MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab8c7a4d60db36aa57fd21a8fbbf5d8229cce4d3ffd8e3ab7c9c0832e446e725. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	ab8c7a4d60db36aa57fd21a8fbbf5d8229cce4d3ffd8e3ab7c9c0832e446e725
SHA3-384 hash:	6308ccb2937f5498658b906f5fdc30eb98cf26165cae28d9972945fcb101fb678d6a6331e09935ccc3d713b8aacebf64
SHA1 hash:	2446b6920faf88bf9198b444fdb3b52ded7cf475
MD5 hash:	97091c5988d5581df6ef51ab3ec59066
humanhash:	earth-red-rugby-robert
File name:	97091c5988d5581df6ef51ab3ec59066.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	189'952 bytes
First seen:	2022-03-05 19:10:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fdc337a25282d3662375292d95cfcd8b (3 x RedLineStealer, 1 x Smoke Loader)
ssdeep	3072:puK8LWz5xCJisN5g4JboP6NHneaQbTc0GC+LTnRgos0J3:QK8L4y+4JsP6de9bAdT254
Threatray	7'523 similar samples on MalwareBazaar
TLSH	T138049F1031E5C032D1A715364474C7F94EBBB8A61A762A8FBFC42BBE5F256E1973430A
File icon (PE):
dhash icon	d2b1e4d4e4b9c7f9 (5 x RedLineStealer, 2 x Stealc, 1 x Amadey)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.66:26416

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.66:26416	https://threatfox.abuse.ch/ioc/392582/

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/247580/

Detection(s):

Win.Malware.Generic-9937750-0

Win.Dropper.Tofsee-9937828-0

Win.Dropper.Tofsee-9937829-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP POST request

Sending a custom TCP request

Sending an HTTP GET request

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8322/overview

Behaviour

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9ecc874d-3c6d-40e1-baa3-c73812eea907

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/951266

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab8c7a4d60db36aa57fd21a8fbbf5d8229cce4d3ffd8e3ab7c9c0832e446e725/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2022-03-04 10:35:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=voghutla3m3kuv75egupxp25qiu4zzgt77mohk34tqedfzcg44sq._file

Verdict:

malicious

RedLineStealer

48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800

RedLineStealer

538d3533398c3f0adbd59483ced973cf35803de5e9356e8dafb5f6bea4049a30

RedLineStealer

55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb

RedLineStealer

7b24f14ce1d2cb622d41c4f8b6fe23edb1471ede00b0b0e8c6c37d8379f5f58a

RedLineStealer

9b031ce5a98e281a6c59d198e443653c2c873b416f597e85433754dd962ac816

RedLineStealer

b1516cc28d0e6e3f77a8eadd2a7fda7daf746e0a7b27088e016519baf8de0338

RedLineStealer

+ 7'513 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor suricata trojan

Link:

https://tria.ge/reports/220305-xvyjyaafgp/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Deletes itself

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

SmokeLoader

suricata: ET MALWARE Danabot Key Exchange Request

Malware Config

C2 Extraction:

http://dollybuster.at/upload/
http://spaldingcompanies.com/upload/
http://remik-franchise.ru/upload/
http://fennsports.com/upload/
http://am1420wbec.com/upload/
http://islamic-city.com/upload/
http://egsagl.com/upload/
http://mordo.ru/upload/
http://piratia-life.ru/upload/

Unpacked files

SH256 hash:

deb096ef5410cfed2d9459b6b28b6dee42d1dee38456cfd77f071fb64b269410

MD5 hash:

4b2fb9ab2cd9c067d0b7550a3be87f4e

SHA1 hash:

919f66f587f82177355c0840aea4a0eb79531aaa

Link:

https://www.unpac.me/results/60df3e08-f232-4a6d-b58e-b3af1c4f206b/

SH256 hash:

ab8c7a4d60db36aa57fd21a8fbbf5d8229cce4d3ffd8e3ab7c9c0832e446e725

MD5 hash:

97091c5988d5581df6ef51ab3ec59066

SHA1 hash:

2446b6920faf88bf9198b444fdb3b52ded7cf475

Link:

https://www.unpac.me/results/60df3e08-f232-4a6d-b58e-b3af1c4f206b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ab8c7a4d60db36aa57fd21a8fbbf5d8229cce4d3ffd8e3ab7c9c0832e446e725

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/247580/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample