MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dad310f9c291800939286d91b2b3206ca1f53661eed6c9c819d269780eb37b63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	dad310f9c291800939286d91b2b3206ca1f53661eed6c9c819d269780eb37b63
SHA3-384 hash:	087f48f1c000404cc7dd4f738620ad0b546ca1f53a306700b61694df9c0e1db9dcb84535bca60d07c96b50430b24d133
SHA1 hash:	032165f81544f62e12a88640d12613377a79b7b5
MD5 hash:	3a632313c80a974c4f7ac8f456b3a72c
humanhash:	edward-nuts-edward-magazine
File name:	dad310f9c291800939286d91b2b3206ca1f53661eed6c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	152'064 bytes
First seen:	2021-09-25 21:45:09 UTC
Last seen:	2021-09-25 23:10:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	062d438af0a5427d47d2119e831026d3 (27 x RedLineStealer, 8 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep	1536:tCm0tG3hr2RD/Z8fPTJ3QNXQjAGvveHn4KmKT56wv33Nw19LMnahv+RooRy/494Y:1T2ROJ3Q6jAGvv9IT53vtwLtS9H6dYs
Threatray	12'430 similar samples on MalwareBazaar
TLSH	T12AE38C3076E09432D3A7C6704936C2A16A3BB8722F7385CBF65C364B1E316D19AF6352
File icon (PE):
dhash icon	fcfc94f4d4dcd8c0 (3 x RaccoonStealer, 2 x RedLineStealer, 1 x DanaBot)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
94.26.228.204:32917

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
94.26.228.204:32917	https://threatfox.abuse.ch/ioc/226448/

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup_x86_x64_install.exe

Verdict:

Malicious activity

Analysis date:

2021-09-25 13:18:34 UTC

Tags:

trojan loader evasion rat redline stealer vidar opendir

Link:

https://app.any.run/tasks/787684a5-892c-40d4-bbfb-51f6981dc71c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/191615/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.25639.26818.9121.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72f37c0c-f87b-40e0-9108-53ccdb15d9dc

Result

Threat name:

RedLine SmokeLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/858168

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dad310f9c291800939286d91b2b3206ca1f53661eed6c9c819d269780eb37b63/

Threat name:

Win32.Trojan.DllCheck

Status:

Malicious

First seen:

2021-09-25 13:46:09 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3ljrb6ocsgaasojinwi3fmzansq7kntb53lmtsaz2juxqdvtpnrq._file

Verdict:

malicious

RedLineStealer

205510fe8ec85f69aab507415625af8a25c3e2dc68497dd0073afb60f5e80726

RedLineStealer

5d682001504dc58701765ca9721e4b4b9eb5b5e73469731fe787d15217cd7435

RedLineStealer

6bf5f4826e8a08a51efd8c251af36a1730d57487a0e598dbd74b6fbe8a11d7ed

RedLineStealer

9b856f3ae99b275734c18efbcf1185e395cc5c4c05cfde4be62f9fe8a130a028

RedLineStealer

c120fd3e62a0ecd299625f3fbf622fb8a56b534828b6788fe766f1bc36ac7a68

RedLineStealer

dab48eb20191f37e19aed12dc58640ab40957cec26dc3fa63a88f70decbd875c

RedLineStealer

+ 12'420 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:redline family:smokeloader botnet:paladin backdoor discovery evasion infostealer spyware stealer suricata themida trojan

Link:

https://tria.ge/reports/210925-1mnasadhdr/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Deletes itself

Reads user/profile data of web browsers

Themida packer

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

RedLine Payload

SmokeLoader

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
94.26.228.204:32917

Unpacked files

SH256 hash:

5e52071fd7832c439965575105f0a8d309fc5c923523689f94c6aaaa4230ec8a

MD5 hash:

0723090cb25a2ec591eb170730b0e737

SHA1 hash:

d6e2422a17cfe0de3cc43053cf595b7a28897386

Link:

https://www.unpac.me/results/8083d5c4-9f0c-4382-b4ae-6429b588c464/

SH256 hash:

dad310f9c291800939286d91b2b3206ca1f53661eed6c9c819d269780eb37b63

MD5 hash:

3a632313c80a974c4f7ac8f456b3a72c

SHA1 hash:

032165f81544f62e12a88640d12613377a79b7b5

Link:

https://www.unpac.me/results/8083d5c4-9f0c-4382-b4ae-6429b588c464/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dad310f9c291800939286d91b2b3206ca1f53661eed6c9c819d269780eb37b63

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191615/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample