MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0bf1ff85a29dfb06cf83aeab4093d9bd9edfa5781fbb65fe8a31d32cc14f2bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0bf1ff85a29dfb06cf83aeab4093d9bd9edfa5781fbb65fe8a31d32cc14f2bc
SHA3-384 hash: da28a010fd7c6b58e32c28a1ecb3d2a905459075d54c56b4c2d980772fb097c9e7fbb1bb95c2885e958a8db4beb334ff
SHA1 hash: 527c7a0c96b0ebb810f9fa6575b13502e350da44
MD5 hash: f4e868760f3af522ab9d5e8852e25b69
humanhash: purple-hotel-artist-west
File name:f4e868760f3af522ab9d5e8852e25b69.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:348'672 bytes
First seen:2021-10-29 01:17:28 UTC
Last seen:2021-10-29 02:23:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e7e707cb5a6cd20211e77d5d46383cea (16 x RaccoonStealer, 3 x Smoke Loader, 2 x RedLineStealer)
ssdeep 6144:OsHUpEfVm0VYjVP+PlevIFtXnA5etjJL02:P0pN0VqEPlevIDXnvj
Threatray 2'250 similar samples on MalwareBazaar
TLSH T112748D10B7A1C435F1F212F8597A9369A93F79B2AB3490CF12D526EE4674AE0EC31347
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://194.180.174.181/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.181/ https://threatfox.abuse.ch/ioc/239344/

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.79361.14419.26667.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41cbb399-1651-41ce-9c57-ad3d9c8cc4f6
Result
Threat name:
Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878952
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL reload attack detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511386 Sample: AY5uCs0HrY.exe Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 77 telegalive.top 2->77 79 mas.to 2->79 81 3 other IPs or domains 2->81 109 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->109 111 Multi AV Scanner detection for domain / URL 2->111 113 Found malware configuration 2->113 115 16 other signatures 2->115 11 AY5uCs0HrY.exe 2->11         started        13 ustahdb 2->13         started        signatures3 process4 file5 17 AY5uCs0HrY.exe 11->17         started        75 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 13->75 dropped 167 Detected unpacking (changes PE section rights) 13->167 signatures6 process7 signatures8 101 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->101 103 Maps a DLL or memory area into another process 17->103 105 Checks if the current machine is a virtual machine (disk enumeration) 17->105 107 Creates a thread in another existing process (thread injection) 17->107 20 explorer.exe 10 17->20 injected process9 dnsIp10 83 sysaheu90.top 185.185.69.21, 49754, 49755, 49756 SPRINTHOSTRU Russian Federation 20->83 85 iyc.jelikob.ru 81.177.141.36, 443, 49824 RTCOMM-ASRU Russian Federation 20->85 87 9 other IPs or domains 20->87 51 C:\Users\user\AppData\Roaming\ustahdb, PE32 20->51 dropped 53 C:\Users\user\AppData\Roaming\estahdb, PE32 20->53 dropped 55 C:\Users\user\AppData\Local\Temp\F7D4.exe, PE32 20->55 dropped 57 15 other files (8 malicious) 20->57 dropped 133 System process connects to network (likely due to code injection or exploit) 20->133 135 Benign windows process drops PE files 20->135 137 Deletes itself after installation 20->137 139 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->139 25 D383.exe 20->25         started        30 A4FF.exe 1 20->30         started        32 estahdb 20->32         started        34 6 other processes 20->34 file11 signatures12 process13 dnsIp14 89 raw.githubusercontent.com 25->89 91 45.95.235.77, 49866, 49881, 80 YURTEH-ASUA Russian Federation 25->91 97 3 other IPs or domains 25->97 59 C:\ProgramData\upd.exe, PE32 25->59 dropped 61 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 25->61 dropped 63 C:\Users\user\AppData\Local\...