MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee8b0e0f159d28b8bdf306b5ae9fef26379525cb6f8d07d8855963ceb6a9f7d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13


SHA256 hash: ee8b0e0f159d28b8bdf306b5ae9fef26379525cb6f8d07d8855963ceb6a9f7d6
SHA3-384 hash: 8610da51cfc9a485a81ab0691e21c1ddc09460ec42768309e4b876b8b7f543379f52198cfb597c53cd4eb226aef7c891
SHA1 hash: 452b301b3a9602a937c9710bd6d4570a2cb41eb6
MD5 hash: 44043fbb9d6d08a437d8301fc7f8bab4
humanhash: london-angel-kilo-freddie
File name: 44043fbb9d6d08a437d8301fc7f8bab4.exe
Signature: RedLineStealer
File size: 239'104 bytes
First seen: 2022-01-31 02:50:44 UTC
Last seen: 2022-01-31 05:24:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9422d8f1b75bb5b0336087bbf87775ee (2 x ArkeiStealer, 1 x RedLineStealer, 1 x DarkWatchman)
ssdeep: 3072:0J/SY0AdknWvj3ig5zyhLtawAEkqjSciRe4imZVggjcGkNIVqI:0JaY0JYShBawAEKe4i07ITsq
TLSH: T1AB34BFE0F683C072C052367188F9CBA19A7EBF21D963CA433B79176E6E712D04A5635D
File icon (PE): PE icon
dhash icon: fcfcb4b4b494d9c9 (5 x RedLineStealer, 3 x RaccoonStealer, 3 x ArkeiStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
62.113.119.74:7276

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
62.113.119.74:7276    https://threatfox.abuse.ch/ioc/370931/

Intelligence


File Origin
# of uploads:
2
# of downloads:
204
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
44043fbb9d6d08a437d8301fc7f8bab4.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-31 03:16:32 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Creating synchronization primitives
Sending an HTTP GET request
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
9/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Trojan.CrypterX
Status:
Malicious
First seen:
2022-01-31 02:51:09 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
19 of 28 (67.86%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
smokeloader
Score:
10/10
Tags:
family:smokeloader backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe ee8b0e0f159d28b8bdf306b5ae9fef26379525cb6f8d07d8855963ceb6a9f7d6 (this sample)

Delivery method
Distributed via web download

Comments