MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc0f6fa48f1bc9ffae208185fd4e568385a67c40a92a12c4a1bd00ad7adbb4b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc0f6fa48f1bc9ffae208185fd4e568385a67c40a92a12c4a1bd00ad7adbb4b4
SHA3-384 hash: c9fedbb7a8cba2f3258fca8c74191d992d2e2d1703cbcf524168776281bf276548f6eb59fc077f209b97df2aedfd1a27
SHA1 hash: 9254593f03a506444c3d3e29a74c4cf028ca625c
MD5 hash: 5cc21139c643e1d2299cf569e4d0ff98
humanhash: oxygen-vermont-florida-bacon
File name:5cc21139c643e1d2299cf569e4d0ff98.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:269'824 bytes
First seen:2022-05-14 14:46:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 39920d3af3f36626420c1ff585e51162 (1 x Tofsee, 1 x RedLineStealer)
ssdeep 6144:ZWKAsHsEgEWJJBszjgX4993Q727QYCU9PoVYo:s9ZL/JJBKV9a7RyGV
Threatray 4'350 similar samples on MalwareBazaar
TLSH T1FA449E14BBA0D035F0B722F4497A8368B92D7EE19B2451CB62D53BEE56346E4EC3131B
TrID 39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
23.88.112.179:19536

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.88.112.179:19536 https://threatfox.abuse.ch/ioc/566948/

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270646/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Setting browser functions hooks
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17729/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed ransomware smokeloader tofsee
Link:
https://www.filescan.io/uploads/627fc0ffd06ea2f4a06b36cd/reports/552f8ff1-c890-4b17-a541-61b1828b7b5a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0867649-f08d-4a3d-bc53-0e1886527260
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994124
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 626620 Sample: mDsT9Powgi.exe Startdate: 14/05/2022 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Multi AV Scanner detection for domain / URL 2->56 58 Found malware configuration 2->58 60 8 other signatures 2->60 9 mDsT9Powgi.exe 2->9         started        12 bwiedhr 2->12         started        14 bwiedhr 2->14         started        process3 signatures4 82 Detected unpacking (changes PE section rights) 9->82 84 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->84 86 Maps a DLL or memory area into another process 9->86 16 explorer.exe 5 9->16 injected 88 Multi AV Scanner detection for dropped file 12->88 90 Machine Learning detection for dropped file 12->90 92 Checks if the current machine is a virtual machine (disk enumeration) 12->92 94 Creates a thread in another existing process (thread injection) 14->94 process5 dnsIp6 46 49.12.47.66, 49757, 80 HETZNER-ASDE Germany 16->46 48 happyday9risce.com 46.173.219.232, 49751, 49752, 49756 GARANT-PARK-INTERNETRU Russian Federation 16->48 50 motionberry999xerz.ru 16->50 38 C:\Users\user\AppData\Roaming\bwiedhr, PE32 16->38 dropped 40 C:\Users\user\AppData\Local\Temp\5A40.exe, PE32 16->40 dropped 42 C:\Users\user\...\bwiedhr:Zone.Identifier, ASCII 16->42 dropped 62 System process connects to network (likely due to code injection or exploit) 16->62 64 Benign windows process drops PE files 16->64 66 Injects code into the Windows Explorer (explorer.exe) 16->66 68 3 other signatures 16->68 21 explorer.exe 12 16->21         started        25 5A40.exe 1 3 16->25         started        28 Lrjaaawiu.exe 16->28         started        30 8 other processes 16->30 file7 signatures8 process9 dnsIp10 52 happyday9risce.com 21->52 70 System process connects to network (likely due to code injection or exploit) 21->70 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->72 74 Tries to steal Mail credentials (via file / registry access) 21->74 80 3 other signatures 21->80 44 C:\Users\user\AppData\...\Lrjaaawiu.exe, PE32 25->44 dropped 76 Multi AV Scanner detection for dropped file 25->76 78 Machine Learning detection for dropped file 25->78 32 cmd.exe 1 25->32         started        file11 signatures12 process13 process14 34 conhost.exe 32->34         started        36 timeout.exe 1 32->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc0f6fa48f1bc9ffae208185fd4e568385a67c40a92a12c4a1bd00ad7adbb4b4/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-09 03:42:39 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
34 of 41 (82.93%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zqhw7jepdpe77lraqgc72tswqoc2m7cavevbfrfbxuak26w3ws2a._file
Verdict:
malicious
Similar samples:
1f7d2fb2ea88483fb17e6df444dbd217ca203d8828d29d1c998cd007d1124dbc
RedLineStealer
450fe551f9989c51ae6b8ad556b22c4f34076f1cc61d2ffdfab5c55522d6e210
RedLineStealer
49c7ce5e90b5bce33ac0ea6f02d309e030e81462e290e83403048822e52b1500
RedLineStealer
aac5a9949dd50c434924869ec0ccdd28dacaf9729ba2cbf0744b3c9731b91010
RedLineStealer
b961d6795d7ceb3ea3cd00e037460958776a39747c8f03783d458b38daec8025
RedLineStealer
cc15573c85379c9dd96f926c62a62f402a95052ed65b616daf881e0dae9ee674
RedLineStealer
cdcb92f83216720f2d567392a6a4d9bc1b90b3f900b783934a402d310ae5ff46
RedLineStealer
d618d086cdfc61b69e6d93a13cea06e98ac2ad7d846f044990f2ce8305fe8d1b
RedLineStealer
+ 4'340 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor persistence spyware suricata trojan
Link:
https://tria.ge/reports/220514-r5vm5sacg6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://motionberry999xerz.ru/
http://happyday9risce.com/
http://kokihap7siexz3.com/
https://motionberry999xerz.ru/
https://happyday9risce.com/
https://kokihap7siexz3.com/
Gathering data
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc0f6fa48f1b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc0f6fa48f1bc9ffae208185fd4e568385a67c40a92a12c4a1bd00ad7adbb4b4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270646/

Comments