MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3cf60a275c70b3b79a12f40ef477ceacc35b66209856fafe770df228df08de4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3cf60a275c70b3b79a12f40ef477ceacc35b66209856fafe770df228df08de4
SHA3-384 hash: 9a8f9cd232c447808e6f8938c0112f9e588e1a91f2508496beb857c35fa5666d755cb93a4cdd88a8284fa3d501a1717e
SHA1 hash: 83fc9c84a0e1c37c2144a3ef9bec83a0569847bb
MD5 hash: d14b20c4eb8676d6b311af2e9dde7f93
humanhash: connecticut-michigan-idaho-low
File name:d14b20c4eb8676d6b311af2e9dde7f93.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:127'488 bytes
First seen:2021-10-30 06:11:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:FfreLx2qN8/eE1023NIZvGQ3CtnD484vTWJ:BmN82ElOZvGQ3+8
Threatray 3'079 similar samples on MalwareBazaar
TLSH T120C3129EE5ACD823DB2C1E389CD71F440694B9214928FB1F5D0573663E8B38B8461BE7
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
80.66.87.50:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
80.66.87.50:80 https://threatfox.abuse.ch/ioc/239757/

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d14b20c4eb8676d6b311af2e9dde7f93.exe
Verdict:
No threats detected
Analysis date:
2021-10-30 06:18:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a5b58025-ceab-4f90-8ea1-0406165b8bfc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Deleting a recently created file
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Creating a window
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Reading critical registry keys
Launching a process
Creating a process with a hidden window
Launching a service
Creating a file
Creating a file in the Windows subdirectories
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Setting a single autorun event
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a4b6a60-9d6b-4a45-ae17-7de08ff85b94
Result
Threat name:
Cryptolocker RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879701
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
DLL reload attack detected
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Cryptolocker ransomware
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 512135 Sample: 7Qjo7zm4qj.exe Startdate: 30/10/2021 Architecture: WINDOWS Score: 100 100 Malicious sample detected (through community Yara rule) 2->100 102 Antivirus / Scanner detection for submitted sample 2->102 104 Multi AV Scanner detection for submitted file 2->104 106 11 other signatures 2->106 10 7Qjo7zm4qj.exe 4 2->10         started        13 bgftsvw 1 2->13         started        16 svchost.exe 2->16         started        18 9 other processes 2->18 process3 dnsIp4 66 C:\Users\user\AppData\Local\Temp66IKE.exe, PE32 10->66 dropped 68 C:\Users\user\AppData\Local\Temp\136.exe, PE32 10->68 dropped 70 C:\Users\user\AppData\...\7Qjo7zm4qj.exe.log, ASCII 10->70 dropped 21 136.exe 1 10->21         started        24 NIKE.exe 15 5 10->24         started        72 C:\Users\user\AppData\Local\Temp\BC84.tmp, PE32 13->72 dropped 146 Antivirus detection for dropped file 13->146 148 Multi AV Scanner detection for dropped file 13->148 150 DLL reload attack detected 13->150 154 6 other signatures 13->154 152 Changes security center settings (notifications, updates, antivirus, firewall) 16->152 27 MpCmdRun.exe 16->27         started        82 192.168.2.1 unknown unknown 18->82 file5 signatures6 process7 dnsIp8 108 Antivirus detection for dropped file 21->108 110 Multi AV Scanner detection for dropped file 21->110 112 DLL reload attack detected 21->112 122 6 other signatures 21->122 29 explorer.exe 1 8 21->29 injected 92 80.66.87.50, 49710, 80 WORLDSTREAMNL Russian Federation 24->92 94 api.ip.sb 24->94 114 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->114 116 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 24->116 118 Tries to harvest and steal browser information (history, passwords, etc) 24->118 120 Tries to steal Crypto Currency Wallets 24->120 34 conhost.exe 27->34         started        signatures9 process10 dnsIp11 96 planilhasvba.com.br 216.172.172.202, 49714, 49718, 49758 UNIFIEDLAYER-AS-1US United States 29->96 98 prismarepres.com.br 191.252.142.137, 49715, 49734, 49759 LocawebServicosdeInternetSABR Brazil 29->98 74 C:\Users\user\AppData\Roaming\bgftsvw, PE32 29->74 dropped 76 C:\Users\user\AppData\Local\Temp\DC03.exe, PE32 29->76 dropped 78 C:\Users\user\AppData\Local\Temp\369D.exe, PE32 