MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc677c6443110908471abea7adb0b40cb199520d29ada8a56873e9247cb80dc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc677c6443110908471abea7adb0b40cb199520d29ada8a56873e9247cb80dc8
SHA3-384 hash: bd88c21132218b9ac05d85a481c58374d78d65a2cb245c2c277c1f90eb7cac0c79ddf31e9adb49d1a3c7410e7df54cae
SHA1 hash: 07e78079f94dd55dc3e97efe4eec1488b679e84b
MD5 hash: ac3ae60b82a4cf7355e815e1977eda23
humanhash: virginia-triple-zebra-sweet
File name:ac3ae60b82a4cf7355e815e1977eda23.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:358'912 bytes
First seen:2023-04-15 12:50:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40cd8d3e41cd5908e2d82cb9558e77b9 (2 x Smoke Loader, 2 x Vidar, 1 x Tofsee)
ssdeep 6144:Mxx+ZMwK90rcYJW9DvusQd//zk4w2hNTi:Mx8ZBe0rhJWNxa7k+hs
Threatray 4'282 similar samples on MalwareBazaar
TLSH T137743A02D3A1BC70E516A7798E1ED6F4775EB5208F19FBEB26494A2F09F42E1C232714
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0165260b23090603 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
167.235.158.92:39675

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
ac3ae60b82a4cf7355e815e1977eda23.exe
Verdict:
Malicious activity
Analysis date:
2023-04-15 12:50:46 UTC
Tags:
installer loader smoke trojan
Link:
https://app.any.run/tasks/62f0d077-13c8-4c89-ad84-aff35159cb75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382420/
Detection(s):
Sanesecurity.Malware.29209.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Creating a process from a recently created file
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/79742/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed
Link:
https://www.filescan.io/uploads/643a9db78cbb8f4be303db41/reports/8f43d8f9-ab8c-48f8-a0ee-5a0b9fa25fd8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dc677c6443110908471abea7adb0b40cb199520d29ada8a56873e9247cb80dc8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7967ef36-f290-4739-97fc-9392c5d4b0f8
Result
Threat name:
RHADAMANTHYS, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1214335
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found potential ransomware demand text
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 847263 Sample: Kc8mejj01q.exe Startdate: 15/04/2023 Architecture: WINDOWS Score: 100 106 Snort IDS alert for network traffic 2->106 108 Multi AV Scanner detection for domain / URL 2->108 110 Found malware configuration 2->110 112 14 other signatures 2->112 9 Kc8mejj01q.exe 2->9         started        12 sbbeeec 2->12         started        14 AF22.exe 2->14         started        process3 signatures4 136 Detected unpacking (changes PE section rights) 9->136 138 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->138 140 Maps a DLL or memory area into another process 9->140 142 Creates a thread in another existing process (thread injection) 9->142 16 explorer.exe 5 16 9->16 injected 144 Multi AV Scanner detection for dropped file 12->144 146 Machine Learning detection for dropped file 12->146 148 Checks if the current machine is a virtual machine (disk enumeration) 12->148 process5 dnsIp6 76 189.245.154.150, 49702, 49709, 49715 