MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852
SHA3-384 hash: 2d63d1b7b4043ba54ea763bf809b58bf55d66ef731c5b817484b9843465273277ff82f1edce71fc7913354426c9aecd9
SHA1 hash: fa20a09d326cb5b6555e0aeb060a37b144e93fc9
MD5 hash: 21419922ebad4c6331fe31528ca62a29
humanhash: glucose-lactose-california-nitrogen
File name:21419922ebad4c6331fe31528ca62a29.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:131'584 bytes
First seen:2021-09-27 15:32:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 26b2a22c1afb78875d9384441bc03abe (4 x ArkeiStealer, 4 x RedLineStealer, 2 x Stop)
ssdeep 3072:p5qyy+GbVOoGaNB0dpS/kuqfPxBzvcrz:pUBsYB0pcqfJBw
Threatray 1'660 similar samples on MalwareBazaar
TLSH T180D3BFE178E0D432D7071931482AC7F1663FBE31DF26566737B8264F5F302A19A263A6
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.92.74.142:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.92.74.142:80 https://threatfox.abuse.ch/ioc/227056/

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5294047117869056.zip
Verdict:
Malicious activity
Analysis date:
2021-09-27 14:21:42 UTC
Tags:
trojan rat redline stealer vidar loader evasion
Link:
https://app.any.run/tasks/00f12d98-4c44-4d4f-8b75-03f0f9bf8793

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192180/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.30600.8685.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/77b64b39-3328-4613-937e-43e674e073ae
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859125
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491561 Sample: 7kDS0NWm3l.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 57 94.26.228.204, 32917, 49791 PTC-YEMENNETYE Russian Federation 2->57 59 s3-w.us-east-1.amazonaws.com 2->59 61 7 other IPs or domains 2->61 71 Antivirus detection for URL or domain 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 8 other signatures 2->77 10 7kDS0NWm3l.exe 2->10         started        13 uiesfgc 2->13         started        15 svchost.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 95 Detected unpacking (changes PE section rights) 10->95 97 Contains functionality to inject code into remote processes 10->97 99 Injects a PE file into a foreign processes 10->99 20 7kDS0NWm3l.exe 10->20         started        101 Multi AV Scanner detection for dropped file 13->101 23 uiesfgc 13->23         started        103 Changes security center settings (notifications, updates, antivirus, firewall) 15->103 53 127.0.0.1 unknown unknown 17->53 55 192.168.2.1 unknown unknown 17->55 signatures6 process7 signatures8 87 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->87 89 Maps a DLL or memory area into another process 20->89 91 Checks if the current machine is a virtual machine (disk enumeration) 20->91 93 Creates a thread in another existing process (thread injection) 20->93 25 explorer.exe 8 20->25 injected process9 dnsIp10 65 216.128.137.31, 80 AS-CHOOPAUS United States 25->65 67 privacy-toolz-for-you-403.top 194.147.85.186, 49727, 49728, 49730 NETRACK-ASRU Russian Federation 25->67 69 9 other IPs or domains 25->69 45 C:\Users\user\AppData\Roaming\uiesfgc, PE32 25->45 dropped 47 C:\Users\user\AppData\Local\Temp\FF0C.exe, PE32 25->47 dropped 49 C:\Users\user\AppData\Local\Temp\C10E.exe, PE32 25->49 dropped 51 2 other malicious files 25->51 dropped 105 System process connects to network (likely due to code injection or exploit) 25->105 107 Benign windows process drops PE files 25->107 109 Deletes itself after installation 25->109 111 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->111 30 B0D1.exe 25->30         started        33 C10E.exe 2 25->33         started        file11 signatures12 process13 signatures14 113 Detected unpacking (changes PE section rights) 30->113 35 B0D1.exe 30->35         started        115 Antivirus detection for dropped file 33->115 117 Multi AV Scanner detection for dropped file 33->117 119 Machine Learning detection for dropped file 33->119 121 Injects a PE file into a foreign processes 33->121 38 C10E.exe 2 33->38         started        41 conhost.exe 33->41         started        43 C10E.exe 33->43         started        process15 dnsIp16 79 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 35->79 81 Maps a DLL or memory area into another process 35->81 83 Checks if the current machine is a virtual machine (disk enumeration) 35->83 85 Creates a thread in another existing process (thread injection) 35->85 63 92.246.89.6, 38437, 49778 LIVECOMM-ASRespublikanskayastr3k6RU Russian Federation 38->63 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 15:32:12 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zs662ulabw2ebvkigh7xethq5gecednezudjerfn4nq4swnyzbja._file
Verdict:
malicious
Similar samples:
25149614d2732a9db3e86ee490064f943cef5747b19d937d2f3cc2d7e13d29b7
RedLineStealer
39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b
RedLineStealer
467425771038209d08868a51e6bbb8834fa53a33762f15818bd9905f5663828a
RedLineStealer
5758800ba2a45f64a6cf7f011159fb521eeacbd18c441adf2748690eee7faa00
RedLineStealer
5ed39b2c2b58db059b65bd11c6783a1c65b9836143f2c4dfbde502ff685598db
RedLineStealer
674006b8cf885bb27c186c2ef23ee6b9b5b9894985b909021eebcaccb74d6845
RedLineStealer
7dc5a00ea0996d4edb8fbee2a9d2caa97ece60b4d5f755c3e82a06205ee2a385
RedLineStealer
8350538160b089becbb7142d16ecf8089b16fbf11ead40dc1169a9e6104c0304
RedLineStealer
843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0
RedLineStealer
89bad428ef1f3d8d2217fa8fbf5421824383232f60c1d72fb4ad80ee0c56663f
RedLineStealer
+ 1'650 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:redline family:smokeloader botnet:@dcm4gentoo botnet:instashop botnet:raketa backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210927-synfxshda7/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
92.246.89.6:38437
185.92.74.142:80
138.124.186.42:14462
45.144.29.94:61419
Unpacked files
SH256 hash:
2fead9437f15e057951fd6a02ab05076e38db13483df0191787c21c79343b9e7
MD5 hash:
1c90f3a3fcd93ee08b2154cbcff49085
SHA1 hash:
73ac881633a13c3c31c1153d8105b8ecbb60961e
Link:
https://www.unpac.me/results/fd09a8c1-8337-4581-a29b-92bc26aec51d/
SH256 hash:
ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852
MD5 hash:
21419922ebad4c6331fe31528ca62a29
SHA1 hash:
fa20a09d326cb5b6555e0aeb060a37b144e93fc9
Link:
https://www.unpac.me/results/fd09a8c1-8337-4581-a29b-92bc26aec51d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ccbded51600d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639930/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/192180/

Comments