\new[1].exe, PE32 25->63 dropped 65 C:\ProgramData\sqlite3.dll, PE32 25->65 dropped 141 Query firmware table information (likely to detect VMs) 25->141 143 Hides threads from debuggers 25->143 145 Tries to detect sandboxes / dynamic malware analysis system (registry check) 25->145 36 upd.exe 25->36         started        39 cmd.exe 25->39         started        147 DLL reload attack detected 30->147 149 Detected unpacking (changes PE section rights) 30->149 151 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 30->151 163 4 other signatures 30->163 153 Contains functionality to inject code into remote processes 32->153 155 Injects a PE file into a foreign processes 32->155 41 estahdb 32->41         started        93 194.180.174.181, 49880, 49900, 80 MIVOCLOUDMD unknown 34->93 95 93.115.20.139, 28978, 49877 MVPShttpswwwmvpsnetEU Romania 34->95 99 3 other IPs or domains 34->99 67 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 34->67 dropped 69 C:\Users\user\AppData\...\vcruntime140.dll, PE32 34->69 dropped 71 C:\Users\user\AppData\...\ucrtbase.dll, PE32 34->71 dropped 73 27 other files (none is malicious) 34->73 dropped 157 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->157 159 Tries to steal Mail credentials (via file access) 34->159 161 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->161 165 3 other signatures 34->165 43 RegAsm.exe 2 34->43         started        45 F7D4.exe 34->45         started        47 C440.exe 34->47         started        file15 signatures16 process17 signatures18 117 Multi AV Scanner detection for dropped file 36->117 119 Query firmware table information (likely to detect VMs) 36->119 121 Tries to detect sandboxes and other dynamic analysis tools (window names) 36->121 131 2 other signatures 36->131 49 conhost.exe 39->49         started        123 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->123 125 Maps a DLL or memory area into another process 41->125 127 Checks if the current machine is a virtual machine (disk enumeration) 41->127 129 Creates a thread in another existing process (thread injection) 41->129 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0bf1ff85a29dfb06cf83aeab4093d9bd9edfa5781fbb65fe8a31d32cc14f2bc/
Threat name:
Win32.Trojan.Krypter
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 00:39:38 UTC
AV detection:
21 of 44 (47.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6c7r76c2fhp3a3hyhlvlicj5tpm636sxqh53mx7iumotftau6k6a._file
Verdict:
malicious
Similar samples:
24c64b6ac83952dbcc423586270744c889038b0198d046fd44f264ec92e012e9
RedLineStealer
51fe7c7e0564c81aacfc4f34595cac5c3f3aaf2cf4c81f88110d152654bae326
RedLineStealer
5ef717a2fd0232d5490bd6418c981f040fef653def2cd62b5fa6591d42af3aa8
RedLineStealer
7ccbf3b294594e8217e4ca62fae730624db9a300e388f3215570154cd00617dd
RedLineStealer
bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73
RedLineStealer
c6498d4425f32bb7027530a8f717b3374a2fc968f5f6f804ce17626644e17133
RedLineStealer
ff2ac01bceeacfb50486d9ec87bcfce8523b341530a4a7b9a7bbb804c882ad41
RedLineStealer
+ 2'240 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:21321313 botnet:68e2d75238f7c69859792d206401b6bde2b2515c botnet:754 botnet:safeinstaller backdoor discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/211029-bny18shbek/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://193.56.146.214/
https://193.56.146.214/
https://mas.to/@lilocc
93.115.20.139:28978
185.183.32.161:80
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/88ce7803-1c0a-4a0a-b11e-61b1efbb769e/
SH256 hash:
f0bf1ff85a29dfb06cf83aeab4093d9bd9edfa5781fbb65fe8a31d32cc14f2bc
MD5 hash:
f4e868760f3af522ab9d5e8852e25b69
SHA1 hash:
527c7a0c96b0ebb810f9fa6575b13502e350da44
Link:
https://www.unpac.me/results/88ce7803-1c0a-4a0a-b11e-61b1efbb769e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0bf1ff85a29dfb06cf83aeab4093d9bd9edfa5781fbb65fe8a31d32cc14f2bc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f0bf1ff85a29dfb06cf83aeab4093d9bd9edfa5781fbb65fe8a31d32cc14f2bc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download

Comments