MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d57a368085b26a9704093e1937aa4ebdae2e0f6b04fc09155169f139fdda2d70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d57a368085b26a9704093e1937aa4ebdae2e0f6b04fc09155169f139fdda2d70
SHA3-384 hash: 1c682ccceb8690d2c084910c50a4f71fa1a25dbd69179d68470d417ff1f7157c07dc60962db17ed26a6d1086fe5f7016
SHA1 hash: 639988a1246ea19c860919ad847d644bc9c055bc
MD5 hash: 71ee7781e626ac33722fe36e4baa010e
humanhash: stairway-fillet-ack-mike
File name:71ee7781e626ac33722fe36e4baa010e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:339'456 bytes
First seen:2021-12-27 09:45:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e4b8a20830d5d5ec659fda08d2e209e3 (10 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 6144:0yUiKhok3wU5etn8XcI69myTBBCHpsufY29+:0yiok3h5etn8XcIYmyTaJsug2g
Threatray 710 similar samples on MalwareBazaar
TLSH T166746B10B7A0D439F1B316F849B99278A92F7EE16B24A1CB53D127EE96355D0EC3031B
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
81.176.229.76:31970

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
81.176.229.76:31970 https://threatfox.abuse.ch/ioc/287793/

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
71ee7781e626ac33722fe36e4baa010e.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-27 11:53:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c3a03ec-6f5a-484f-8d28-5a2de182364f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216529/
Detection(s):
Win.Packed.Generic-9918587-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3337/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61c98b5e4ab5c44cbf533bd2/reports/c02776e6-aa71-47c4-9b48-15fc507e8bde/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b6ddcc3-6e92-4f97-b138-2d2fab0ac2db
Result
Threat name:
RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913083
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 545561 Sample: sfCAJHSsuY.exe Startdate: 27/12/2021 Architecture: WINDOWS Score: 100 90 185.7.214.239, 49859, 49871, 80 DELUNETDE France 2->90 92 microsoft-com.mail.protection.outlook.com 2->92 144 Antivirus detection for URL or domain 2->144 146 Antivirus detection for dropped file 2->146 148 Multi AV Scanner detection for dropped file 2->148 150 18 other signatures 2->150 11 sfCAJHSsuY.exe 2->11         started        13 jhfumzvy.exe 2->13         started        16 jcijggd 2->16         started        18 4 other processes 2->18 signatures3 process4 signatures5 20 sfCAJHSsuY.exe 11->20         started        162 Detected unpacking (changes PE section rights) 13->162 164 Detected unpacking (overwrites its own PE header) 13->164 166 Writes to foreign memory regions 13->166 170 2 other signatures 13->170 23 svchost.exe 13->23         started        168 Machine Learning detection for dropped file 16->168 26 jcijggd 16->26         started        process6 dnsIp7 152 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->152 154 Maps a DLL or memory area into another process 20->154 156 Checks if the current machine is a virtual machine (disk enumeration) 20->156 28 explorer.exe 10 20->28 injected 108 microsoft-com.mail.protection.outlook.com 104.47.53.36, 25, 49819 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->108 110 patmushta.info 47.251.38.135, 443, 49825, 49888 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 23->110 158 System process connects to network (likely due to code injection or exploit) 23->158 160 Creates a thread in another existing process (thread injection) 26->160 signatures8 process9 dnsIp10 112 185.233.81.115, 443, 49772 SUPERSERVERSDATACENTERRU Russian Federation 28->112 114 188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands 28->114 116 13 other IPs or domains 28->116 82 C:\Users\user\AppData\Roaming\jcijggd, PE32 28->82 dropped 84 C:\Users\user\AppData\Local\TempFFF.exe, PE32 28->84 dropped 86 C:\Users\user\AppData\Local\Temp\DD70.exe, PE32 28->86 dropped 88 9 other files (8 malicious) 28->88 dropped 172 System process connects to network (likely due to code injection or exploit) 28->172 174 Benign windows process drops PE files 28->174 176 Deletes itself after installation 28->176 178 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->178 33 6F14.exe 2 28->33         started        37 6416.exe 127 28->37         started        40 3BF1.exe 2 28->40         started        42 2 other processes 28->42 file11 signatures12 process13 dnsIp14 74 C:\Users\user\AppData\Local\...