UninetSAdeCVMX Mexico 16->76 78 179.43.155.247, 49718, 80 PLI-ASCH Panama 16->78 80 6 other IPs or domains 16->80 58 C:\Users\user\AppData\Roaming\sbbeeec, PE32 16->58 dropped 60 C:\Users\user\AppData\Local\Temp\AF22.exe, PE32 16->60 dropped 62 C:\Users\user\AppData\Local\Temp\AB0C.exe, PE32 16->62 dropped 64 3 other malicious files 16->64 dropped 114 System process connects to network (likely due to code injection or exploit) 16->114 116 Benign windows process drops PE files 16->116 118 Deletes itself after installation 16->118 120 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->120 21 AB0C.exe 8 16->21         started        25 A78.exe 16->25         started        27 AF22.exe 16->27         started        29 A348.exe 2 16->29         started        file7 signatures8 process9 file10 66 C:\Windows\Temp\321.exe, PE32 21->66 dropped 68 C:\Windows\Temp\22.exe, PE32 21->68 dropped 70 C:\Windows\Temp\123.exe, PE32 21->70 dropped 72 C:\Windows\Temp\11.exe, PE32 21->72 dropped 122 Multi AV Scanner detection for dropped file 21->122 124 Machine Learning detection for dropped file 21->124 31 321.exe 66 21->31         started        35 123.exe 21->35         started        37 11.exe 21->37         started        39 22.exe 21->39         started        126 Detected unpacking (changes PE section rights) 25->126 128 Detected unpacking (overwrites its own PE header) 25->128 130 Writes to foreign memory regions 25->130 132 Allocates memory in foreign processes 25->132 41 dllhost.exe 25->41         started        134 Contains functionality to infect the boot sector 27->134 signatures11 process12 file13 74 C:\Users\user\AppData\...\DownloadMetadata, PDP-11 31->74 dropped 90 Antivirus detection for dropped file 31->90 92 Multi AV Scanner detection for dropped file 31->92 94 Query firmware table information (likely to detect VMs) 31->94 104 4 other signatures 31->104 43 chrome.exe 31->43         started        96 Machine Learning detection for dropped file 35->96 98 Writes to foreign memory regions 35->98 100 Allocates memory in foreign processes 35->100 45 RegSvcs.exe 35->45         started        48 WerFault.exe 35->48         started        102 Injects a PE file into a foreign processes 37->102 50 RegSvcs.exe 37->50         started        52 WerFault.exe 37->52         started        54 RegSvcs.exe 39->54         started        56 WerFault.exe 39->56         started        signatures14 process15 dnsIp16 82 ip-api.com 208.95.112.1, 49742, 80 TUT-ASUS United States 45->82 84 84.252.73.140, 80 SUPERSERVERSDATACENTERRU Russian Federation 45->84 86 46.173.218.172, 80 GARANT-PARK-INTERNETRU Russian Federation 45->86 88 192.168.2.1 unknown unknown 48->88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc677c6443110908471abea7adb0b40cb199520d29ada8a56873e9247cb80dc8/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-04-15 06:57:26 UTC
File Type:
PE (Exe)
Extracted files:
76
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rtxyzcdceeqqry2x2t23mfubsyzsuqnfgw2rjliopusi7fybxea._file
Verdict:
malicious
Similar samples:
0fc0a57f7f7e627701546f9bd45cfe39c07d27fb6cdc01c1aa6d015ee8141db2
RedLineStealer
1171766b3c8e74122333aedfcf8ff32bcd2e059043af434dc57a70b6015b3e63
RedLineStealer
25e47e9a6f3a3e0fe5301a3c5da1de51e3dc9734c04512b3275a6b27dbbadbdd
RedLineStealer
3f2a744ffcc0b40dd989812714bc1d8aff95873df4594a0bc62383f258a75d22
RedLineStealer
53393da51f4232a3337acba3487080b4d34cc5cb6e2f5f7b5cf9f68e10bea558
RedLineStealer
5b26522436f02ab63249cda95ffb462e3050087390e125f7ff09ca2eff57ce10
RedLineStealer
d6b06f7b07cd71f55091d9d1c36556538dfe3fd8cd3b40bccd29d6ea123fb334
RedLineStealer
ee0bc4bb3398ba5214bdef3b94bc5bc5eaba5d611e0c71e8cdcaf36e574b90ab
RedLineStealer
ee15356d4e199b8a5d7ee0554a3cec7b8199a2f29b673a2e75668e0805cfac96
RedLineStealer
fa2c8289fb1a7c26774c74f39391df7a68c06f7b2e1aba9f722d8b30fcc5be97
RedLineStealer
+ 4'272 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys family:smokeloader botnet:pub4 backdoor collection stealer trojan
Link:
https://tria.ge/reports/230415-p3gx6aeb35/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Program crash
Accesses Microsoft Outlook profiles
Executes dropped EXE
Downloads MZ/PE file
Detect rhadamanthys stealer shellcode
Rhadamanthys
SmokeLoader
Malware Config
C2 Extraction:
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
http://179.43.142.201/img/favicon.png
Unpacked files
SH256 hash:
8d425e3a777589dc02bb08b9819d78478b14055dd9eebc67dc9caea5ddef1c6d
MD5 hash:
10bffe181eeb6feb30b4fbb0e7c7077c
SHA1 hash:
20a7946348367cdb9e50ef304310924904726843
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/b69465f6-ce5a-413c-b1e2-f0f38fd3d879/
Parent samples :
fa2c8289fb1a7c26774c74f39391df7a68c06f7b2e1aba9f722d8b30fcc5be97
53393da51f4232a3337acba3487080b4d34cc5cb6e2f5f7b5cf9f68e10bea558
bb5a42beba01b1bdfa2474ca6554c79a8128e4ef4328886bce909190aee395af
d6b06f7b07cd71f55091d9d1c36556538dfe3fd8cd3b40bccd29d6ea123fb334
d0510da2366e0ffc6a3a085a69d6d395d3f99b9090da13b956e03fa50273e064
ee15356d4e199b8a5d7ee0554a3cec7b8199a2f29b673a2e75668e0805cfac96
3f2a744ffcc0b40dd989812714bc1d8aff95873df4594a0bc62383f258a75d22
ee0bc4bb3398ba5214bdef3b94bc5bc5eaba5d611e0c71e8cdcaf36e574b90ab
f8027f4570a8f2c361fd65abe28c4f04144347148989e87f3bc587f1e199c171
53c917dff75e6d8119759c3fdadf4a42cdfc29802eac12658c46cf684e2a361a
25e47e9a6f3a3e0fe5301a3c5da1de51e3dc9734c04512b3275a6b27dbbadbdd
3595c78c59a2b6dc06113f757f9b7e87bc0bcd447cd2036da1033fb4fa901482
727ac7cc033f0c339a39eee121adeaffc70ab3899bb1fab0c724555052f65ce1
21f840d040c17a726d100f31af155807a41bd6d9b642f0ded1a22fb57f099a6f
93b75a7c9f000e58aa2c13e033e2d822590886ca67e6dc6157c9d5bbe20a6af4
9c470bd34351c82f46d2c97771c80ab511498b837ee61daa060596892b602855
5ec9843a2aee2813c1d99bda8df3a2518457867e63522a5b2075d30b7eead0d5
2a05b42d2c3c8b84d7e5343ba39030b16004622607ef49a11d75249d3a8a03b8
f7d5ba31a01492a8f04c8f43369d3cbd2ce4c31c4ced5fd6fec50fbfa44d64e0
140d5cd42d9d061d42c2c4a482f21a05456437c6217e67ebbd75f5e2f43501ed
b2f4a838e875fb28a2cf719808bd9e5ef723c4622e738a132dfce0e30e12ea2b
fec035db5466c7836b82fc64a1c02ef51fbf3b65a46120c7db133e0e84f09fab
1e4af9a616a8ee9dd60437ff05b525b44d9d9a0224571f3c71b2f000e55466bd
4439f1249c7da0393e71fece4b67849cc50dbb1046a723e29d1a71020ae03cba
d98fd863d1438efefdec2d6a1f813d15a282e6e50bf39e2fd60568cbb0481171
