MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8c2781c40ac32af37c43c777a5253781950c0ce3b8c05c0d3f50b53e7863d02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8c2781c40ac32af37c43c777a5253781950c0ce3b8c05c0d3f50b53e7863d02
SHA3-384 hash: 6ed35ea22ddd060098834f119a45d8c5868ec09cd8ad29663a71b808f6ecd7f495c688cbc289485f65027b1a12a72c3c
SHA1 hash: d34d922ee3f84ce3e6068f29336001b9f049c795
MD5 hash: a8bef000976a36dd25363d0b8ba4f508
humanhash: avocado-robin-double-cardinal
File name:a8bef000976a36dd25363d0b8ba4f508.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:291'840 bytes
First seen:2021-11-27 08:46:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ac14a22dc3791ebf7f4a67e197a18bc7 (7 x RedLineStealer, 1 x TeamBot)
ssdeep 6144:a621sZ6LA/mkTYwitK6dYmMbSXuZet0yS8wYgBJBai1X2sRob:aTBA/meYwic6dYmuSXuZet0yS8wNBxr
Threatray 313 similar samples on MalwareBazaar
TLSH T16E549E14ABA0C438F4B756F889B9D3A8B93F79A16B6890CF52D516EE46347E0DC30317
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.134.225.35:7821

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.134.225.35:7821 https://threatfox.abuse.ch/ioc/254996/

