MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8d9ff91648bff840f9f7bc41f223cca80d3c75ab8f64159d8fe8e87ecb55f9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8d9ff91648bff840f9f7bc41f223cca80d3c75ab8f64159d8fe8e87ecb55f9e
SHA3-384 hash: bbef2c6a2db5dc0d619913b80110666d5ad7307bfd3d4470858100ed8475edf1b486c3413f046be629a1a0f234ca35c2
SHA1 hash: 0632a64d73974b72d71aacdf40e637f9f63cb2dd
MD5 hash: e45d67e149cdc560daa844db397e1c29
humanhash: xray-two-neptune-quiet
File name:e45d67e149cdc560daa844db397e1c29.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:137'216 bytes
First seen:2021-09-27 05:17:46 UTC
Last seen:2021-09-27 06:28:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d219b4c81d3038e0b353f2c453352508 (12 x RaccoonStealer, 4 x Smoke Loader, 2 x ArkeiStealer)
ssdeep 1536:t+6RF4Gc7MP+d9dRcHvu45Toew0JD0NbF5+0vRevv/ob8yvgzKzpPt/CD6H:tJyf9nmvumoewWD0Nx5JwPUjzp0O
Threatray 5'713 similar samples on MalwareBazaar
TLSH T144D3CFAD7681D432C592593C7824DAAC666EBC327E25CD473748279F0E302D3963729F
File icon (PE):PE icon
dhash icon fcfcd4f4d4d4d8c0 (23 x RedLineStealer, 21 x RaccoonStealer, 6 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
92.246.89.6:38437

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.246.89.6:38437 https://threatfox.abuse.ch/ioc/226920/

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e45d67e149cdc560daa844db397e1c29.exe
Verdict:
No threats detected
Analysis date:
2021-09-27 05:22:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c02c5ca6-2623-4916-8ee5-218472c3e881

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191893/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader43.24891.8241.10760.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f82642d-5911-4fa7-ba26-5d0f368b5b6e
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858664
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491095 Sample: m7Nq5OXXDt.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 35 api.ip.sb 2->35 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Found malware configuration 2->55 57 Antivirus detection for URL or domain 2->57 59 8 other signatures 2->59 9 m7Nq5OXXDt.exe 2->9         started        12 besbjij 2->12         started        signatures3 process4 signatures5 73 Detected unpacking (changes PE section rights) 9->73 75 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->75 77 Maps a DLL or memory area into another process 9->77 14 explorer.exe 4 9->14 injected 79 Multi AV Scanner detection for dropped file 12->79 81 Checks if the current machine is a virtual machine (disk enumeration) 12->81 83 Creates a thread in another existing process (thread injection) 12->83 process6 dnsIp7 39 zigorat.us 38.117.65.66, 49813, 80 RC-01-ASCA United States 14->39 41 govsurplusstore.com 203.228.9.102, 49737, 49741, 49782 KIXS-AS-KRKoreaTelecomKR Korea Republic of 14->41 43 6 other IPs or domains 14->43 29 C:\Users\user\AppData\Roaming\besbjij, PE32 14->29 dropped 31 C:\Users\user\AppData\Local\Temp\6AD3.exe, PE32 14->31 dropped 33 C:\Users\user\...\besbjij:Zone.Identifier, ASCII 14->33 dropped 45 System process connects to network (likely due to code injection or exploit) 14->45 47 Benign windows process drops PE files 14->47 49 Deletes itself after installation 14->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->51 19 C894.exe 3 14->19         started        22 6AD3.exe 3 14->22         started        file8 signatures9 process10 dnsIp11 61 Detected unpacking (changes PE section rights) 19->61 63 Query firmware table information (likely to detect VMs) 19->63 65 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->65 71 2 other signatures 19->71 25 conhost.exe 19->25         started        37 94.26.228.204, 32917, 49816 PTC-YEMENNETYE Russian Federation 22->37 67 Multi AV Scanner detection for dropped file 22->67 69 Detected unpacking (overwrites its own PE header) 22->69 27 conhost.exe 22->27         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8d9ff91648bff840f9f7bc41f223cca80d3c75ab8f64159d8fe8e87ecb55f9e/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 19:22:03 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dm77elerp7yid47ppcb6ir4zkanhr22xd3ecwoy72hip3fvl6pa._file
Verdict:
malicious
Similar samples:
2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133
RedLineStealer
64cb3ce12c5cdfdf4e0dd3e9f0bcd9e43745ee83c3289a27c73f6c6f4243049c
RedLineStealer
78d48d885d654ecfdea110dfd74810a17736133edbd2014c405e758f7e938252
RedLineStealer
84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
RedLineStealer
89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
RedLineStealer
a15449ae67bf0149ead362ba69e532eeb2557f13bc1c3ed8ece6e642db66b7da
RedLineStealer
c75b223b462ba88c62c1c8d848a845e7aeacc0ec0c96a7ecf1644e782accdd52
RedLineStealer
dad310f9c291800939286d91b2b3206ca1f53661eed6c9c819d269780eb37b63
RedLineStealer
ebcecaf7cc142a2954b15d4390e5275aed5a7c8f70a7c777c0288b5f3c2312ac
RedLineStealer
fe182a93d10cf8b048cb1a72b07f80ded9f6e2e0177f74f2baf9f17ede242ee9
RedLineStealer
+ 5'703 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:redline family:smokeloader family:vidar botnet:paladin backdoor discovery evasion infostealer persistence ransomware spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210927-jx7nqsfhhk/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
94.26.228.204:32917
Unpacked files
SH256 hash:
5e52071fd7832c439965575105f0a8d309fc5c923523689f94c6aaaa4230ec8a
MD5 hash:
0723090cb25a2ec591eb170730b0e737
SHA1 hash:
d6e2422a17cfe0de3cc43053cf595b7a28897386
Link:
https://www.unpac.me/results/87c5b542-60ae-4cd9-be76-f78d8e8653a7/
SH256 hash:
d8d9ff91648bff840f9f7bc41f223cca80d3c75ab8f64159d8fe8e87ecb55f9e
MD5 hash:
e45d67e149cdc560daa844db397e1c29
SHA1 hash:
0632a64d73974b72d71aacdf40e637f9f63cb2dd
Link:
https://www.unpac.me/results/87c5b542-60ae-4cd9-be76-f78d8e8653a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8d9ff91648bff840f9f7bc41f223cca80d3c75ab8f64159d8fe8e87ecb55f9e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d8d9ff91648bff840f9f7bc41f223cca80d3c75ab8f64159d8fe8e87ecb55f9e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1644574/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191893/

Comments