MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa772eb8f63ee2f01eb2be3870e0c43515dc6538731bce99fcd9104ba948ef65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa772eb8f63ee2f01eb2be3870e0c43515dc6538731bce99fcd9104ba948ef65
SHA3-384 hash: edb107eb42af0e2e0301aa720050a0c8b3ab6cc1c80ac8df1c101acd61178230e77818e9aef81f877bd7edc1b6532243
SHA1 hash: a9ca687ddae5892698255bb41b3b64c429f32d30
MD5 hash: 99629a1f5888cf9ef2ddd7262d0af5d9
humanhash: monkey-football-papa-beryllium
File name:99629a1f5888cf9ef2ddd7262d0af5d9
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:312'320 bytes
First seen:2022-05-22 07:48:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b622727af5b269a1c94420afcaa28e75 (3 x RedLineStealer, 1 x TeamBot)
ssdeep 6144:jwV+mU9FB8zIACWPmVjPQCvRjUDr4CpKB48N2:j2wjyIANmVjPBJVCkF
Threatray 4'401 similar samples on MalwareBazaar
TLSH T142646C10BAA3D034F1B715F845758268B52EBFA1AB2750CB62D73AEE5A346D0EC30717
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.109.11.10:8599 https://threatfox.abuse.ch/ioc/624978/

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
99629a1f5888cf9ef2ddd7262d0af5d9
Verdict:
No threats detected
Analysis date:
2022-05-22 07:49:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/782def3c-6119-4fd8-afbc-d34b24997940