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a8bef000976a36dd25363d0b8ba4f508.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-27 08:49:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d7bba508-7ffc-4dad-8484-eccd82a36e02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61a1f088f36138de3f41211c/reports/a394a257-d293-4929-af5f-fd56a3f22143/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2cf5db3f-0c41-4516-a3a2-5f503fbba7ee
Result
Threat name:
AsyncRAT Djvu RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Djvu Ransomware
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 529578 Sample: U2fkDYwhFW.exe Startdate: 27/11/2021 Architecture: WINDOWS Score: 100 100 api.2ip.ua 77.123.139.190, 443, 49875, 49883 VOLIA-ASUA Ukraine 2->100 102 srtuiyhuali.at 2->102 104 microsoft-com.mail.protection.outlook.com 2->104 128 Multi AV Scanner detection for domain / URL 2->128 130 Antivirus detection for URL or domain 2->130 132 Antivirus detection for dropped file 2->132 134 23 other signatures 2->134 11 U2fkDYwhFW.exe 2->11         started        14 viropugt.exe 2->14         started        16 bdrctwc 2->16         started        18 6 other processes 2->18 signatures3 process4 signatures5 172 Contains functionality to inject code into remote processes 11->172 174 Injects a PE file into a foreign processes 11->174 20 U2fkDYwhFW.exe 11->20         started        23 backgroundTaskHost.exe 11->23         started        176 Detected unpacking (changes PE section rights) 14->176 178 Detected unpacking (overwrites its own PE header) 14->178 180 Writes to foreign memory regions 14->180 182 Allocates memory in foreign processes 14->182 25 svchost.exe 14->25         started        184 Machine Learning detection for dropped file 16->184 186 Maps a DLL or memory area into another process 16->186 188 Checks if the current machine is a virtual machine (disk enumeration) 16->188 190 Creates a thread in another existing process (thread injection) 16->190 28 ubrctwc 18->28         started        process6 dnsIp7 136 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->136 138 Maps a DLL or memory area into another process 20->138 140 Checks if the current machine is a virtual machine (disk enumeration) 20->140 142 Creates a thread in another existing process (thread injection) 20->142 30 explorer.exe 14 20->30 injected 108 quadoil.ru 85.143.175.153, 443, 49819, 49880 TRADERSOFTRU Russian Federation 25->108 110 microsoft-com.mail.protection.outlook.com 104.47.54.36, 25, 49813 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->110 144 System process connects to network (likely due to code injection or exploit) 25->144 signatures8 process9 dnsIp10 114 xacokuo80.top 30->114 116 185.233.81.115, 443, 49797 SUPERSERVERSDATACENTERRU Russian Federation 30->116 118 10 other IPs or domains 30->118 92 C:\Users\user\AppData\Roaming\ubrctwc, PE32 30->92 dropped 94 C:\Users\user\AppData\Roaming\bdrctwc, PE32 30->94 dropped 96 C:\Users\user\AppData\Local\Temp\FE81.exe, PE32 30->96 dropped 98 10 other malicious files 30->98 dropped 120 System process connects to network (likely due to code injection or exploit) 30->120 122 Benign windows process drops PE files 30->122 124 Deletes itself after installation 30->124 126 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->126 35 A506.exe 30->35         started        39 4899.exe 2 30->39         started        41 7C2F.exe 30->41         started        43 4 other processes 30->43 file11 signatures12 process13 dnsIp14 76 C:\Users\user\AppData\...\LbfoAdmin.exe, PE32 35->76 dropped 78 C:\Users\user\...\Aonjqeqpobotbuyred.exe, PE32 35->78 dropped 80 C:\Users\user\...\Spgpmxgqeumbkyvalxt.vbs, ASCII 35->80 dropped 82 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 35->82 dropped 146 Antivirus detection for dropped file 35->146 148 Multi AV Scanner detection for dropped file 35->148 150 Creates an undocumented autostart registry key 35->150 164 2 other signatures 35->164 84 C:\Users\user\AppData\Local\...\viropugt.exe, PE32 39->84 dropped 152 Detected unpacking (changes PE section rights) 39->152 154 Detected unpacking (overwrites its own PE header) 39->154 156 Machine Learning detection for dropped file 39->156 166 2 other signatures 39->166 46 cmd.exe 1 39->46         started        49 netsh.exe 3 39->49         started        51 cmd.exe 2 39->51         started        60 3 other processes 39->60 168 4 other signatures 41->168 112 file-file-host4.com 43->112 86 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 43->86 dropped 88 C:\ProgramData\sqlite3.dll, PE32 43->88 dropped 158 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->158 160 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 43->160 162 Tries to harvest and steal browser information (history, passwords, etc) 43->162 170 2 other signatures 43->170 53 6B27.exe 43->53         started        56 conhost.exe 43->56         started        58 6B27.exe 43->58         started        62 3 other processes 43->62 file15 signatures16 process17 dnsIp18 90 C:\Windows\SysWOW64\...\viropugt.exe (copy), PE32 46->90 dropped 64 conhost.exe 46->64         started        66 conhost.exe 49->66         started        68 conhost.exe 51->68         started        106 185.159.80.90, 38655, 49867 HOSTING-SOLUTIONSUS Netherlands 53->106 70 conhost.exe 60->70         started        72 conhost.exe 60->72         started        74 conhost.exe 60->74         started        file19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8c2781c40ac32af37c43c777a5253781950c0ce3b8c05c0d3f50b53e7863d02/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-11-27 02:07:14 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dbhqhcavqzk6n6ehr3xuustpamvbqgohogalqgt6ufvhz4ghuba._file
Verdict:
malicious
Similar samples:
191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33
RedLineStealer
28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994
RedLineStealer
58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887
RedLineStealer
8b808185dc8cc0b23c275ce6b8d384814d37ccec8a842e1e8702f63e76de843c
RedLineStealer
9b0de4434ee36e29881a3667164eaf04158c0c1256f74331074117d96693c6d3
RedLineStealer
bf47b285157f4274914515e77af23fc9924e7e10ea95065a37aa1e2d0deb8836
RedLineStealer
f3580c945b60d9f9b43c886f0f86244308c4ec859b6b3e005e5ebc2315ff0f0b
RedLineStealer
f89908f8594a0dccfb5e52b295075ff63be86c0f5584f990d39dfe2b2c2f9c08
RedLineStealer
f9194db6a27bfd9322186caf3fa8337f6b5197301798818920e84724362ee801
RedLineStealer
+ 303 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:bazarloader family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:706 botnet:default botnet:zormion backdoor collection discovery dropper evasion infostealer loader miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/211127-kpv6eacge6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Arkei Stealer Payload
Bazar/Team9 Loader payload
Vidar Stealer
XMRig Miner Payload
Arkei
Bazar Loader
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://nalirou70.top/
http://xacokuo80.top/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
quadoil.ru
lakeflex.ru
185.159.80.90:38655
http://file-file-host4.com/tratata.php
https://mstdn.social/@anapa
https://mastodon.social/@mniami
185.31.160.143:51281
Unpacked files
SH256 hash:
cdb9c842ba86fc328ec80226975c54c24a3ee9868cbbaab14d2b651cc80e70e6
MD5 hash:
f7ff52793660cabb5ebd2bd4b9810336
SHA1 hash:
23e6a68262b479a1ff214b09dbfe159292475a22
Link:
https://www.unpac.me/results/70886c52-e889-401e-9006-65cf5ebc630f/
SH256 hash:
d8c2781c40ac32af37c43c777a5253781950c0ce3b8c05c0d3f50b53e7863d02
MD5 hash:
a8bef000976a36dd25363d0b8ba4f508
SHA1 hash:
d34d922ee3f84ce3e6068f29336001b9f049c795
Link:
https://www.unpac.me/results/70886c52-e889-401e-9006-65cf5ebc630f/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d8c2781c40ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8c2781c40ac32af37c43c777a5253781950c0ce3b8c05c0d3f50b53e7863d02

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d8c2781c40ac32af37c43c777a5253781950c0ce3b8c05c0d3f50b53e7863d02

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1817982/
  
Delivery method
Distributed via web download

Comments