MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f89c3828131de9a67cd510e9da867e2ba7de41193773deb7f7e5a14ed86e967f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f89c3828131de9a67cd510e9da867e2ba7de41193773deb7f7e5a14ed86e967f
SHA3-384 hash: d992c95b7e99975b9277d107e70699dfa85dd7d50dbbe6cdf8d8e539a2062d0a960270a1dadfe15a910b66d9c33e9d2d
SHA1 hash: 92c40f639e9a9aaf7296e0c7342586366e58e318
MD5 hash: d8345debb4a650f89075ea71681620cc
humanhash: double-happy-aspen-ohio
File name:d8345debb4a650f89075ea71681620cc.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:342'528 bytes
First seen:2022-01-26 17:45:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aa2b22e8e3b96fd546a63d71626f45a6 (5 x RedLineStealer, 2 x Smoke Loader, 2 x RaccoonStealer)
ssdeep 6144:HVtGvrPX5T+J+YAo0BYs8NWnfZPj4x38/JwtSZCv9vxxNCMX3D7T5njI3:Hn+S+k0ShUfZPj4x38CtSEJQMvO
Threatray 28 similar samples on MalwareBazaar
TLSH T11A747C00B7A0D435F5B721F449BA93BCA53E7AA15B2461CB53D16AEE6B346E0DC3130B
File icon (PE):PE icon
dhash icon 2dec1378399b9b91 (25 x Smoke Loader, 22 x RedLineStealer, 7 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.29:20819

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.29:20819 https://threatfox.abuse.ch/ioc/334657/

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d8345debb4a650f89075ea71681620cc.exe
Verdict:
No threats detected
Analysis date:
2022-01-26 17:53:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/581b358d-e747-45f1-8a23-117f9ca0426c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/223598/
Detection(s):
Win.Dropper.Mikey-9917324-0
Create hunting rule

Win.Packed.Tofsee-9937387-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5259/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61f188e5d73ca9d4648e907a/reports/790ebeac-d197-4e8e-bffe-fe165a49f7c9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d85de1f-5a6e-4d67-9c63-b7e33aaa77db
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/928170
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f89c3828131de9a67cd510e9da867e2ba7de41193773deb7f7e5a14ed86e967f/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2022-01-26 17:46:12 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7codqkatdxu2m7gvcdu5vbt6fot54qizg5z55n7x4wqu5wdosz7q._file
Verdict:
malicious
Similar samples:
2e7447c239a5c4718568d6f728a8f6f71178bf299e699c945325564da2e6e8df
RedLineStealer
a7bf19187e84d12c7fb6adb7fe37dbdfe83cf2d9a5c229f25733bb6dc7baef61
RedLineStealer
bd77b945024898d5ade268a5b1d932026ba3acc6bc9e05d6040c7fb57d94d01b
RedLineStealer
d64c8c01766cefa6cc6afda7ec2291fc7d18c59d179bdf90403a76b032b04785
RedLineStealer
ede12e010ddaffd96dbc21854ff8a5f24d75cd9766d6eb41fce18824c5c18889
RedLineStealer
fc0ca51fbc6a446ee39b3cdfc49a571c75ba7398ebb3b1a212882608061bb1e4
RedLineStealer
fe035a3111a37c273676890230dd284b8bc0481377b921e9dd3818b39ef8c3e9
RedLineStealer
+ 18 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor collection evasion trojan
Link:
https://tria.ge/reports/220126-wccdbagec6/
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Accesses Microsoft Outlook profiles
Deletes itself
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
SmokeLoader
Malware Config
C2 Extraction:
http://abpa.at/upload/
http://emaratghajari.com/upload/
http://d7qw.cn/upload/
http://alumik-group.ru/upload/
http://zamkikurgan.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
Unpacked files
SH256 hash:
1ff9a75082212ea111b1d0bd15bb4b6583298b8c2c6585994a5003f8bb966211
MD5 hash:
372914937cc56157b0e449ec1d3825ce
SHA1 hash:
4ffa778e5af71d7fe7333be5920246e6afa45ead
Link:
https://www.unpac.me/results/e0bc1c33-1f20-490f-b852-47e5239b2dad/
SH256 hash:
f89c3828131de9a67cd510e9da867e2ba7de41193773deb7f7e5a14ed86e967f
MD5 hash:
d8345debb4a650f89075ea71681620cc
SHA1 hash:
92c40f639e9a9aaf7296e0c7342586366e58e318
Link:
https://www.unpac.me/results/e0bc1c33-1f20-490f-b852-47e5239b2dad/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f89c3828131d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f89c3828131de9a67cd510e9da867e2ba7de41193773deb7f7e5a14ed86e967f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f89c3828131de9a67cd510e9da867e2ba7de41193773deb7f7e5a14ed86e967f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1995364/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1995362/
Cape
Cape
https://www.capesandbox.com/analysis/223598/

Comments