MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9138cca62cdbce40d67a682428e47e1693bd4d5851cb94e288abeb685b7941d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9138cca62cdbce40d67a682428e47e1693bd4d5851cb94e288abeb685b7941d
SHA3-384 hash: 42be5fa8962c920888015bc61238cb46c2bf88c8874ccac37dd4d1785e0cb4200041ca7a3d8e93646d43e86da011631c
SHA1 hash: 821d7b01912437d8884774089832ebc6c793a18b
MD5 hash: 41cfa9ac9a6cc4aaa22cf51ca47df385
humanhash: asparagus-ceiling-eleven-bakerloo
File name:41cfa9ac9a6cc4aaa22cf51ca47df385.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:205'824 bytes
First seen:2021-11-06 22:11:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 80ba2861c278646549335a754dc96d41 (1 x RedLineStealer, 1 x Smoke Loader, 1 x RaccoonStealer)
ssdeep 3072:uavKSMG26jmJ/pDEj70l38P0v7/Wrxpzbgqru+sxkgaBChJ/oAhp:uL8RmRgklj7uzbgwu7igaI/
Threatray 5'065 similar samples on MalwareBazaar
TLSH T115148D3176E8D871E0A30E30C474DAA4153BB8615631958BE7647B2F2E70F8C5AEA35F
File icon (PE):PE icon
dhash icon a1bcdcac9c8cb4ac (3 x RedLineStealer, 1 x CryptBot, 1 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
109.107.191.37:55005

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
109.107.191.37:55005 https://threatfox.abuse.ch/ioc/244778/

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202965/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.38608.28520.16322.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6186fdb52084b424af0cfe08/reports/b41e0d2f-ec26-4aaa-a778-d20de14bed1d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4421c1be-21d1-4d17-a0ad-65248ce22aea
Result
Threat name:
Clipboard Hijacker RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884606
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Bypass UAC via CMSTP
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 517064 Sample: Z955a6Ht8g.exe Startdate: 06/11/2021 Architecture: WINDOWS Score: 100 68 cdn.discordapp.com 2->68 76 Multi AV Scanner detection for domain / URL 2->76 78 Found malware configuration 2->78 80 Antivirus detection for URL or domain 2->80 82 11 other signatures 2->82 9 Z955a6Ht8g.exe 2->9         started        12 fbrcutt 2->12         started        14 6007.exe 7 8 2->14         started        17 12 other processes 2->17 signatures3 process4 file5 92 Detected unpacking (changes PE section rights) 9->92 94 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->94 96 Maps a DLL or memory area into another process 9->96 19 explorer.exe 8 9->19 injected 98 Machine Learning detection for dropped file 12->98 100 Checks if the current machine is a virtual machine (disk enumeration) 12->100 102 Creates a thread in another existing process (thread injection) 12->102 60 C:\Users\user\AppData\...\breakers.exe, PE32 14->60 dropped 62 C:\Program Files\Common Files\...\svchost.exe, PE32 14->62 dropped 64 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 14->64 dropped 66 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 14->66 dropped 24 AdvancedRun.exe 14->24         started        104 Changes security center settings (notifications, updates, antivirus, firewall) 17->104 26 MpCmdRun.exe 1 17->26         started        28 consent.exe 17->28         started        signatures6 process7 dnsIp8 70 nutriescapa.com 85.143.175.87, 49790, 49804, 80 TRADERSOFTRU Russian Federation 19->70 72 5.255.98.133, 49841, 49844, 80 LITESERVERNL Netherlands 19->72 74 9 other IPs or domains 19->74 52 C:\Users\user\AppData\Roaming\fbrcutt, PE32 19->52 dropped 54 C:\Users\user\AppData\Local\TempA0A.exe, PE32 19->54 dropped 56 C:\Users\user\AppData\Local\Temp\745B.exe, PE32 19->56 dropped 58 3 other malicious files 19->58 dropped 84 System process connects to network (likely due to code injection or exploit) 19->84 86 Benign windows process drops PE files 19->86 88 Deletes itself after installation 19->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->90 30 EA0A.exe 19->30         started        33 745B.exe 19->33         started        35 6007.exe 1 7 19->35         started        38 14A5.exe 2 19->38         started        40 conhost.exe 26->40         started        file9 signatures10 process11 file12 106 Detected unpacking (overwrites its own PE header) 30->106 108 Machine Learning detection for dropped file 30->108 110 Contains functionality to infect the boot sector 30->110 112 Multi AV Scanner detection for dropped file 33->112 46 C:\Windows\Temp\ghkiugqy.inf, Windows 35->46 dropped 48 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 35->48 dropped 114 Drops PE files to the startup folder 35->114 116 Drops PE files with benign system names 35->116 42 cmstp.exe 9 7 35->42         started        44 AdvancedRun.exe 35->44         started        50 C:\Users\user\AppData\...\SmartClock.exe, PE32 38->50 dropped signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9138cca62cdbce40d67a682428e47e1693bd4d5851cb94e288abeb685b7941d/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-11-06 22:12:05 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vejyzstczw6oidlhu2befdsh4futxvgvquolstrirk7lnbnxsqoq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0537e5b579951c5fcbd64fbf11bb1b0ea70bd9d7984896b5893ba64d06597d6a
RedLineStealer
218ae2e9ccd0d778ca78c7aa8e9fd7101819507d0f9da4bfbc40687063bd7fd4
RedLineStealer
42e7ef551c652a5e6f0ff919fcb53cd2c34682006cb1436295205a41abec6589
RedLineStealer
5eff7e99184b9c8352125aaf8aa9d72e33049c52dc4eb7a69d509da3e7004cb2
RedLineStealer
62f94256e7fc124c7292edefd8b589dad48601ff53d4058848b91a788a981e14
RedLineStealer
672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8
RedLineStealer
8999c280aca7419a8b6fe0be172723fb66f18fc1439fb2ffa463d9315b79535d
RedLineStealer
991e3c5fb9946ed0490a723a541bda0f36a9b94fff8a68f6729c15e1044dd954
RedLineStealer
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
RedLineStealer
+ 5'055 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/211106-14hfvsgab9/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Unpacked files
SH256 hash:
2d42354cb59833a247375928187032beead3c641520e36824fce6f48b126d8a6
MD5 hash:
38fa5abed729083474ad8e1084b03b6d
SHA1 hash:
707a3feb91f1242f57bdd9fb6b3852462b64a985
Link:
https://www.unpac.me/results/58e3ea92-d033-44c7-a84d-8ad77ea7cccf/
SH256 hash:
a9138cca62cdbce40d67a682428e47e1693bd4d5851cb94e288abeb685b7941d
MD5 hash:
41cfa9ac9a6cc4aaa22cf51ca47df385
SHA1 hash:
821d7b01912437d8884774089832ebc6c793a18b
Link:
https://www.unpac.me/results/58e3ea92-d033-44c7-a84d-8ad77ea7cccf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9138cca62cdbce40d67a682428e47e1693bd4d5851cb94e288abeb685b7941d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a9138cca62cdbce40d67a682428e47e1693bd4d5851cb94e288abeb685b7941d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1755713/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/202965/

Comments