C6B655F1B895CAA0D669BC21BE65EE833B44132F3E301924E3B3A7
File icon (PE):PE icon
dhash icon fcfcf4d4d4d4d8c0 (41 x RedLineStealer, 30 x RaccoonStealer, 9 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
92.246.89.6:38437

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.246.89.6:38437 https://threatfox.abuse.ch/ioc/226920/

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1f1a01436ee3562be31908db67f3f5ef.exe
Verdict:
No threats detected
Analysis date:
2021-09-27 04:57:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a34c3ec1-4921-49ac-80eb-3955be313794

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191878/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.9007.936.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5be396e-1591-484f-a1a8-afed8957514f
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858648
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491076 Sample: lc7n16mQKz.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 28 govsurplusstore.com 2->28 30 api.ip.sb 2->30 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 9 lc7n16mQKz.exe 2->9         started        12 aagjduu 2->12         started        signatures3 process4 signatures5 62 Detected unpacking (changes PE section rights) 9->62 64 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->64 66 Maps a DLL or memory area into another process 9->66 14 explorer.exe 2 9->14 injected 68 Multi AV Scanner detection for dropped file 12->68 70 Checks if the current machine is a virtual machine (disk enumeration) 12->70 72 Creates a thread in another existing process (thread injection) 12->72 process6 dnsIp7 32 zigorat.us 38.117.65.66, 49894, 80 RC-01-ASCA United States 14->32 34 govsurplusstore.com 27.147.183.45, 49810, 49882, 49885 LINK3-TECH-AS-BD-APLink3TechnologiesLtdBD Bangladesh 14->34 36 4 other IPs or domains 14->36 24 C:\Users\user\AppData\Roaming\aagjduu, PE32 14->24 dropped 26 C:\Users\user\...\aagjduu:Zone.Identifier, ASCII 14->26 dropped 38 System process connects to network (likely due to code injection or exploit) 14->38 40 Benign windows process drops PE files 14->40 42 Deletes itself after installation 14->42 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->44 19 69EB.exe 3 14->19         started        file8 signatures9 process10 signatures11 54 Detected unpacking (changes PE section rights) 19->54 56 Query firmware table information (likely to detect VMs) 19->56 58 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->58 60 2 other signatures 19->60 22 conhost.exe 19->22         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a15449ae67bf0149ead362ba69e532eeb2557f13bc1c3ed8ece6e642db66b7da/
Threat name:
Win32.Trojan.DllCheck
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 21:23:51 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ufketlthx4aut2wtmk5gtzjs52zfk7ytxqod5whm43tefw3gw7na._file
Verdict:
malicious
Similar samples:
11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3
RedLineStealer
16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d
RedLineStealer
229c6f4db65ef671df9f2af39af518ed9dde8d5401c172190a936565cf2772f2
RedLineStealer
24c3fd88b8af64d4e5d3b1258287ad25e79840034dc57f19e51d0df59a5daa72
RedLineStealer
2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133
RedLineStealer
44f3c573b5d6d77d97c2ebf5d4a235da5aed3a18eb5b76ea420d262df0f3a826
RedLineStealer
466f0beab5744a1cebd4cb3de457d3c0821d972e27e25ca1969677716c6b8c6c
RedLineStealer
84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
RedLineStealer
89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
RedLineStealer
dad310f9c291800939286d91b2b3206ca1f53661eed6c9c819d269780eb37b63
RedLineStealer
+ 5'646 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:redline family:smokeloader family:vidar botnet:paladin backdoor discovery evasion infostealer persistence ransomware spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210927-jx7czafhgk/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
94.26.228.204:32917
Unpacked files
SH256 hash:
5e52071fd7832c439965575105f0a8d309fc5c923523689f94c6aaaa4230ec8a
MD5 hash:
0723090cb25a2ec591eb170730b0e737
SHA1 hash:
d6e2422a17cfe0de3cc43053cf595b7a28897386
Link:
https://www.unpac.me/results/37f95a7e-aa31-43b1-9a25-63e3d2c6b9c2/
SH256 hash:
a15449ae67bf0149ead362ba69e532eeb2557f13bc1c3ed8ece6e642db66b7da
MD5 hash:
1f1a01436ee3562be31908db67f3f5ef
SHA1 hash:
2002e734f20332bfcbc230e190cc754bec6c1483
Link:
https://www.unpac.me/results/37f95a7e-aa31-43b1-9a25-63e3d2c6b9c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a15449ae67bf0149ead362ba69e532eeb2557f13bc1c3ed8ece6e642db66b7da

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a15449ae67bf0149ead362ba69e532eeb2557f13bc1c3ed8ece6e642db66b7da

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1644574/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191878/

Comments