MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01ac2b3990a1cf431549d25cc7b1b280d7a9cb80c9ab3c9bdd804b19e941143a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 01ac2b3990a1cf431549d25cc7b1b280d7a9cb80c9ab3c9bdd804b19e941143a
SHA3-384 hash: 5d5164315f3120cf766d75b1aeab108d5b746f522ef54fce97935753dc4a0f22d8f4c749433d6ca462e2c2377d81017e
SHA1 hash: bd5afc45bedf78642e65ee101089e5367660cbd9
MD5 hash: a0e35748aa50923f00e9b04027c2fc5c
humanhash: alanine-music-virginia-michigan
File name: a0e35748aa50923f00e9b04027c2fc5c.exe
Signature: RedLineStealer
File size: 9'969'527 bytes
First seen: 2022-03-23 14:32:30 UTC
Last seen: 2022-04-19 08:11:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JvDc7bkwvstcvAimbyDs7qkP3+1PX9urier4G6WzYVqCMwvBiLn1k2MQjIrR:J+k6suOasekP6fdjVVqCMwvBMn1ucIrR
Threatray: 7'173 similar samples on MalwareBazaar
TLSH: T18BA633C5B31D9CDAE94593B38C225874DA8F7EB9CACA610F5B10A07BF8934794639370
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer zerit-top


abuse_ch
RedLineStealer C2:
116.202.106.111:9582

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 116.202.106.111:9582
ThreatFox Reference: https://threatfox.abuse.ch/ioc/442879/

Intelligence


File Origin
# of uploads: 2
# of downloads: 260
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
Creating a window
Searching for analyzing tools
Searching for synchronization primitives
DNS request
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Trojan.Tnega
Status:
Malicious
First seen:
2022-03-20 06:50:23 UTC
File Type:
PE (Exe)
Extracted files:
303
AV detection:
31 of 42 (73.81%)
Threat level:
  5/5
Result
Malware family:
socelars
Score:
  10/10
Tags:
family:onlylogger family:redline family:smokeloader family:socelars aspackv2 backdoor discovery infostealer loader persistence spyware stealer suricata trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:PowerTool
Author:@bartblaze
Description:Identifies PowerTool, sometimes used by attackers to disable security software.
Reference:https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments