MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01eb1d6a490eebc96fd6b919ae7eb836932a329b66eae022356b5f57acc87686. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 4 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01eb1d6a490eebc96fd6b919ae7eb836932a329b66eae022356b5f57acc87686
SHA3-384 hash: 1c3265e6e16f734846f3c356afeabfb0e2b0dd2d403b80c2d30aeb08ca3e910f041da2fb23d1f8186d3d07d4dcf010d6
SHA1 hash: 1f84cab6835a76efc403fe1a0d22522e8dfa1581
MD5 hash: c9a7b309d45200b0629a168424af7d8e
humanhash: wisconsin-five-hot-seven
File name:C9A7B309D45200B0629A168424AF7D8E.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:17'218'560 bytes
First seen:2022-04-10 11:15:50 UTC
Last seen:2022-04-10 11:40:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 393216:8nsnjvt2LNGSOfdPx+csNx+ACSK3mQtzrd:CJGSoPW+AwmQ1r
Threatray 10'786 similar samples on MalwareBazaar
TLSH T1EC07CD69C968A15A4373CF724B2A656A590FFD737E31ED360139611E8A3B290C33713E
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.106.191.132:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.132:23196 https://threatfox.abuse.ch/ioc/518238/
46.8.19.115:7225 https://threatfox.abuse.ch/ioc/518239/
149.202.88.172:15126 https://threatfox.abuse.ch/ioc/518241/
94.103.87.154:9697 https://threatfox.abuse.ch/ioc/518242/

