MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c32e1c3a33301d87184de9f35213c1fc8afb4e3b22302c386644769fa97e91a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c32e1c3a33301d87184de9f35213c1fc8afb4e3b22302c386644769fa97e91a3
SHA3-384 hash: 7168620c9e090e77d9581aac9eed2ea6c850a4a837e8b94e856ccd30d6c35a16af66d1a80da22cc7f3903b6b66db3048
SHA1 hash: 601d4e33b984081b87f5005dfc11e6d01ec8d7db
MD5 hash: f5ab948a2961b8685e7e9b853c8a9c79
humanhash: gee-diet-alanine-cup
File name:f5ab948a2961b8685e7e9b853c8a9c79.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:260'608 bytes
First seen:2021-11-19 08:36:33 UTC
Last seen:2021-11-19 10:34:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d70bc49b69ed161a14a94b46f9abf02 (1 x RedLineStealer, 1 x TeamBot, 1 x ArkeiStealer)
ssdeep 3072:G0Npy7ybSTRLavDRlFZKS+tipqgY8CVvpykA4kKapRfO38AoU+5DI2huqypX/tif:tSEtcS/q3VxyFLTfO3n+lHbyCHO8WU
Threatray 2'420 similar samples on MalwareBazaar
TLSH T147448D10BBA0C034F1F716F849BA93A8B93F7AB16B7494CB52D516EA46356D0EC3035B
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.216.168.100:38784

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.216.168.100:38784 https://threatfox.abuse.ch/ioc/250769/

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f5ab948a2961b8685e7e9b853c8a9c79.exe
Verdict:
No threats detected
Analysis date:
2021-11-19 09:23:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2a988e95-06a3-45cc-8b8e-c98e44ce7b9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38062252.17417.13557.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Reading critical registry keys
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/619762314912a8c920a3865e/reports/a3272e59-764a-4f06-8d14-5363556d1a08/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a184fb0-7145-4366-960d-39e250fc6229
Result
Threat name:
Clipboard Hijacker Raccoon RedLine Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892553
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 525023 Sample: zc61Bv3Ql5.exe Startdate: 19/11/2021 Architecture: WINDOWS Score: 100 57 91.219.236.162, 80 SERVERASTRA-ASHU Hungary 2->57 59 rsuehfidvdkfvk.top 2->59 61 gululugu.zzz.com.ua 2->61 71 Antivirus detection for URL or domain 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Detected unpacking (changes PE section rights) 2->75 77 15 other signatures 2->77 10 zc61Bv3Ql5.exe 2->10         started        13 fujwagi 2->13         started        15 atjwagi 2->15         started        17 2 other processes 2->17 signatures3 process4 signatures5 119 Detected unpacking (changes PE section rights) 10->119 121 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->121 123 Maps a DLL or memory area into another process 10->123 19 explorer.exe 8 10->19 injected 125 Multi AV Scanner detection for dropped file 13->125 127 Machine Learning detection for dropped file 13->127 129 Checks if the current machine is a virtual machine (disk enumeration) 13->129 131 Creates a thread in another existing process (thread injection) 15->131 process6 dnsIp7 63 154.16.148.95, 49801, 49809, 49854 ASDETUKhttpwwwheficedcomGB South Africa 19->63 65 189.165.53.172, 49788, 49829, 49851 UninetSAdeCVMX Mexico 19->65 67 10 other IPs or domains 19->67 49 C:\Users\user\AppData\Roaming\fujwagi, PE32 19->49 dropped 51 C:\Users\user\AppData\Roaming\atjwagi, PE32 19->51 dropped 53 C:\Users\user\AppData\Local\Temp\DFDD.exe, PE32 19->53 dropped 55 8 other malicious files 19->55 dropped 85 System process connects to network (likely due to code injection or exploit) 19->85 87 Benign windows process drops PE files 19->87 89 Deletes itself after installation 19->89 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->91 24 12DE.exe 4 19->24         started        27 C1F4.exe 5 19->27         started        30 DFDD.exe 19->30         started        32 4 other processes 19->32 file8 signatures9 process10 dnsIp11 93 DLL reload attack detected 24->93 95 Machine Learning detection for dropped file 24->95 97 Adds a directory exclusion to Windows Defender 24->97 35 12DE.exe 24->35         started        39 powershell.exe 24->39         started        69 185.215.113.29, 1102, 49849 WHOLESALECONNECTIONSNL Portugal 27->69 99 Detected unpacking (overwrites its own PE header) 27->99 101 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->101 103 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->103 105 Tries to harvest and steal browser information (history, passwords, etc) 27->105 107 Detected unpacking (changes PE section rights) 30->107 109 Maps a DLL or memory area into another process 30->109 117 2 other signatures 30->117 45 C:\Users\user\AppData\...\SmartClock.exe, PE32 32->45 dropped 111 Multi AV Scanner detection for dropped file 32->111 113 Contains functionality to infect the boot sector 32->113 115 Delayed program exit found 32->115 41 SmartClock.exe 32->41         started        file12 signatures13 process14 file15 47 C:\Users\user\AppData\Local\Temp\4C05.tmp, PE32 35->47 dropped 79 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 35->79 81 Renames NTDLL to bypass HIPS 35->81 83 Checks if the current machine is a virtual machine (disk enumeration) 35->83 43 conhost.exe 39->43         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c32e1c3a33301d87184de9f35213c1fc8afb4e3b22302c386644769fa97e91a3/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2021-11-19 08:37:09 UTC
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ymxbyortgaoyogcn5hzvee6b7sfpwtr3eiycyodgir3j7kl6sgrq._file
Verdict:
malicious
Similar samples:
01b0a6964c024dc6222295c8dea83ff4f833792a1276a10fa760d3a204b83d5d
RedLineStealer
1a29c124140577582e8c984933fab06675d52c40b8e461866154a44f4fece199
RedLineStealer
4ad86f977388353d9c4af78a53d546182497ffdb977d3fb68ebd781ea6ffb46a
RedLineStealer
7dab1f684aec2df9de6144f4e14381245275e9d659152d5f40a437f1c1ec3758
RedLineStealer
946f111acee62af04c9b67628cc68a4630f1a0c0f70240f7d89821deeafe85cf
RedLineStealer
a9feed41ad2265e4c8a14047a8e95fa634b0ce8a99f7fad810b3294dd5720e7f
RedLineStealer
ac8697711f5fa68084b2c122a9907ab845aff81592d4d1b86bb8d269357b66e2
RedLineStealer
eac7ad1a557e26c8be44b8d3f223a764b07f346f8f7037df3614be67edeb644b
RedLineStealer
f6c10cababdca8d6de20f8977489182b31ce24bb2ac9399965d32cedf0f526fe
RedLineStealer
+ 2'410 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/211119-kh522ahgdj/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Deletes itself
Drops startup file
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
Unpacked files
SH256 hash:
38b50520397a48d6dc0044fb2aca06b6789cfbe921488422471eab7def65e820
MD5 hash:
67c9034e01a3a23f977b8aa138e88b57
SHA1 hash:
e430b48053c15d914edc1eca59be4964292648c2
Link:
https://www.unpac.me/results/a2b8390d-6221-44d9-bf88-fda6578fad44/
SH256 hash:
c32e1c3a33301d87184de9f35213c1fc8afb4e3b22302c386644769fa97e91a3
MD5 hash:
f5ab948a2961b8685e7e9b853c8a9c79
SHA1 hash:
601d4e33b984081b87f5005dfc11e6d01ec8d7db
Link:
https://www.unpac.me/results/a2b8390d-6221-44d9-bf88-fda6578fad44/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c32e1c3a3330/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c32e1c3a33301d87184de9f35213c1fc8afb4e3b22302c386644769fa97e91a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c32e1c3a33301d87184de9f35213c1fc8afb4e3b22302c386644769fa97e91a3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1799142/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207545/

Comments