MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb5573d3222e294a28c60e7138a8be83653415febc2a5d7658724de8ee645732. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb5573d3222e294a28c60e7138a8be83653415febc2a5d7658724de8ee645732
SHA3-384 hash: 7a786ac71b352dd3d8eeb9f34d7f5ef6b16e341ba673952e4da04bde2f573d0614bb68ac2007f8f1e56f2ea725c875bf
SHA1 hash: 4564e612f8d0d14b2679ebfaf7d1c0a8c7b0fea1
MD5 hash: 19bf6f083560099b7988ca987a401f1e
humanhash: idaho-eighteen-april-hydrogen
File name:19bf6f083560099b7988ca987a401f1e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:340'992 bytes
First seen:2021-11-12 16:35:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f3ed7d9c3a0be141edff0347fe399ebd (4 x RedLineStealer, 1 x Glupteba)
ssdeep 6144:Io+QVBWF/BllgyZn/ZV0duUphnrzkXCcLHmGp0nDp:x+QVknlgyZn/ZV0duuhrYXCc6myt
TLSH T1EF748E00B7A1C035F0B216FC49769379B93EBDE2AB2490CF12D526EA5675AE0ED30717
File icon (PE):PE icon
dhash icon e2e8e8e8aa66a489 (1 x RedLineStealer, 1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
86.107.197.248:56626

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
86.107.197.248:56626 https://threatfox.abuse.ch/ioc/247483/

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://accesstostofilestorage.com/Click_here.zip?c=AEzQVmEHGgUAgUsCAEVHFwASABDUfdQA
Verdict:
Malicious activity
Analysis date:
2021-11-11 19:48:24 UTC
Tags:
evasion trojan loader opendir rat redline stealer vidar
Link:
https://app.any.run/tasks/70280bad-96d6-42fc-9c35-37b7d6263b2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205329/
Detection(s):
Win.Malware.Generic-9908111-0
Create hunting rule

Win.Dropper.Ulise-9908333-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/618e97f8dec3347825a2e49a/reports/6c37a92d-b206-43ad-a40c-bc312e9caeba/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9305263-a0d4-4be7-9664-228dd1f1c0d9
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888259
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL reload attack detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 520733 Sample: 3B0jZOP3Ou.exe Startdate: 12/11/2021 Architecture: WINDOWS Score: 100 67 ttmirror.top 2->67 69 teletele.top 2->69 71 4 other IPs or domains 2->71 87 Multi AV Scanner detection for domain / URL 2->87 89 Antivirus detection for URL or domain 2->89 91 Multi AV Scanner detection for submitted file 2->91 93 6 other signatures 2->93 10 3B0jZOP3Ou.exe 2->10         started        12 dwgveug 2->12         started        15 wcgveug 2->15         started        signatures3 process4 signatures5 17 3B0jZOP3Ou.exe 10->17         started        135 Multi AV Scanner detection for dropped file 12->135 137 Machine Learning detection for dropped file 12->137 20 dwgveug 12->20         started        process6 signatures7 79 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->79 81 Maps a DLL or memory area into another process 17->81 83 Checks if the current machine is a virtual machine (disk enumeration) 17->83 22 explorer.exe 8 17->22 injected 85 Creates a thread in another existing process (thread injection) 20->85 process8 dnsIp9 73 216.128.137.31, 443, 49748, 49749 AS-CHOOPAUS United States 22->73 75 nusurtal4f.net 45.141.84.21, 80 MEDIALAND-ASRU Russian Federation 22->75 77 6 other IPs or domains 22->77 49 C:\Users\user\AppData\Roaming\wcgveug, PE32 22->49 dropped 51 C:\Users\user\AppData\Roaming\dwgveug, PE32 22->51 dropped 53 C:\Users\user\AppData\Local\Temp2D0.exe, PE32 22->53 dropped 55 7 other malicious files 22->55 dropped 103 System process connects to network (likely due to code injection or exploit) 22->103 105 Benign windows process drops PE files 22->105 107 Deletes itself after installation 22->107 109 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->109 27 4D47.exe 22->27         started        30 CC88.exe 1 22->30         started        33 9A4A.exe 2 22->33         started        36 4 other processes 22->36 file10 signatures11 process12 dnsIp13 111 Machine Learning detection for dropped file 27->111 113 Contains functionality to inject code into remote processes 27->113 115 Injects a PE file into a foreign processes 27->115 38 4D47.exe 27->38         started        57 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 30->57 dropped 117 Multi AV Scanner detection for dropped file 30->117 119 DLL reload attack detected 30->119 121 Detected unpacking (changes PE section rights) 30->121 133 3 other signatures 30->133 59 45.9.20.149, 10844, 49834 DEDIPATH-LLCUS Russian Federation 33->59 123 Query firmware table information (likely to detect VMs) 33->123 125 Tries to detect sandboxes and other dynamic analysis tools (window names) 33->125 127 Hides threads from debuggers 33->127 129 Tries to detect sandboxes / dynamic malware analysis system (registry check) 33->129 61 93.115.20.139, 28978, 49846 MVPShttpswwwmvpsnetEU Romania 36->61 63 162.159.134.233, 443, 49833 CLOUDFLARENETUS United States 36->63 65 2 other IPs or domains 36->65 131 Antivirus detection for dropped file 36->131 41 E2D0.exe 2 36->41         started        43 AEFC.exe 2 36->43         started        45 conhost.exe 36->45         started        47 2 other processes 36->47 file14 signatures15 process16 signatures17 95 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->95 97 Maps a DLL or memory area into another process 38->97 99 Checks if the current machine is a virtual machine (disk enumeration) 38->99 101 Creates a thread in another existing process (thread injection) 38->101
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb5573d3222e294a28c60e7138a8be83653415febc2a5d7658724de8ee645732/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 22:38:41 UTC
AV detection:
26 of 27 (96.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nkxhuzcfyuuukggbzytrkf6qnstifp6xqvf25syojg6r3tek4za._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:1 botnet:intalls botnet:superstar backdoor discovery infostealer spyware stealer themida trojan upx
Link:
https://tria.ge/reports/211112-t39qdsdgh8/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://nalirou70.top/
http://xacokuo80.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
185.159.80.90:38637
185.215.113.29:36224
50.18.71.252:12081
144.202.123.191:49885
Unpacked files
SH256 hash:
cdb9c842ba86fc328ec80226975c54c24a3ee9868cbbaab14d2b651cc80e70e6
MD5 hash:
f7ff52793660cabb5ebd2bd4b9810336
SHA1 hash:
23e6a68262b479a1ff214b09dbfe159292475a22
Link:
https://www.unpac.me/results/e56c6818-15dc-489f-983e-a331cd0e444f/
SH256 hash:
fb5573d3222e294a28c60e7138a8be83653415febc2a5d7658724de8ee645732
MD5 hash:
19bf6f083560099b7988ca987a401f1e
SHA1 hash:
4564e612f8d0d14b2679ebfaf7d1c0a8c7b0fea1
Link:
https://www.unpac.me/results/e56c6818-15dc-489f-983e-a331cd0e444f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fb5573d3222e294a28c60e7138a8be83653415febc2a5d7658724de8ee645732

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1755148/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205329/

Comments