MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5633b8a534309364b874721936c306cd49e8aaff8a3ffb69ec4a6c9c71f0d17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5633b8a534309364b874721936c306cd49e8aaff8a3ffb69ec4a6c9c71f0d17
SHA3-384 hash: f60bf8f37648844a29d9f439399335bff713bedf5c4fa681e188d42c6f1fb862ea0275a9ec2ab0c763f0eac8d982c583
SHA1 hash: 19853a695caf46d6d21046f2483e6832cdbea18e
MD5 hash: 61781192a2ca877271b9506f67c5de14
humanhash: east-arkansas-louisiana-winter
File name:61781192a2ca877271b9506f67c5de14.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:342'528 bytes
First seen:2021-12-16 07:55:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bb8a39044d1acb8817ffc34236f365c (14 x RedLineStealer, 2 x ArkeiStealer, 1 x Tofsee)
ssdeep 6144:5VXnENJ3j3GLxkosOAibHdV5/kQejfR0iD:jXnaJ37GLxkosjibl/kQQt
Threatray 2'996 similar samples on MalwareBazaar
TLSH T145748C10A6E1C434E1F352F84AB6A37DB53F79A16B3490CF12D516EA5A786E0EC3130B
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.9.20.168:46257

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.168:46257 https://threatfox.abuse.ch/ioc/276355/

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.zip
Verdict:
Malicious activity
Analysis date:
2021-12-16 01:19:42 UTC
Tags:
evasion loader trojan opendir rat redline stealer vidar
Link:
https://app.any.run/tasks/d45d9345-4936-4e58-8777-33b63ad0a21b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
IcedID
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214450/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Searching for synchronization primitives
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2174/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61baf1156daa353fa3b4bd3d/reports/2e5dcdfb-6bb9-4674-a751-3d24b25342c4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49e8ab9b-90ef-4c28-9408-92278ec421b3
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908298
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 540776 Sample: 4fKNxuVfcg.exe Startdate: 16/12/2021 Architecture: WINDOWS Score: 100 27 rcacademy.at 2->27 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 9 other signatures 2->47 8 4fKNxuVfcg.exe 2->8         started        11 ubjisgd 2->11         started        signatures3 process4 signatures5 49 Detected unpacking (changes PE section rights) 8->49 51 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->51 53 Maps a DLL or memory area into another process 8->53 13 explorer.exe 4 8->13 injected 55 Machine Learning detection for dropped file 11->55 57 Checks if the current machine is a virtual machine (disk enumeration) 11->57 59 Creates a thread in another existing process (thread injection) 11->59 process6 dnsIp7 29 45.9.20.168, 46257, 49813, 49840 DEDIPATH-LLCUS Russian Federation 13->29 31 rcacademy.at 190.117.75.91, 49774, 49779, 49781 AmericaMovilPeruSACPE Peru 13->31 33 7 other IPs or domains 13->33 21 C:\Users\user\AppData\Roaming\ubjisgd, PE32 13->21 dropped 23 C:\Users\user\AppData\Local\Temp\1B4B.exe, PE32 13->23 dropped 25 C:\Users\user\...\ubjisgd:Zone.Identifier, ASCII 13->25 dropped 61 System process connects to network (likely due to code injection or exploit) 13->61 63 Benign windows process drops PE files 13->63 65 Deletes itself after installation 13->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->67 18 1B4B.exe 2 13->18         started        file8 signatures9 process10 signatures11 35 Detected unpacking (changes PE section rights) 18->35 37 Detected unpacking (overwrites its own PE header) 18->37 39 Machine Learning detection for dropped file 18->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5633b8a534309364b874721936c306cd49e8aaff8a3ffb69ec4a6c9c71f0d17/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-12-16 03:18:43 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yvrtxcstimetms4hi4qzg3bqntkj5cvp7cr77nu6ystmtry7bulq._file
Verdict:
malicious
Similar samples:
120fa0aa63598735bd316759edc1de341d089f391adf67b356039f1e706655e7
RedLineStealer
12acd7745d22a1b295e3fd96e3994a2a36d456df3cab6f3493942c79e942a43b
RedLineStealer
240ee6db893981a6dd47ffc0932dcf343d09517e8aebc07dc712e6745ee59a27
RedLineStealer
c27741b9e50da0c369b848179c9a4f9b0362b6d5e384055c6c72fc9667a270ec
RedLineStealer
c81c687949db0da1f1024238e01723a1145c5396e55bf81b5c154587b900ac4d
RedLineStealer
f207b081630595fb1b6d790e7c43ec89fe2ed88003026f5d0f9faf01c99673e2
RedLineStealer
+ 2'986 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:ww backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211216-jspmcsbde4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
45.9.20.168:46257
Unpacked files
SH256 hash:
fff1b918442d22465bb7b3303f0e6570623711de250a2ceb164ece2d1656233b
MD5 hash:
c8a39349b64ff5753fc8f10de5d3f7a8
SHA1 hash:
42fc1a3a257903eed416ca4342c6df0c906a40a0
Link:
https://www.unpac.me/results/bc6afcb2-7bf7-4b7a-9b6a-4a67177e5cdf/
SH256 hash:
c5633b8a534309364b874721936c306cd49e8aaff8a3ffb69ec4a6c9c71f0d17
MD5 hash:
61781192a2ca877271b9506f67c5de14
SHA1 hash:
19853a695caf46d6d21046f2483e6832cdbea18e
Link:
https://www.unpac.me/results/bc6afcb2-7bf7-4b7a-9b6a-4a67177e5cdf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5633b8a534309364b874721936c306cd49e8aaff8a3ffb69ec4a6c9c71f0d17

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c5633b8a534309364b874721936c306cd49e8aaff8a3ffb69ec4a6c9c71f0d17

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1868668/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214450/

Comments