Intelligence

File Origin
# of uploads :
2
# of downloads :
333
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
C9A7B309D45200B0629A168424AF7D8E.exe
Verdict:
Malicious activity
Analysis date:
2022-04-10 11:21:38 UTC
Tags:
loader trojan rat redline
Link:
https://app.any.run/tasks/91e2768c-bb62-47f4-83ff-6e6cbde87d8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.28645.21800.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Searching for the window
Searching for analyzing tools
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm mokes obfuscated packed
Link:
https://www.filescan.io/uploads/6252bc7304b81dabe272e624/reports/31990975-1350-4e81-bacf-0bb4f28e633f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4786dcc5-bfc2-42ab-be8c-1f64acfc2bf4
Result
Threat name:
Cookie Stealer Cyberduck RedLine Socelar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974020
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files with lurking names (e.g. Crack.exe)
Creates processes via WMI
Detected VMProtect packer
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Yara detected Cyberduck
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 606505 Sample: uzu6AvUlng.exe Startdate: 10/04/2022 Architecture: WINDOWS Score: 100 56 23.35.236.56 ZAYO-6461US United States 2->56 58 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->58 60 12 other IPs or domains 2->60 76 Multi AV Scanner detection for domain / URL 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for URL or domain 2->80 82 18 other signatures 2->82 8 uzu6AvUlng.exe 17 2->8         started        11 rundll32.exe 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\tvstream22.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\Local\...\siww1049.exe, PE32+ 8->32 dropped 34 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 8->34 dropped 36 13 other files (12 malicious) 8->36 dropped 13 TrdngAnlzr98262.exe 6 8->13         started        18 1.exe 3 8->18         started        20 siww1049.exe 8->20         started        22 3 other processes 8->22 process6 dnsIp7 66 172.105.52.100 LINODE-APLinodeLLCUS United States 13->66 68 5.101.153.227 BEGET-ASRU Russian Federation 13->68 40 C:\Users\user\AppData\Local\TempGCML.exe, PE32 13->40 dropped 42 C:\Users\user\AppData\Local\Temp\A8211.exe, PE32 13->42 dropped 44 C:\Users\user\AppData\...\7MM27C7A6MG6F5D.exe, PE32+ 13->44 dropped 54 2 other files (1 malicious) 13->54 dropped 84 Query firmware table information (likely to detect VMs) 13->84 86 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->86 108 3 other signatures 13->108 24 conhost.exe 13->24         started        46 C:\Users\Public\SteamKeyNeg.exe, PE32 18->46 dropped 48 C:\Users\Public\SteamKeyGen.exe, PE32 18->48 dropped 88 Multi AV Scanner detection for dropped file 18->88 90 Drops PE files to the user root directory 18->90 92 Creates files with lurking names (e.g. Crack.exe) 18->92 70 208.95.112.1 TUT-ASUS United States 20->70 94 Antivirus detection for dropped file 20->94 96 Machine Learning detection for dropped file 20->96 98 Tries to detect virtualization through RDTSC time measurements 20->98 72 152.32.193.91 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK Hong Kong 22->72 74 148.251.234.83 HETZNER-ASDE Germany 22->74 50 C:\Users\user\Documents\...\note6060.exe, PE32 22->50 dropped 52 C:\Users\user\AppData\Local\...\setup.tmp, PE32 22->52 dropped 100 Obfuscated command line found 22->100 102 Drops PE files to the document folder of the user 22->102 104 Tries to harvest and steal browser information (history, passwords, etc) 22->104 106 Creates processes via WMI 22->106 26 chenb.exe 2 22->26         started        file8 signatures9 process10 dnsIp11 62 8.8.8.8 GOOGLEUS United States 26->62 64 104.21.40.196 CLOUDFLARENETUS United States 26->64 38 C:\Users\user\AppData\Local\Temp\db.dll, PE32 26->38 dropped file12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01eb1d6a490eebc96fd6b919ae7eb836932a329b66eae022356b5f57acc87686/
Threat name:
ByteCode-MSIL.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 17:38:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
32 of 42 (76.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahvr22sjb3v4s36wxem247vyg2jsumu3m3voairvnnpvplgio2da._file
Verdict:
malicious
Similar samples:
190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5
RedLineStealer
38066ee9fea009a8a6c2575e1a05fadd49a2cfe205dd8a6604eea85f5c7a42bd
RedLineStealer
55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb
RedLineStealer
67e030c1c7dd08138eb1d6a12a4d652c4a304f22db556afce411c32a23bddf23
RedLineStealer
800175a19a10dae3a8acbbfec1291416b5babb144cbedd017c5a75c816687381
RedLineStealer
ca5309eca6c4688b50a8dd11520273ad243177d016b7b35282cc73a17ca768ed
RedLineStealer
fea660657f6285124e61fe5dcafe9374344d941e6fbeaa89f3a2640572ccc784
RedLineStealer
+ 10'776 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:loaderbot family:redline family:socelars botnet:123 discovery evasion infostealer loader miner persistence spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/220410-nc45bsdcd5/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
LoaderBot
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/vsdh41/
188.68.205.12:7053
Unpacked files
SH256 hash:
8711ce6546692d790f6157cfd7df54d0ddf42b00bf0de7dbffe7ac279ee58b31
MD5 hash:
1dfe798ac62b7cf923ec813c9d97c481
SHA1 hash:
72c25a3b3df43ec19a3dff8a299c7bae77a3f0e9
Link:
https://www.unpac.me/results/023b899f-ec2f-46a6-ac36-82b913eed409/
SH256 hash:
ca1e30ff9e3ee12e03e0cf1c88c7c0c0356abc140f332e28bc733e91927388c3
MD5 hash:
3371d293953af95cf6ca7886bd3f545a
SHA1 hash:
8abe761e60051d8b68298ed05ae4f9d09a2f8c0f
Link:
https://www.unpac.me/results/023b899f-ec2f-46a6-ac36-82b913eed409/
SH256 hash:
01eb1d6a490eebc96fd6b919ae7eb836932a329b66eae022356b5f57acc87686
MD5 hash:
c9a7b309d45200b0629a168424af7d8e
SHA1 hash:
1f84cab6835a76efc403fe1a0d22522e8dfa1581
Link:
https://www.unpac.me/results/023b899f-ec2f-46a6-ac36-82b913eed409/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01eb1d6a490eebc96fd6b919ae7eb836932a329b66eae022356b5f57acc87686

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments