MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f
SHA3-384 hash: 7f4da8db023910caf779772e3e88cc2381c4bd3089bc8beec001ec01f25070f6779333ba2f52065b8f0b8d6f88b2e31b
SHA1 hash: 005fed815cef211835a93b94b0185bd6abe98db4
MD5 hash: 01b31a5b16aa19085e8182dab279ddf8
humanhash: foxtrot-mirror-echo-jupiter
File name:01b31a5b16aa19085e8182dab279ddf8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:338'432 bytes
First seen:2022-02-18 18:10:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 47fd5e74c27c4f6e1f926ccf3bdda17e (1 x RedLineStealer)
ssdeep 6144:AMRUNmgeaNhdY4cTgVFs1WLYBNdgmb9nhaWSv8J5sKn2:HJgeQhW5TgcVBNdgu9h+8J5B2
Threatray 16'486 similar samples on MalwareBazaar
TLSH T152749E40BBA0C03DE1B751F8757683AC693E7DA1AB2050CB62D53AEE1A356E0DCB5707
File icon (PE):PE icon
dhash icon 2dec1378399b9b91 (25 x Smoke Loader, 22 x RedLineStealer, 7 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.133.203.40:20113

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.133.203.40:20113 https://threatfox.abuse.ch/ioc/388853/
95.216.16.35:80 https://threatfox.abuse.ch/ioc/388854/
188.127.235.44:23948 https://threatfox.abuse.ch/ioc/388855/

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242588/
Detection(s):
Win.Packed.Filerepmalware-9938531-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6633/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed smokeloader
Link:
https://www.filescan.io/uploads/620fe13a875593a3cce6b381/reports/ce6a8bbb-7afd-4ea1-b4b7-fed7654d5fc7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9df8467e-3055-4012-ba1c-1b40924b1520
Result
Threat name:
SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942411
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 574889 Sample: N1hAmPNziA.exe Startdate: 18/02/2022 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Found malware configuration 2->68 70 Antivirus detection for URL or domain 2->70 72 7 other signatures 2->72 9 N1hAmPNziA.exe 2->9         started        12 ggebutg 2->12         started        14 hhebutg 2->14         started        process3 signatures4 102 Detected unpacking (changes PE section rights) 9->102 104 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->104 106 Maps a DLL or memory area into another process 9->106 16 explorer.exe 4 9->16 injected 108 Machine Learning detection for dropped file 12->108 110 Checks if the current machine is a virtual machine (disk enumeration) 12->110 112 Creates a thread in another existing process (thread injection) 12->112 process5 dnsIp6 58 91.243.44.60, 49833, 49845, 80 SHOCK-1US Russian Federation 16->58 60 dollybuster.at 211.40.39.251, 49775, 49781, 49782 LGDACOMLGDACOMCorporationKR Korea Republic of 16->60 62 11 other IPs or domains 16->62 46 C:\Users\user\AppData\Roaming\hhebutg, PE32 16->46 dropped 48 C:\Users\user\AppData\Roaming\ggebutg, PE32 16->48 dropped 50 C:\Users\user\AppData\Local\Temp\DFFF.exe, PE32 16->50 dropped 52 4 other files (3 malicious) 16->52 dropped 74 System process connects to network (likely due to code injection or exploit) 16->74 76 Benign windows process drops PE files 16->76 78 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->78 80 4 other signatures 16->80 21 DFFF.exe 77 16->21         started        25 9DCC.exe 16->25         started        27 577A.exe 16->27         started        29 2 other processes 16->29 file7 signatures8 process9 dnsIp10 54 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 21->54 dropped 56 C:\ProgramData\sqlite3.dll, PE32 21->56 dropped 82 Query firmware table information (likely to detect VMs) 21->82 84 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->84 86 Machine Learning detection for dropped file 21->86 100 5 other signatures 21->100 32 cmd.exe 1 21->32         started        88 Detected unpacking (changes PE section rights) 25->88 90 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->90 92 Maps a DLL or memory area into another process 25->92 94 Creates a thread in another existing process (thread injection) 25->94 96 Checks if the current machine is a virtual machine (disk enumeration) 27->96 64 badgoodreason.com 103.208.86.108, 49869, 80 ZAPPIE-HOST-ASZappieHostGB New Zealand 29->64 98 Tries to detect virtualization through RDTSC time measurements 29->98 34 WMIC.exe 1 29->34         started        36 WMIC.exe 1 29->36         started        38 WMIC.exe 1 29->38         started        40 2 other processes 29->40 file11 signatures12 process13 process14 42 conhost.exe 32->42         started        44 timeout.exe 1 32->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 23:49:18 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
35 of 43 (81.40%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rq74fpz4wbl44ljlkffeq44ze6gy2fvc2hve775fdzmmirw6rxq._file
Verdict:
malicious
Similar samples:
059d615ce6dee655959d7feae7b70f3b7c806f3986deb1826d01a07aec5a39cf
RedLineStealer
07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc
RedLineStealer
177281ae34e8e42aeca619f1a5dd728bb7dc4647b64b1411b2b13103c6b06865
RedLineStealer
1e1885766a2d50045f07b07ef4d8f989a578e7cae4696054ff60c0341537d371
RedLineStealer
470723b25a6bf11f30ad1b2f1d0eb2129895eb3e6ba4f7dd23eb69137538505f
RedLineStealer
6e60006ac8af12483aee2b0f6bcf0a963a0423b494b55f56ad51bfc9b3a3bd71
RedLineStealer
d94a67d52526006c2cf1ff40a181b1b6a763cda06513c3f8051e9a29c208b1f8
RedLineStealer
+ 16'476 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:icedid family:smokeloader family:warzonerat campaign:1860595763 backdoor banker collection discovery evasion infostealer rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220218-wsla6adfej/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates processes with tasklist
Enumerates system info in registry
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Warzone RAT Payload
Arkei
IcedID, BokBot
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
WarzoneRat, AveMaria
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
Malware Config
C2 Extraction:
http://dollybuster.at/upload/
http://spaldingcompanies.com/upload/
http://remik-franchise.ru/upload/
http://fennsports.com/upload/
http://am1420wbec.com/upload/
http://islamic-city.com/upload/
http://egsagl.com/upload/
http://mordo.ru/upload/
http://piratia-life.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
http://statssblogsta.in/stat/
http://statssblogsta.com/stat/
badgoodreason.com
193.203.203.96:5200
Unpacked files
SH256 hash:
c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0
MD5 hash:
da70ba6fa59896248f7c05fdcb7d581e
SHA1 hash:
174cb2b083e327a362b6ecac68fe939a40743ffb
Link:
https://www.unpac.me/results/5314225a-8387-4976-ba8e-2d48642a5703/
SH256 hash:
e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f
MD5 hash:
01b31a5b16aa19085e8182dab279ddf8
SHA1 hash:
005fed815cef211835a93b94b0185bd6abe98db4
Link:
https://www.unpac.me/results/5314225a-8387-4976-ba8e-2d48642a5703/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/242588/

Comments