MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f53bd311555276b13fd3d748850bb8843862b6a0a6ed233e55e8786241c33afd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f53bd311555276b13fd3d748850bb8843862b6a0a6ed233e55e8786241c33afd
SHA3-384 hash: 41da47692a3a956156dce541e0485ef722d76bd996f550f44b9a6987b2ae829ba85ec9aaf8c6e5ba399c763e3ce741bb
SHA1 hash: ff2de3ebc1179ca333b674e0b272bc731088039c
MD5 hash: 2fcfa4add8198b5659fb7d036628f3ba
humanhash: social-september-bravo-twelve
File name:2fcfa4add8198b5659fb7d036628f3ba.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:285'184 bytes
First seen:2022-07-07 22:55:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e3197bd2e8d6d96873982b03f5c6089a (1 x GCleaner, 1 x RedLineStealer, 1 x TeamBot)
ssdeep 6144:7+Mo1fmc5mkJwhqeUNe3fRQoK+aAwH7CXodW3Wer978ad:7+z1f+zhqe+YfRQJ6e7CXGer9
TLSH T163548D10BA90C035F1B712F84ABA97ACB93E7AA15B3454CF52D556EE47386E1EC3130B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2dacaaecee6baa6 (23 x RedLineStealer, 22 x Stop, 13 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.178.170.234:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.178.170.234:80 https://threatfox.abuse.ch/ioc/815206/

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-9954251-0
Create hunting rule

Win.Packed.Crypterx-9954282-0
Create hunting rule

Win.Dropper.ClipBanker-9954298-0
Create hunting rule

Win.Malware.Bootkitx-9954421-0
Create hunting rule

Win.Malware.Bootkitx-9954483-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult greyware packed
Link:
https://www.filescan.io/uploads/62c764bedd037e2703377e74/reports/645686b8-94ab-494f-a539-ede2ee5ddb61/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32117024-83d4-4893-b048-a08f47d07321
Result
Threat name:
Clipboard Hijacker, SmokeLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1026831
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Clipboard Hijacker
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 659323 Sample: ypSP0Yp08Q.exe Startdate: 08/07/2022 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic 2->74 76 Multi AV Scanner detection for domain / URL 2->76 78 Antivirus detection for URL or domain 2->78 80 11 other signatures 2->80 9 ypSP0Yp08Q.exe 2->9         started        12 vvgbgbv 2->12         started        process3 signatures4 96 Detected unpacking (changes PE section rights) 9->96 98 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->98 100 Maps a DLL or memory area into another process 9->100 102 Creates a thread in another existing process (thread injection) 9->102 14 explorer.exe 4 6 9->14 injected 104 Multi AV Scanner detection for dropped file 12->104 106 Machine Learning detection for dropped file 12->106 108 Checks if the current machine is a virtual machine (disk enumeration) 12->108 process5 dnsIp6 60 222.236.49.123, 49759, 49763, 49770 SKB-ASSKBroadbandCoLtdKR Korea Republic of 14->60 62 58.235.189.192, 49760, 49762, 49764 SKB-ASSKBroadbandCoLtdKR Korea Republic of 14->62 64 4 other IPs or domains 14->64 48 C:\Users\user\AppData\Roaming\vvgbgbv, PE32 14->48 dropped 50 C:\Users\user\AppData\Local\Temp\FB8F.exe, PE32 14->50 dropped 52 C:\Users\user\AppData\Local\Temp\6EB2.exe, PE32 14->52 dropped 54 C:\Users\user\...\vvgbgbv:Zone.Identifier, ASCII 14->54 dropped 66 System process connects to network (likely due to code injection or exploit) 14->66 68 Benign windows process drops PE files 14->68 70 Deletes itself after installation 14->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->72 19 FB8F.exe 24 14->19         started        24 6EB2.exe 4 14->24         started        26 SmartClock.exe 14->26         started        file7 signatures8 process9 dnsIp10 56 t.me 149.154.167.99, 443, 49809 TELEGRAMRU United Kingdom 19->56 58 95.217.244.218, 49814, 49840, 80 HETZNER-ASDE Germany 19->58 38 C:\ProgramData\vcruntime140.dll, PE32 19->38 dropped 40 C:\ProgramData\softokn3.dll, PE32 19->40 dropped 42 C:\ProgramData\nss3.dll, PE32 19->42 dropped 46 4 other files (none is malicious) 19->46 dropped 82 Detected unpacking (changes PE section rights) 19->82 84 Detected unpacking (creates a PE file in dynamic memory) 19->84 86 Detected unpacking (overwrites its own PE header) 19->86 94 4 other signatures 19->94 28 cmd.exe 1 19->28         started        44 C:\Users\user\AppData\...\SmartClock.exe, PE32 24->44 dropped 88 Multi AV Scanner detection for dropped file 24->88 90 Machine Learning detection for dropped file 24->90 92 Delayed program exit found 24->92 30 SmartClock.exe 24->30         started        file11 signatures12 process13 process14 32 taskkill.exe 1 28->32         started        34 conhost.exe 28->34         started        36 timeout.exe 1 28->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f53bd311555276b13fd3d748850bb8843862b6a0a6ed233e55e8786241c33afd/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-06-29 19:35:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6u55gekvkj3lcp6t25eikc5yqq4gfnvau3wsgpsv5b4geqodhl6q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220707-2wntcahdb8/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops startup file
Downloads MZ/PE file
Executes dropped EXE
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
473b596b3d8a443a2e9886dfc9013f3ae8ba19a8bdbad1083e46d5cdef043932
MD5 hash:
fcbb34c3a50da96e87b810ba24fe1da7
SHA1 hash:
9698ae95cd61f402d8d30c0bb514dc098dcff4b2
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/0d8a5760-8c0a-4453-b640-ad713c0145b8/
Parent samples :
f53bd311555276b13fd3d748850bb8843862b6a0a6ed233e55e8786241c33afd
422db20463fd32670b6144d947bf719718fdf42fc73da42030e6acdfdb5aac5c
SH256 hash:
f53bd311555276b13fd3d748850bb8843862b6a0a6ed233e55e8786241c33afd
MD5 hash:
2fcfa4add8198b5659fb7d036628f3ba
SHA1 hash:
ff2de3ebc1179ca333b674e0b272bc731088039c
Link:
https://www.unpac.me/results/0d8a5760-8c0a-4453-b640-ad713c0145b8/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f53bd3115552/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f53bd311555276b13fd3d748850bb8843862b6a0a6ed233e55e8786241c33afd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments