MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c631cb26f2e253d64adb3caf2ef5f15930caf089a6dc9fa7e0ac2e9512cd57d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs 1 YARA File information Comments

SHA256 hash:	c631cb26f2e253d64adb3caf2ef5f15930caf089a6dc9fa7e0ac2e9512cd57d3
SHA3-384 hash:	413cb84ea8d12dab395784d971f4472f34fe450e842ca5aea3edfec362277a909eff6310d71cb626529a404e97ef768b
SHA1 hash:	25c17db05b9349749659e5b709c06acc1b156505
MD5 hash:	de17db0528befd61dc23638a2ba135c8
humanhash:	mobile-kilo-september-paris
File name:	de17db0528befd61dc23638a2ba135c8.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	249'856 bytes
First seen:	2021-09-25 10:15:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a738f70ddfe8b728e3a778b20cdcc17b (3 x RaccoonStealer, 2 x RedLineStealer, 2 x ArkeiStealer)
ssdeep	6144:lZZQBMaLy2W8E76aP7VAuStuGDRjFrG7O:jZ+Ly2W8EmSAuM1
Threatray	4'595 similar samples on MalwareBazaar
TLSH	T176349E20B7A0C035F2F752F849B993A8A93E7E719B3490CB62D616EE16346E4DD31347
File icon (PE):
dhash icon	ead8a89cc6a68ee0 (12 x RedLineStealer, 3 x RaccoonStealer, 3 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.29:18087

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.29:18087	https://threatfox.abuse.ch/ioc/226441/

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

de17db0528befd61dc23638a2ba135c8.exe

Verdict:

No threats detected

Analysis date:

2021-09-25 10:18:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0bad932c-9f92-454c-9bf0-86686537d73c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/191499/

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1cbd4f76-1f4d-4b8f-945f-9d3f1ae69c40

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/857936

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c631cb26f2e253d64adb3caf2ef5f15930caf089a6dc9fa7e0ac2e9512cd57d3/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2021-09-20 02:37:00 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yyy4wjxs4jj5msw3hsxs55prleymv4eju3oj7j7avqxjkewnk7jq._file

Verdict:

malicious

RedLineStealer

296cb7c456c55688de080e9940722307f1ee92acbfec61696e21ec985794a3ff

RedLineStealer

5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96

RedLineStealer

91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9

RedLineStealer

9f154115fa8045aa05f15f7cd1de9623ebe32e8ea400279ecb5dfa3596952e3b

RedLineStealer

dcf60583940d9683d950022fc0ff511ea3a7364b728635eb904d28460200dd98

RedLineStealer

e0caf6fb02b0ef2bd64b0e04e1793a502b4a3b350a5be41c1baea88842530383

RedLineStealer

edf6beb88780fb3085332f843b73418f52bbf095265dad631cf8e187644cb565

RedLineStealer

+ 4'585 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/210925-mat1xaback/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/