\jhfumzvy.exe, PE32 33->74 dropped 118 Detected unpacking (changes PE section rights) 33->118 120 Detected unpacking (overwrites its own PE header) 33->120 122 Machine Learning detection for dropped file 33->122 142 2 other signatures 33->142 44 cmd.exe 33->44         started        47 cmd.exe 33->47         started        49 sc.exe 33->49         started        56 3 other processes 33->56 94 192.168.2.1 unknown unknown 37->94 96 file-file-host4.com 37->96 76 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 37->76 dropped 78 C:\ProgramData\sqlite3.dll, PE32 37->78 dropped 124 Tries to harvest and steal browser information (history, passwords, etc) 37->124 126 Tries to steal Crypto Currency Wallets 37->126 128 Contains functionality to detect sleep reduction / modifications 37->128 51 cmd.exe 37->51         started        98 45.9.20.149, 7526 DEDIPATH-LLCUS Russian Federation 40->98 130 Multi AV Scanner detection for dropped file 40->130 132 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->132 134 Tries to evade analysis by execution special instruction which cause usermode exception 40->134 136 Hides threads from debuggers 40->136 100 91.219.236.148, 80 SERVERASTRA-ASHU Hungary 42->100 102 91.219.236.18, 80 SERVERASTRA-ASHU Hungary 42->102 104 2 other IPs or domains 42->104 138 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 42->138 140 Injects a PE file into a foreign processes 42->140 53 786B.exe 42->53         started        file15 signatures16 process17 dnsIp18 80 C:\Windows\SysWOW64\...\jhfumzvy.exe (copy), PE32 44->80 dropped 58 conhost.exe 44->58         started        60 conhost.exe 47->60         started        62 conhost.exe 49->62         started        64 conhost.exe 51->64         started        66 timeout.exe 51->66         started        106 86.107.197.138, 38133, 49860 MOD-EUNL Romania 53->106 68 conhost.exe 56->68         started        70 conhost.exe 56->70         started        72 conhost.exe 56->72         started        file19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d57a368085b26a9704093e1937aa4ebdae2e0f6b04fc09155169f139fdda2d70/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-27 09:46:11 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2v5dnaefwjvjobajhymtpksoxwxc4d3lat6asfkrnhytt7o2fvya._file
Verdict:
malicious
Similar samples:
06694768182079f742731e4bc2f6c0ffc012417020d04cd798cb8df4f8919f11
RedLineStealer
1237f60be32fedd4729cc33b077a902382c15c495327cfa55650ca66642506d1
RedLineStealer
2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08
RedLineStealer
43585503544a7c7596afb2b46457bb865df0c30b19d5c3b0bcdabf2f911d58ca
RedLineStealer
9230d8e8791a48bcca68a199b29e0be82d17d4079bbe715953ca35a2101b6d6b
RedLineStealer
b4a3cafc8553c06b17131e6b3afb38971312a4d91ae3349d2d118bdfc3d8de94
RedLineStealer
e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a
RedLineStealer
f3940f6c65cda4da86d1f9712223b8a278cd0dc90f701938a38a61ff74c66c66
RedLineStealer
+ 700 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor discovery evasion infostealer miner persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211227-lrmsgsbafj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Arkei
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
xmrig
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
patmushta.info
parubey.info
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/4a43b464-0cbf-4553-acee-755950f1ad1e/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
d57a368085b26a9704093e1937aa4ebdae2e0f6b04fc09155169f139fdda2d70
MD5 hash:
71ee7781e626ac33722fe36e4baa010e
SHA1 hash:
639988a1246ea19c860919ad847d644bc9c055bc
Link:
https://www.unpac.me/results/4a43b464-0cbf-4553-acee-755950f1ad1e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d57a368085b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d57a368085b26a9704093e1937aa4ebdae2e0f6b04fc09155169f139fdda2d70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d57a368085b26a9704093e1937aa4ebdae2e0f6b04fc09155169f139fdda2d70

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1919115/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216529/

Comments