MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4a98a1f5d1241e6ff86df1a7ad314f6b4102479532699555f6199ddb7b5425e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4a98a1f5d1241e6ff86df1a7ad314f6b4102479532699555f6199ddb7b5425e
SHA3-384 hash: 507ab9b701bdea4f1736bd7d90222826d777387ed62d8d2d4b9d19be41247805a6cccf35abef6e7be0480a7c2bc8baa1
SHA1 hash: b01e79b87d4f9d278551d647b47f4ea6e6065659
MD5 hash: c51677d364c928b88cad86019a718ccd
humanhash: kentucky-winter-equal-indigo
File name:c51677d364c928b88cad86019a718ccd.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:310'272 bytes
First seen:2022-07-19 14:15:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 19b703097c4f74d6bb1c823ff614186e (5 x RedLineStealer)
ssdeep 6144:tECH2VF/KTzXfbHnogzmXtBttvh+lEWnzqyf2yUPXWtj3Q:tESiyXvbHoGmXtBttibf+pG
Threatray 5'173 similar samples on MalwareBazaar
TLSH T14A647D00BB90C435F5B722F446BA9379B92E7EA0572460CF52D52AFE56346E0EC3135B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 25ac137039939b91 (15 x Smoke Loader, 12 x Amadey, 6 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
176.124.208.66:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
176.124.208.66:80 https://threatfox.abuse.ch/ioc/838639/

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291885/
Detection(s):
Win.Malware.Pwsx-9956485-0
Create hunting rule

Win.Malware.Pwsx-9956486-0
Create hunting rule

Win.Malware.Pwsx-9956528-0
Create hunting rule

Win.Malware.Pwsx-9956543-0
Create hunting rule

Win.Malware.Pwsx-9956611-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26747/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62d6bcc10e298a94f3de6ebe/reports/d521fcde-8b08-4a47-8928-1eaf75c46c58/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fc7845c-941a-4834-bc2a-b7696baca8a3
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036558
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 669052 Sample: LI7UsZ6j5W.exe Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 27 synchbrokers.asia 2->27 29 api.ip.sb 2->29 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 8 other signatures 2->49 8 LI7UsZ6j5W.exe 2->8         started        11 cscwehg 2->11         started        signatures3 process4 signatures5 51 Detected unpacking (changes PE section rights) 8->51 53 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->53 55 Maps a DLL or memory area into another process 8->55 57 Creates a thread in another existing process (thread injection) 8->57 13 explorer.exe 4 8->13 injected 59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 63 Checks if the current machine is a virtual machine (disk enumeration) 11->63 process6 dnsIp7 31 138.36.3.134, 49803, 49804, 49805 TEXNETSERVICOSDECOMUNICACAOEMINFORMATICALTDBR Brazil 13->31 33 211.119.84.112, 49801, 49809, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 13->33 35 5 other IPs or domains 13->35 21 C:\Users\user\AppData\Roaming\cscwehg, PE32 13->21 dropped 23 C:\Users\user\AppData\Local\Temp\3E75.exe, PE32 13->23 dropped 25 C:\Users\user\...\cscwehg:Zone.Identifier, ASCII 13->25 dropped 65 System process connects to network (likely due to code injection or exploit) 13->65 67 Benign windows process drops PE files 13->67 69 Deletes itself after installation 13->69 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->71 18 3E75.exe 2 13->18         started        file8 signatures9 process10 signatures11 37 Detected unpacking (changes PE section rights) 18->37 39 Detected unpacking (overwrites its own PE header) 18->39 41 Machine Learning detection for dropped file 18->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4a98a1f5d1241e6ff86df1a7ad314f6b4102479532699555f6199ddb7b5425e/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2022-07-16 11:32:16 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=usuyuh25cja6n74g34nhvuyu622bajdzkmtjsvk7mgm53n5vijpa._file
Verdict:
malicious
Similar samples:
46208bf1cbba615713b47d155f82e4b75b5d333cd0aaf78ab3484808f31d5508
RedLineStealer
7bd930935f5318bf8b9b0905536d0183a43a58100ea9af549dfcbe79417f3cc1
RedLineStealer
7c23a4178b8fc14dedfd30b2b8fe462b4d936210bc64d6a14671b14a9387306a
RedLineStealer
941a3bcb60c83f993af2d14d472962847aad9bcff4d129c8763692ef4591e0bd
RedLineStealer
c5c6d3e4815d6c5d57a1c0740a92f2aed80a19568838b828fc83e6187fb72068
RedLineStealer
c71196956045aca4d7099accbecf03611f6225cc6f4037b371fc35aa7ce910f0
RedLineStealer
d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06
RedLineStealer
+ 5'163 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220719-rk413sdgh7/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Unpacked files
SH256 hash:
f6480db45d6a35a04394896df8c67ec365b3aa47c151e4dc4e33b3ddeaaf99bd
MD5 hash:
8fb69b11b56499930fcbfd94e51c92d5
SHA1 hash:
e7400f65a9d66c28af1410d4729bc0b9499612d3
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/ad3a96c4-2e41-48a9-af66-786aa0bc1a21/
Parent samples :
72049b20ca0a154341e57f40ba27f394f1bc5ee56b70ac729fe9e13d5b170633
a4a98a1f5d1241e6ff86df1a7ad314f6b4102479532699555f6199ddb7b5425e
f8ead10cd80934a84d94736726e5f3c2098731df934e5e0765bfedf1cd153201
SH256 hash:
a4a98a1f5d1241e6ff86df1a7ad314f6b4102479532699555f6199ddb7b5425e
MD5 hash:
c51677d364c928b88cad86019a718ccd
SHA1 hash:
b01e79b87d4f9d278551d647b47f4ea6e6065659
Link:
https://www.unpac.me/results/ad3a96c4-2e41-48a9-af66-786aa0bc1a21/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4a98a1f5d1241e6ff86df1a7ad314f6b4102479532699555f6199ddb7b5425e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291885/

Comments