631649edae809adf365c2def004837945e90c152dd3bc9d2477c86f8d58cb0df
4211d787ed48168f9a71e2f94df71f30b182404309409f0b649eb3ffe5da355f
ac3612b5c39bb69c05b6a9936451f8ff9a0e2e91e25ec78195b5840adab196f5
ee6d1485f9ff52ba4fe0ead6a841085b7722626933dae80d5d1d4162680baeee
9e50c6be3c3bfba4776826dc13d61f3073cfa18c66f2a37f5decda472a224175
38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48
0f931e984c46fc75191a17436514595218d8b88b73ad84f9ff68131cb463b387
b87577df851960649e52cebb4796bd489ab28293f708d1a404b0cc06f16aad39
4728f451f13556ab522bc74a447d90ba474478c886d3b313270aaf44914a95fd
f39dff118d357bd5d8ee143137933ce306331c002ba0162546c280234d4eed95
e39d66d4711d41ca30da9a9d16376774b4d5a0f106fea8bc943b885da998e00f
58cc5482d7de511b7adc6819c858b1c6de067fec262813396e0f580ada1e1ecd
3fcf17a312da09e7d7cb7a69b3575e791de5494420eb99e7bd00f6a63cb40988
9a03353f33056e104624269ac6c93c2f10e46a6e5bfb62ad4540efefd2fb13a2
bc5db4b7aa47a3311d6972621231889ab17768a1c5c424c8cac9a791edd9d65f
dd325f203871fc329de167912647075a4d9d7499ea801eb153903defe3f364c4
f0098ef0f31aa50b097bfb3ac7e420c518a697394a0ffed54640a55045263fa9
5cb990efb5548b238ff6e2637377088db3863e061fbd1f991ee0a6fd930688e4
1793eb416457ee255bbd21ed595ccec80244fc0beb39c65684fb85019ef2e92d
3b7e53587f37c46e763b81e682bc3c88b3ec53a41814ff8f73a7970168a3c7de
d6b20c60a8b3bf78ef58ac893a1c10a5707419d4235cf2366bb9789642d2c18f
7bd2979280dba6f125f1b8a8b2716206220169d9275da6dca4cd06ee239cfe3c
b3d29d2085dc447fe17069b8bb314dba757cad78e532ad7e0b15abc99f247cab
f5851b57e9662d765ef24b112f370554d51e93fe7065050cc20925c7165212b7
805a64c1ec03d02bf8e8ebe48a9c59fe520c573cafc01bf3ef2b6dd965b1a12a
84c63d7b5b76b8069dec9760aa1bb530b062889cfce4f2fa82e5288cb82b25fa
59a9abae3f724f1ff212766b64ab691d34cd0624337204caa65406a1378329a3
a5e2e1d4ae2ea2f1de7b448222962195698a6e82a0f890d5e2898f5b28d7b6f0
5cb4329e2e5e2d43468d75e2892527faeeb4642c9bdcff9661992324502366de
5b26522436f02ab63249cda95ffb462e3050087390e125f7ff09ca2eff57ce10
306839eeb37080b5d6e7d32ab0b261995877e9d143e91d1d1e06cdf636bcea28
dc677c6443110908471abea7adb0b40cb199520d29ada8a56873e9247cb80dc8
c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0
87f8b19fad893802d91a2e618a1ca102419c3e22b00720991350c5a6eb36f4f1
76dd10a61c9c5b361d147bb841980200cc75fc1086c5db7291fc2461ed9e5292
888f3b4dc1ed18130baac862732ca69c8f5fced65364ae3a8fd8bb17ad075f06
62db8b5a7a321ce6c180f142e15f8c6dc00407f5ae673afdf5c3b40417291a78
78c4f76d5f6dacc7d2759dea334aede899237a62be411e37371e010de670fc57
a91f91198284c261501988a6fa42476f60a8ba0bb3e6bb9f167e50e8dcfa7407
SH256 hash:
dc677c6443110908471abea7adb0b40cb199520d29ada8a56873e9247cb80dc8
MD5 hash:
ac3ae60b82a4cf7355e815e1977eda23
SHA1 hash:
07e78079f94dd55dc3e97efe4eec1488b679e84b
Link:
https://www.unpac.me/results/b69465f6-ce5a-413c-b1e2-f0f38fd3d879/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc677c644311/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc677c6443110908471abea7adb0b40cb199520d29ada8a56873e9247cb80dc8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe dc677c6443110908471abea7adb0b40cb199520d29ada8a56873e9247cb80dc8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2609065/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382420/

Comments