MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c935bb8aeb42e612d50cf1290ba04e50d2c5c2d312d788f399d334165c7b2f04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c935bb8aeb42e612d50cf1290ba04e50d2c5c2d312d788f399d334165c7b2f04
SHA3-384 hash: 8fced8e08aa134df4a23b2ee12ea5dbc3bd884a155033c5553d44016014dac527c9a7bcfa20873a329d0c4d6af09e50a
SHA1 hash: 3fbc09448b096a5505bb8d4ea6f7433bb3fc1f69
MD5 hash: d66d2a07e9201ccf004f531f0226c857
humanhash: mockingbird-purple-red-indigo
File name:d66d2a07e9201ccf004f531f0226c857.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:260'096 bytes
First seen:2021-11-08 09:15:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d65fd1d21865226dce1f880ff10ff6f8 (9 x RedLineStealer)
ssdeep 6144:RTAybR+X45KIrTxetuzbgwu6L7ITsqSigaTwVf:JAHXmKIrwtunnn7s
Threatray 7'640 similar samples on MalwareBazaar
TLSH T140448CF076D8C878D0932E304CA5EAA41A3BF861F4205166F676675E9E73BCC85E131E
File icon (PE):PE icon
dhash icon fcfcf4d4d4d4d8c8 (12 x RedLineStealer, 9 x RaccoonStealer, 2 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.29:1102

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.29:1102 https://threatfox.abuse.ch/ioc/244872/

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-11-08 05:14:50 UTC
Tags:
evasion trojan loader opendir rat redline stealer raccoon formbook danabot
Link:
https://app.any.run/tasks/7c729cd7-dd92-4e3e-ac8e-91fe4230fc0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/203209/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.9878.29998.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet greyware lockbit packed virus
Link:
https://www.filescan.io/uploads/6188ead4d8143ea269ce68ec/reports/02848a04-290a-40b6-8440-ca396617d31c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b17611b-25de-4cc8-8a1f-b3be85fce960
Result
Threat name:
Clipboard Hijacker SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885113
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Clipboard Hijacker
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 517590 Sample: O6CxbcsRy1.exe Startdate: 08/11/2021 Architecture: WINDOWS Score: 100 47 misha.at 2->47 57 Found malware configuration 2->57 59 Antivirus detection for URL or domain 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 8 other signatures 2->63 9 O6CxbcsRy1.exe 2->9         started        12 rufethr 2->12         started        14 SmartClock.exe 2->14         started        signatures3 process4 signatures5 71 Detected unpacking (changes PE section rights) 9->71 73 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->73 75 Maps a DLL or memory area into another process 9->75 16 explorer.exe 2 9->16 injected 77 Machine Learning detection for dropped file 12->77 79 Checks if the current machine is a virtual machine (disk enumeration) 12->79 81 Creates a thread in another existing process (thread injection) 12->81 process6 dnsIp7 41 nutriescapa.com 85.143.175.87, 49820, 49857, 80 TRADERSOFTRU Russian Federation 16->41 43 misha.at 61.36.14.230, 49756, 49757, 49819 LGDACOMLGDACOMCorporationKR Korea Republic of 16->43 45 8 other IPs or domains 16->45 31 C:\Users\user\AppData\Roaming\rufethr, PE32 16->31 dropped 33 C:\Users\user\AppData\Local\Temp\9F12.exe, PE32 16->33 dropped 35 C:\Users\user\AppData\Local\Temp\1A9F.exe, PE32 16->35 dropped 37 C:\Users\user\...\rufethr:Zone.Identifier, ASCII 16->37 dropped 49 System process connects to network (likely due to code injection or exploit) 16->49 51 Benign windows process drops PE files 16->51 53 Deletes itself after installation 16->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->55 21 1A9F.exe 4 16->21         started        25 9F12.exe 16->25         started        27 SmartClock.exe 16->27         started        file8 signatures9 process10 file11 39 C:\Users\user\AppData\...\SmartClock.exe, PE32 21->39 dropped 65 Detected unpacking (changes PE section rights) 21->65 67 Detected unpacking (overwrites its own PE header) 21->67 69 Machine Learning detection for dropped file 21->69 29 SmartClock.exe 21->29         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c935bb8aeb42e612d50cf1290ba04e50d2c5c2d312d788f399d334165c7b2f04/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-08 08:39:39 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ze23xcxliltbfvim6euqxicokdjmlqwtcllyr44z2m2bmxd3f4ca._file
Verdict:
malicious
Similar samples:
1a6f0d3cc3199df98797c474feea4c7e415dc1144f06e1fd04529fe363fe9010
RedLineStealer
1e5296130fabed3cedc5762615f59bc3c803698b3c68ffdb1f69dccf31994c60
RedLineStealer
3f19653a117fe3c7b00b53a2ac212503b2d4a0d4650a2e95788d2b2b5cc7a981
RedLineStealer
8999c280aca7419a8b6fe0be172723fb66f18fc1439fb2ffa463d9315b79535d
RedLineStealer
a3845d760f3394981f0e9b2330c279db0534befaaa17c67ded9b3dbd7b9e608f
RedLineStealer
fd3c9f2f464842f920343e549ec0f047c97a388de21d05725a5e8e3a0c845b68
RedLineStealer
+ 7'630 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/211108-k8f6labfb8/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Unpacked files
SH256 hash:
2d42354cb59833a247375928187032beead3c641520e36824fce6f48b126d8a6
MD5 hash:
38fa5abed729083474ad8e1084b03b6d
SHA1 hash:
707a3feb91f1242f57bdd9fb6b3852462b64a985
Link:
https://www.unpac.me/results/22b7fa21-dbcf-4c8a-8675-d69b904e77ec/
SH256 hash:
c935bb8aeb42e612d50cf1290ba04e50d2c5c2d312d788f399d334165c7b2f04
MD5 hash:
d66d2a07e9201ccf004f531f0226c857
SHA1 hash:
3fbc09448b096a5505bb8d4ea6f7433bb3fc1f69
Link:
https://www.unpac.me/results/22b7fa21-dbcf-4c8a-8675-d69b904e77ec/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c935bb8aeb42/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c935bb8aeb42e612d50cf1290ba04e50d2c5c2d312d788f399d334165c7b2f04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c935bb8aeb42e612d50cf1290ba04e50d2c5c2d312d788f399d334165c7b2f04

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1755713/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/203209/

Comments