29->78 dropped 80 C:\Users\user\AppData\Local\Temp\1CCB.exe, PE32 29->80 dropped 156 System process connects to network (likely due to code injection or exploit) 29->156 158 Benign windows process drops PE files 29->158 160 Injects code into the Windows Explorer (explorer.exe) 29->160 162 2 other signatures 29->162 36 1CCB.exe 29->36         started        40 DC03.exe 15 7 29->40         started        42 explorer.exe 29->42         started        44 2 other processes 29->44 file12 signatures13 process14 dnsIp15 84 162.159.135.233, 443, 49761, 49762 CLOUDFLARENETUS United States 36->84 124 Multi AV Scanner detection for dropped file 36->124 126 Machine Learning detection for dropped file 36->126 128 Creates autostart registry keys with suspicious names 36->128 130 Sample uses process hollowing technique 36->130 46 powershell.exe 36->46         started        48 powershell.exe 36->48         started        86 cdn.discordapp.com 162.159.129.233, 443, 49733, 49740 CLOUDFLARENETUS United States 40->86 132 Creates an autostart registry key pointing to binary in C:\Windows 40->132 134 Adds a directory exclusion to Windows Defender 40->134 136 Injects a PE file into a foreign processes 40->136 50 powershell.exe 40->50         started        52 powershell.exe 40->52         started        54 powershell.exe 40->54         started        56 2 other processes 40->56 88 planilhasvba.com.br 42->88 138 System process connects to network (likely due to code injection or exploit) 42->138 140 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->140 142 Tries to steal Mail credentials (via file access) 42->142 144 Tries to harvest and steal browser information (history, passwords, etc) 42->144 90 162.159.133.233, 443, 49763, 49765 CLOUDFLARENETUS United States 44->90 signatures16 process17 process18 58 conhost.exe 46->58         started        60 conhost.exe 50->60         started        62 conhost.exe 52->62         started        64 conhost.exe 54->64         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3cf60a275c70b3b79a12f40ef477ceacc35b66209856fafe770df228df08de4/
Threat name:
ByteCode-MSIL.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-23 21:59:36 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uphwbitvy4ftw6nbf5ao6r345lgdlntcbgcw7l7hodpsfdpqrxsa._file
Verdict:
malicious
Similar samples:
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
RedLineStealer
3fe70737f4c556e55f6ff23ebde2d84d9867059847105623d9414a57abfda632
RedLineStealer
42dbfa5efe80e105779d68ff235e542aea125899495f2c7feea11471531238fd
RedLineStealer
560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b
RedLineStealer
5b742d7fc7f00ec13442daf22ff2bb2b856e5083eee18fffc267185bfbb7720b
RedLineStealer
6c7390a207bf7d3ce9df2c9df04609bbc6176eb958294f760e9167553fd05428
RedLineStealer
6f746dfc7c53944b60e4fdc29fdea740ae8ceaf98126262258fd38ecf166cba5
RedLineStealer
9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7
RedLineStealer
a8e4f8648ff3dbfcf882b39d32033d3ca1f6fdaef9694107aba80f36a0480e36
RedLineStealer
+ 3'069 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:223 backdoor discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/211030-gx7mmaeee4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Windows security bypass
Malware Config
C2 Extraction:
80.66.87.50:80
http://planilhasvba.com.br/wp-admin/js/k/index.php
http://rpk32ubon.ac.th/backup/k/index.php
http://4urhappiness.com/app/k/index.php
http://swedenkhabar.com/wp-admin/js/k/index.php
http://cio.lankapanel.net/wp-admin/js/k/index.php
http://fcmsites.com.br/canal/wp-admin/js/k/index.php
http://lacoibipitanga.com.br/maxart/k/index.php
http://lacoibipitanga.com.br/cgi-bin/k/index.php
http://video.nalahotel.com/k/index.php
http://diving-phocea.com/wp-admin/k/index.php
http://phocea-sudan.com/cgi-bin/k/index.php
http://rpk32ubon.ac.th/wp-admin/js/k/index.php
https://www.twinrealty.com/vworker/k/index.php
23.94.183.146:60709
Unpacked files
SH256 hash:
a3cf60a275c70b3b79a12f40ef477ceacc35b66209856fafe770df228df08de4
MD5 hash:
d14b20c4eb8676d6b311af2e9dde7f93
SHA1 hash:
83fc9c84a0e1c37c2144a3ef9bec83a0569847bb
Link:
https://www.unpac.me/results/d244aca6-7096-4958-b151-4aaeaaaf254c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/a3cf60a275c70b3b79a12f40ef477ceacc35b66209856fafe770df228df08de4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments