MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd
SHA3-384 hash: 1c64918e806c4aafbd06eb60eb114dfa05eecc2aef8e5fcb6094703f538f98ee4b84f1acc876d39eafdf23aabb06c170
SHA1 hash: 361eee1c6cbee9dde1e5dde0d64d747f048a931f
MD5 hash: 598fb83a05742b468c86648c4d4c65e3
humanhash: robert-lima-nineteen-lithium
File name:598fb83a05742b468c86648c4d4c65e3.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:265'728 bytes
First seen:2022-01-31 00:15:57 UTC
Last seen:2022-01-31 01:55:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93e4fd47da9ed37b0cad056ec99f9f38 (1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 3072:D2TUdYkulUeuwjVpIyz5SrP7F9Xdb7OTD7hJ6VggjcGkNIVqIGpZa9uD6Vdyhk:D2QdDOhwrLXdb7OvvC7ITsq9wVf
Threatray 9 similar samples on MalwareBazaar
TLSH T10944BEC07A90F9B6D04135718829CBA1677AFC36DB7CD9073F36166E6E732D08A26346
File icon (PE):PE icon
dhash icon fcfcb4b4b494d9c1 (74 x Amadey, 56 x Smoke Loader, 38 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
62.113.119.74:7276

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
62.113.119.74:7276 https://threatfox.abuse.ch/ioc/370931/

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
598fb83a05742b468c86648c4d4c65e3.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-31 00:21:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be0c1883-6590-4bb5-99c3-5f97163e7e22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/228191/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.12329.26777.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for analyzing tools
Sending a custom TCP request
Sending an HTTP GET request
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5537/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult exploit greyware qbot
Link:
https://www.filescan.io/uploads/61f72a82d7fd65ae55f93a22/reports/0dbf31c5-7440-45e2-be50-84a396f91521/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b11e32e-e43e-4a88-8482-bbc0c0f1ab59
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930621
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd/
Threat name:
Win32.Trojan.DiskWriter
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 00:16:12 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4zawb4mpaxzbgb36exoqrj4sqzbgjvfoyzw6fhpspe2f4f23p6q._file
Verdict:
malicious
Similar samples:
386f018af9a7c633ddc450e75491b978ebf22199bf789926b44c62ed0c7ecb6c
RedLineStealer
3d6425cf292c5a78f2014754d8a3368a934110587077584bc54b54642609b1f0
RedLineStealer
5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95
RedLineStealer
7972504035b05ba390f0e4083ef1d4ee7725ad5c581ab6beb730425f4b6945ba
RedLineStealer
83d0e70a23c542850312be419a86d0a77390d766ce8b5dd21ab0620c1aec75d3
RedLineStealer
98ad02342614a473b078f5b12274fa3c9c78779894750fbb7af82664b9e7ffa8
RedLineStealer
c53c13aa261fe9d7afe51e88a781264aa8c37639543de2a0dff680b8599dee60
RedLineStealer
f2e9475cbf8ad93f5762a2b5c02b552d5afe5247c9c14e2c1e72f507807ffbaa
RedLineStealer
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220131-akgr4sdbh2/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files
SH256 hash:
196c516ea546fb935ac669681a74a4dc80da79d9088f464f6cc6f126ae934f4e
MD5 hash:
c36de8bc9668ec4eaafca4c349dca0d5
SHA1 hash:
ea2cadfada69b93ca3abeb8b2462c5c18891fabf
Link:
https://www.unpac.me/results/a9a7a23e-5e9f-49ec-93fc-60a980cf430e/
Parent samples :
6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
8928eed86ea55a63e3646bf8ca403b4b1e57702f73c1ecc8fa403b5700a304ef
18ad362dcae8df5827846223c09ceba7766e09733b685d4067ee39037daec452
da39948d95cdbce6e1ca9e0fdbb77080164a379f593e530b5732d3fc38df7bf8
7c74a8c41e24f69015185f78b8fbc177edcbe9d27099e904497b2310999f74cb
92ebb6be19502fe2573a9eac183bcc657b88ac5b0344285d9db409b0a3d88dab
af6fa095b427a0e95dd826696c2b92b0123e688e3c95f6d27825cc2928085d1b
de8099732ee5b73f3fa6d032a74e8576d06663fc16b2c6da27a34444fdced1c8
SH256 hash:
cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd
MD5 hash:
598fb83a05742b468c86648c4d4c65e3
SHA1 hash:
361eee1c6cbee9dde1e5dde0d64d747f048a931f
Link:
https://www.unpac.me/results/a9a7a23e-5e9f-49ec-93fc-60a980cf430e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2013850/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/228191/

Comments