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273393/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for synchronization primitives
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19506/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6289eb05370bb1455cbd05e4/reports/15d78f2f-1ebe-4da6-aa68-9825a94e6de2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7985b070-905d-4c88-9900-5b363b2ee40f
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999280
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 631772 Sample: tChASEAYHo Startdate: 22/05/2022 Architecture: WINDOWS Score: 100 78 soapbeginshops.com 2->78 92 Snort IDS alert for network traffic 2->92 94 Multi AV Scanner detection for domain / URL 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 12 other signatures 2->98 11 tChASEAYHo.exe 2->11         started        14 srfuhtd 2->14         started        signatures3 process4 signatures5 118 Detected unpacking (changes PE section rights) 11->118 120 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->120 122 Maps a DLL or memory area into another process 11->122 16 explorer.exe 8 11->16 injected 124 Checks if the current machine is a virtual machine (disk enumeration) 14->124 126 Creates a thread in another existing process (thread injection) 14->126 process6 dnsIp7 72 happyday9risce.com 34.118.86.4, 49768, 49769, 49770 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 16->72 74 soapbeginshops.com 16->74 76 motionberry999xerz.ru 16->76 56 C:\Users\user\AppData\Roaming\srfuhtd, PE32 16->56 dropped 58 C:\Users\user\AppData\Local\Temp\D73C.exe, PE32 16->58 dropped 60 C:\Users\user\AppData\Local\Temp\C47E.exe, PE32 16->60 dropped 62 C:\Users\user\...\srfuhtd:Zone.Identifier, ASCII 16->62 dropped 84 System process connects to network (likely due to code injection or exploit) 16->84 86 Benign windows process drops PE files 16->86 88 Injects code into the Windows Explorer (explorer.exe) 16->88 90 3 other signatures 16->90 21 D73C.exe 18 43 16->21         started        26 explorer.exe 8 16->26         started        28 C47E.exe 2 16->28         started        30 7 other processes 16->30 file8 signatures9 process10 dnsIp11 80 soapbeginshops.com 21->80 64 C:\Users\user\Desktop64EBFQQYWPS.exe, PE32 21->64 dropped 66 C:\Users\user\Desktop\MXPXCVPDVN.exe, PE32 21->66 dropped 68 C:\Users\user\Desktop\LSBIHQFDVT.exe, PE32 21->68 dropped 70 32 other files (25 malicious) 21->70 dropped 100 Machine Learning detection for dropped file 21->100 32 unarchiver.exe 21->32         started        82 happyday9risce.com 26->82 102 System process connects to network (likely due to code injection or exploit) 26->102 104 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->104 106 Tries to steal Mail credentials (via file / registry access) 26->106 116 3 other signatures 26->116 108 Antivirus detection for dropped file 28->108 110 Writes to foreign memory regions 28->110 112 Allocates memory in foreign processes 28->112 114 Injects a PE file into a foreign processes 28->114 34 cmd.exe 1 28->34         started        36 InstallUtil.exe 28->36         started        38 InstallUtil.exe 28->38         started        40 InstallUtil.exe 28->40         started        file12 signatures13 process14 process15 42 cmd.exe 32->42         started        44 7za.exe 32->44         started        46 conhost.exe 34->46         started        48 timeout.exe 1 34->48         started        process16 50 conhost.exe 42->50         started        52 powershell.exe 42->52         started        54 conhost.exe 44->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa772eb8f63ee2f01eb2be3870e0c43515dc6538731bce99fcd9104ba948ef65/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-22 00:39:55 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vj3s5ohwh3rpahvsxy4hbygeguk5yzjyomn45gp43eiexkki55sq._file
Verdict:
malicious
Similar samples:
1f7d2fb2ea88483fb17e6df444dbd217ca203d8828d29d1c998cd007d1124dbc
RedLineStealer
49c7ce5e90b5bce33ac0ea6f02d309e030e81462e290e83403048822e52b1500
RedLineStealer
7a71c46f5f6f27776603ee0de69e6eb83364942d8af0c16f5b54c14d7faba136
RedLineStealer
81162cf2b42e4eac915924af3619432a854f9ee5f587501a647403b8681f8b04
RedLineStealer
aac5a9949dd50c434924869ec0ccdd28dacaf9729ba2cbf0744b3c9731b91010
RedLineStealer
b961d6795d7ceb3ea3cd00e037460958776a39747c8f03783d458b38daec8025
RedLineStealer
cc0f6fa48f1bc9ffae208185fd4e568385a67c40a92a12c4a1bd00ad7adbb4b4
RedLineStealer
d618d086cdfc61b69e6d93a13cea06e98ac2ad7d846f044990f2ce8305fe8d1b
RedLineStealer
+ 4'391 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:camp1 backdoor infostealer spyware trojan
Link:
https://tria.ge/reports/220522-jnnt9scfhq/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://motionberry999xerz.ru/
http://happyday9risce.com/
http://kokihap7siexz3.com/
https://motionberry999xerz.ru/
https://happyday9risce.com/
https://kokihap7siexz3.com/
65.109.11.10:8599
Unpacked files
SH256 hash:
fdcc84c80c8260fe57c28e701d9137d89618a727044e989ac93703bb1397c498
MD5 hash:
27dcf2d9fca102d2f1f92b1f6c8385d0
SHA1 hash:
d10d2ba16045cac1a6757d207916ac34fb77a223
Link:
https://www.unpac.me/results/24b86ecf-4ec6-4803-92db-ad573d9c3c63/
SH256 hash:
aa772eb8f63ee2f01eb2be3870e0c43515dc6538731bce99fcd9104ba948ef65
MD5 hash:
99629a1f5888cf9ef2ddd7262d0af5d9
SHA1 hash:
a9ca687ddae5892698255bb41b3b64c429f32d30
Link:
https://www.unpac.me/results/24b86ecf-4ec6-4803-92db-ad573d9c3c63/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa772eb8f63e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa772eb8f63ee2f01eb2be3870e0c43515dc6538731bce99fcd9104ba948ef65

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe aa772eb8f63ee2f01eb2be3870e0c43515dc6538731bce99fcd9104ba948ef65

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/273393/
  
URLhaus
https://urlhaus.abuse.ch/url/2206383/

Comments


Avatar
zbet commented on 2022-05-22 07:48:49 UTC

url : hxxp://soapbeginshops.com/tel.exe