MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b46fa39b04cb5928c3dd9c1bbcbd9008401d98faff5e42115102b00c60fbd486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 3 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b46fa39b04cb5928c3dd9c1bbcbd9008401d98faff5e42115102b00c60fbd486
SHA3-384 hash: 16ba608e77e830fe11608710bb2752c633d537ed7001905616433c5b7fda1fc4c3cd29c02b4e8622cf46c15d47077d08
SHA1 hash: 75e3c148d38cdb578efbf24ad574ac31300d190d
MD5 hash: 82c0c2e4672fba954a0482ac24e02498
humanhash: high-ack-sodium-chicken
File name:82c0c2e4672fba954a0482ac24e02498
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:154'624 bytes
First seen:2021-08-20 14:37:59 UTC
Last seen:2021-08-20 17:56:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a84fa8c5c9d81b30cf439f0d2b7f422b (7 x RedLineStealer, 4 x RaccoonStealer, 2 x Smoke Loader)
ssdeep 1536:k0vfX+0b2D9hwdmF/I4d++wgz/zmXQj3bbidSRk1ZOQuye+03ZzABFnLFBMK486:OnTjsPaaXQXbNRk1ZOCvMZzgFnLmX
Threatray 5'528 similar samples on MalwareBazaar
TLSH T1AFE3BED175B1C4B3D09249314861CAF0663AF9636EA096433F5B235E1EB12D0DF2AFA7
dhash icon 1072c292b0381802 (7 x RedLineStealer, 7 x RaccoonStealer, 2 x Stop)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.140.147.35/ https://threatfox.abuse.ch/ioc/192382/
51.254.68.139:8067 https://threatfox.abuse.ch/ioc/192437/
65.21.141.215:8374 https://threatfox.abuse.ch/ioc/192438/

Intelligence

File Origin
# of uploads :
3
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
82c0c2e4672fba954a0482ac24e02498
Verdict:
Suspicious activity
Analysis date:
2021-08-20 14:40:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e8c391a-5113-4805-9070-2c77d63c2cbb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180968/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.9685.1483.987.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Searching for analyzing tools
Searching for the window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2677329-07dd-4339-b007-0311ab7cfbc0
Result
Threat name:
Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836473
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 468911 Sample: KYZ13aLo8k Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 62 readinglistforaugust1.xyz 2->62 64 api.ip.sb 2->64 70 Multi AV Scanner detection for domain / URL 2->70 72 Antivirus detection for URL or domain 2->72 74 System process connects to network (likely due to code injection or exploit) 2->74 76 13 other signatures 2->76 10 KYZ13aLo8k.exe 2->10         started        13 gjdueui 2->13         started        signatures3 process4 signatures5 106 Detected unpacking (changes PE section rights) 10->106 15 KYZ13aLo8k.exe 10->15         started        108 Machine Learning detection for dropped file 13->108 18 gjdueui 13->18         started        process6 signatures7 110 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->110 112 Maps a DLL or memory area into another process 15->112 114 Checks if the current machine is a virtual machine (disk enumeration) 15->114 20 explorer.exe 21 15->20 injected 116 Creates a thread in another existing process (thread injection) 18->116 process8 dnsIp9 66 readinglistforaugust1.xyz 95.213.224.6, 49749, 49763, 80 SELECTELRU Russian Federation 20->66 68 192.168.2.1 unknown unknown 20->68 50 C:\Users\user\AppData\Roaming\gjdueui, PE32 20->50 dropped 52 C:\Users\user\AppData\Local\Temp\D09E.exe, PE32 20->52 dropped 54 C:\Users\user\AppData\Local\Temp\C3EB.exe, PE32 20->54 dropped 56 8 other malicious files 20->56 dropped 78 Benign windows process drops PE files 20->78 80 Performs DNS queries to domains with low reputation 20->80 82 Deletes itself after installation 20->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->84 25 7BF8.exe 15 3 20->25         started        28 AEFA.exe 20->28         started        30 8B72.exe 3 20->30         started        32 6 other processes 20->32 file10 signatures11 process12 dnsIp13 86 Multi AV Scanner detection for dropped file 25->86 88 Query firmware table information (likely to detect VMs) 25->88 90 Machine Learning detection for dropped file 25->90 92 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->92 36 conhost.exe 25->36         started        94 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->94 96 Hides threads from debuggers 28->96 98 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->98 38 conhost.exe 28->38         started        40 conhost.exe 30->40         started        58 45.140.147.35, 49766, 80 SYNLINQsynlinqdeDE United Kingdom 32->58 60 telete.in 195.201.225.248, 443, 49764 HETZNER-ASDE Germany 32->60 48 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 32->48 dropped 100 Tries to harvest and steal browser information (history, passwords, etc) 32->100 102 Sample uses process hollowing technique 32->102 104 Injects a PE file into a foreign processes 32->104 42 70DB.exe 2 32->42         started        44 conhost.exe 32->44         started        46 conhost.exe 32->46         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b46fa39b04cb5928c3dd9c1bbcbd9008401d98faff5e42115102b00c60fbd486/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-20 14:38:06 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wrx2hgyeznmsrq65tqn3zpmqbbab3gh275peeekrakyayyh32sda._file
Verdict:
suspicious
Similar samples:
0192b858039b3182dfd17ce582c9398dc1495566082de0f6a76279585bacf8e5
RedLineStealer
0ef8e97b174862177771e0f42373530de7356883781cd0c498ac950dd2748835
RedLineStealer
11d175a08e1f4fc351af4e4c2c0549168d4c235a497f3bc1f278e8cb46b972e1
RedLineStealer
1a471836c805bbee8b08512c7a813aa00c5df6dcb11888d39bf652afb7ab36f6
RedLineStealer
341affdc32c116eeac3bc8af74eeec475feb728b9bc8a56a4b35ad4755707d5e
RedLineStealer
39894026621d1c5fabeca0fe3b0ba3fe2e97d99e17d50227ead4ac7c64ee080c
RedLineStealer
78f958d430a4dec84e4126958d0bde722beab77f03f1ecd733ba94827997dec7
RedLineStealer
8a0c92492986fc6dde9450672a3f76d05beee65f95b997a7866c7bba341bbaa2
RedLineStealer
a19317b14abc6d4c1294aaaeab29d0ada023dffa37025c839671c193a74fd519
RedLineStealer
+ 5'518 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:#mix 19.08 botnet:777 botnet:blacks1 botnet:fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion infostealer spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210820-2czwr297fn/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
51.254.68.139:8067
gophamanapr.site:80
135.148.139.222:33569
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/6c13f1ef-0261-470b-b347-3800a6e9a49e/
SH256 hash:
b46fa39b04cb5928c3dd9c1bbcbd9008401d98faff5e42115102b00c60fbd486
MD5 hash:
82c0c2e4672fba954a0482ac24e02498
SHA1 hash:
75e3c148d38cdb578efbf24ad574ac31300d190d
Link:
https://www.unpac.me/results/6c13f1ef-0261-470b-b347-3800a6e9a49e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b46fa39b04cb5928c3dd9c1bbcbd9008401d98faff5e42115102b00c60fbd486

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b46fa39b04cb5928c3dd9c1bbcbd9008401d98faff5e42115102b00c60fbd486

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180968/
  
URLhaus
https://urlhaus.abuse.ch/url/1549209/

Comments


Avatar
zbet commented on 2021-08-20 14:37:59 UTC

url : hxxp://thedownloadprivacytools.club/downloads/toolspab2.exe