MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 054df720cdaf5db7623d8f937ccc21427661cb5a7542c3401b70b5027c55d0c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 054df720cdaf5db7623d8f937ccc21427661cb5a7542c3401b70b5027c55d0c5
SHA3-384 hash: 13525243d5b326bbda4c569de1116af0c7aeee1183f87755ea0e8ca1d13d9dce1b44aa48e8a2372dbd0e888278077221
SHA1 hash: 4071e1fa50d63443277393c38782949f6406f6c2
MD5 hash: a1c1c6c1bc1eebb3d35ed56242e2a6ee
humanhash: blossom-mockingbird-delta-timing
File name: a1c1c6c1bc1eebb3d35ed56242e2a6ee.exe
Signature RedLineStealer
File size: 4'251'727 bytes
First seen: 2021-09-25 23:00:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:x6CvLUBsgwlEh0v5d5WCkSlQpPk6Ti/T5wyvlz6+r7rGH:xbLUCgwJRCAQm6GdLvlukrGH
Threatray 564 similar samples on MalwareBazaar
TLSH T1681633517763C9FBCA015034EEC82BBB703B83C07A998C97B365890C575A867E76A50F
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.173.37.128:40504

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
http://5.252.178.152/ | https://threatfox.abuse.ch/ioc/226423/
185.173.37.128:40504 | https://threatfox.abuse.ch/ioc/226556/
45.142.215.47:27643 | https://threatfox.abuse.ch/ioc/226593/
5.252.179.93:1203 | https://threatfox.abuse.ch/ioc/226595/
45.9.20.20:13441 | https://threatfox.abuse.ch/ioc/226443/
135.181.142.223:30397 | https://threatfox.abuse.ch/ioc/226444/
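The IOC table above is only useful once it is turned into something that runs against traffic. The script below is an added example (not code from MalwareBazaar, ThreatFox or abuse.ch): it parses the six IOC lines exactly as listed in the table, matches them against a handful of constructed firewall/proxy log lines, and emits one Suricata rule per C2 socket. The same parser also accepts the IP:port pairs and URLs in the "C2 Extraction" list further down the page. The log format, the private source addresses and the local sid range 9000000+ are assumptions made for the demo.

```python
"""Turn the ThreatFox IOCs listed in this entry into detections.

Added example, not part of MalwareBazaar or ThreatFox. IOC_LINES is copied
from the entry's IOC table; SAMPLE_LOG is constructed for the demo and is
not real traffic.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs as they appear in the entry: five IP:port C2 sockets and one URL.
IOC_LINES = """
http://5.252.178.152/
185.173.37.128:40504
45.142.215.47:27643
5.252.179.93:1203
45.9.20.20:13441
135.181.142.223:30397
""".strip().splitlines()


def parse_iocs(lines):
    """Return {'socket': {(ip, port), ...}, 'host': {hostname, ...}}.

    URLs are reduced to their host: a payload server usually keeps the
    host and rotates the path, so matching the path would miss hits."""
    sockets, hosts = set(), set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        if "://" in raw:
            hosts.add(urlsplit(raw).hostname)
            continue
        ip, _, port = raw.rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a garbled IOC line
        sockets.add((ip, int(port)))
    return {"socket": sockets, "host": hosts}


# Constructed log lines (syslog-like, assumed format, not a real product).
SAMPLE_LOG = """
2021-09-26T01:02:03Z fw action=allow src=10.0.0.15:51234 dst=185.173.37.128:40504 proto=tcp
2021-09-26T01:02:05Z fw action=allow src=10.0.0.15:51240 dst=93.184.216.34:443 proto=tcp
2021-09-26T01:02:09Z proxy src=10.0.0.22 url=http://5.252.178.152/setup.exe status=200
2021-09-26T01:03:11Z fw action=allow src=10.0.0.31:50002 dst=45.142.215.47:27643 proto=tcp
2021-09-26T01:03:15Z fw action=allow src=10.0.0.31:50003 dst=45.142.215.47:443 proto=tcp
""".strip().splitlines()

DST_RE = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+):(\d+)")
URL_RE = re.compile(r"url=(\S+)")
SRC_RE = re.compile(r"src=(\S+)")


def match_log(lines, iocs):
    """Return (line_no, reason, src) for every line that hits an IOC.

    Socket IOCs require ip AND port to match (RedLine C2s sit on odd high
    ports, so the port is a strong signal); URL IOCs match on host only."""
    hits = []
    for no, line in enumerate(lines, 1):
        src = SRC_RE.search(line)
        src = src.group(1) if src else "?"
        m = DST_RE.search(line)
        if m and (m.group(1), int(m.group(2))) in iocs["socket"]:
            hits.append((no, f"C2 socket {m.group(1)}:{m.group(2)}", src))
            continue
        u = URL_RE.search(line)
        if u:
            host = urlsplit(u.group(1)).hostname
            if host in iocs["host"]:
                hits.append((no, f"payload host {host}", src))
    return hits


def suricata_rules(iocs, sid_base=9000000):
    """Emit one Suricata rule per C2 socket, in a local sid range."""
    rules = []
    for i, (ip, port) in enumerate(sorted(iocs["socket"])):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"LOCAL RedLineStealer C2 {ip}:{port} (MalwareBazaar)"; '
            f"flow:to_server; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    iocs = parse_iocs(IOC_LINES)
    for hit in match_log(SAMPLE_LOG, iocs):
        print("HIT", hit)
    print("\n".join(suricata_rules(iocs)))
```

Note the fifth constructed log line: the same host 45.142.215.47 on port 443 is deliberately not matched, because the IOC is the socket, not the address. Whether to also alert on the bare IP at lower confidence is a tuning decision; C2 addresses in this entry were current in September 2021 and should be aged out, not blocked forever.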

Intelligence


File Origin
# of uploads: 1
# of downloads: 154
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a1c1c6c1bc1eebb3d35ed56242e2a6ee.exe
Verdict: No threats detected
Analysis date: 2021-09-25 23:03:05 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
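Several of the signatures above ("Adds a directory exclusion to Windows Defender", "Disable Windows Defender real time protection (registry)", "Sigma detected: Powershell Defender Exclusion", "Sigma detected: Suspicious Script Execution From Temp Folder") are host behaviours that endpoint telemetry can catch without any hash or C2 address. The script below is an added example, not code from MalwareBazaar, the sandbox vendor or the Sigma project: it runs that detection logic over a constructed stream of events in a simplified Sysmon/PowerShell-script-block shape. The event field names, PIDs, paths and values are assumptions made for the demo; the two registry locations are the real ones Defender uses for path exclusions and for the policy that disables real-time protection.

```python
"""Host-side detection of the Defender tampering and temp-folder script
execution that the sandbox signatures for this sample describe.

Added example, not code from MalwareBazaar or any sandbox vendor. EVENTS
is a constructed stand-in for Sysmon / PowerShell script-block telemetry;
the field names ("type", "cmdline", "script", "key", "value", "data") and
every path, PID and value are assumptions for the demo.
"""
import re

# Where Defender stores path exclusions (value name = excluded path), and
# the policy key that disables real-time protection
# (DisableRealtimeMonitoring = 1). Both keys are real.
EXCLUSION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

PS_EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)
PS_DISABLE_RTP_RE = re.compile(
    r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(ps1|vbs|js|bat|cmd)\b", re.I)


def classify(event):
    """Return the detection names one event triggers (empty list if none)."""
    findings = []
    kind = event.get("type")
    if kind == "powershell":
        script = event.get("script", "")
        if PS_EXCLUSION_RE.search(script):
            findings.append("defender_exclusion_added")
        if PS_DISABLE_RTP_RE.search(script):
            findings.append("defender_realtime_disabled")
    elif kind == "registry_set":
        key = event.get("key", "")
        # Any value written under the exclusions key is a new exclusion.
        if key.lower().startswith(EXCLUSION_KEY.lower()):
            findings.append("defender_exclusion_added")
        if (key.lower() == RTP_POLICY_KEY.lower()
                and event.get("value") == "DisableRealtimeMonitoring"
                and event.get("data") == 1):
            findings.append("defender_realtime_disabled")
    elif kind == "process_create":
        cmd = event.get("cmdline", "")
        # Script interpreters fed a file from %TEMP%; plain .exe drops are
        # left to the other rules so this one stays low-noise.
        if TEMP_RE.search(cmd) and SCRIPT_EXT_RE.search(cmd):
            findings.append("script_exec_from_temp")
    return findings


def scan(events):
    """Map each detection name to the PIDs that triggered it, in event order."""
    out = {}
    for ev in events:
        for name in classify(ev):
            out.setdefault(name, []).append(ev["pid"])
    return out


def verdict(found):
    """Defender tampering alone is enough to call the host compromised;
    a lone script from %TEMP% is only suspicious."""
    if "defender_exclusion_added" in found or "defender_realtime_disabled" in found:
        return "malicious"
    return "suspicious" if found else "clean"


# Constructed telemetry, not from a real host.
EVENTS = [
    {"type": "process_create", "pid": 4120,
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\drop.exe"'},
    {"type": "powershell", "pid": 4188,
     "script": r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'},
    {"type": "registry_set", "pid": 4188, "key": EXCLUSION_KEY,
     "value": r"C:\Users\user\AppData\Local\Temp", "data": 0},
    {"type": "registry_set", "pid": 4200, "key": RTP_POLICY_KEY,
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"type": "process_create", "pid": 4300,
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\run.bat"'},
    {"type": "process_create", "pid": 4400, "cmdline": "git.exe pull"},
]

if __name__ == "__main__":
    found = scan(EVENTS)
    for name, pids in found.items():
        print(f"{name}: pids {pids}")
    print("verdict:", verdict(found))
```

The exclusion shows up twice for PID 4188, once from the script-block log and once from the registry write; that is intended, since either source alone can be missing (script-block logging off, or the exclusion added through WMI/MpCmdRun instead of PowerShell), and the registry rule is the one that catches the "(registry)" variant the sandbox flagged.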
Behaviour
Behavior Graph (ID 490623; sample SiAvWuq9Up.exe; start date 26/09/2021; architecture WINDOWS; score 100):
Network contacted from the start node: 194.145.227.161 (CLOUDPITDE, Ukraine); 162.0.210.44 (ACPCA, Canada); 162.0.214.42 (ACPCA, Canada)
Signatures at the start node: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 15 other signatures
Processes started: SiAvWuq9Up.exe; svchost.exe; svchost.exe; 3 other processes
SiAvWuq9Up.exe: drops C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\AppData\...\Mon04e9ad878ce.exe (PE32), C:\Users\user\AppData\...\Mon04cef3671321.exe (PE32+) and 16 other files (9 malicious); starts setup_install.exe
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall)
setup_install.exe: contacts 172.67.142.91 (CLOUDFLARENETUS, United States) and 127.0.0.1; Adds a directory exclusion to Windows Defender; starts cmd.exe (three instances) and 9 other processes
cmd.exe -> Mon04e9ad878ce.exe; cmd.exe -> Mon044940eb5e52.exe; cmd.exe -> Mon046508004ddf54.exe
The 9 other processes: Adds a directory exclusion to Windows Defender; start Mon047e49d6c7.exe, Mon04b85a64500f6ea7.exe, Mon0423542b9eea70028.exe and 4 other processes
Mon04e9ad878ce.exe: contacts 37.0.10.244 (WKD-ASIE, Netherlands), 37.0.8.119 (WKD-ASIE, Netherlands) and 4 other IPs or domains; drops C:\Users\...\uZ9iI3w8VIudIgsHFaJ7g74h.exe (PE32), C:\Users\...\rlOxiRfdi2ncdd5F9Yopc3BP.exe (PE32), C:\Users\...\rNsHyCKBuN9qOIeCxdkGy2AA.exe (PE32) and 33 other files (27 malicious); Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
Mon044940eb5e52.exe: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
Mon046508004ddf54.exe: Antivirus detection for dropped file; Injects a PE file into a foreign process
Mon047e49d6c7.exe: 3 other IPs or domains; drops C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
Mon04b85a64500f6ea7.exe: contacts 74.114.154.18 (AUTOMATTICUS, Canada)
Mon0423542b9eea70028.exe: 2 other IPs or domains
4 other processes: 2 other IPs or domains; Tries to harvest and steal browser information (history, passwords, etc)
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-23 00:24:56 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:janesam botnet:nanani aspackv2 backdoor infostealer spyware stealer suricata trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Download via BitsAdmin
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M3
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M4
Malware Config
C2 Extraction:
https://petrenko96.tumblr.com/
45.142.215.47:27643
65.108.20.195:6774
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SHA256 hash | MD5 hash | SHA1 hash | Detections
fea58ea431672f1c19c3188e2799febb7109562536c61891c5b09e9234b00606 | a02fcf1984e958501da2ef4ac1565559 | b97003d8ce7c98c70a7a17a90b13f07046b9e129 |
894300eca1742f48ed61be1043d3cb9924e89522c24b0f01b7cceb261a1fa073 | 7c82c868054a4fc8a5f6337a55f8d82e | 279ef02de285cbaf873e1ac2794406baa1f84f19 |
0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b | bb4e4f419dbe419d5cdca7e8534ac023 | cdacd0ad82dcefa585734e751b1cea42161a9033 |
03d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745 | ae0bb0ef615f4606fbe1f050b6f08ca3 | f69b6d6496d8941ef53bca7c3578ad616cf5a4b1 |
d18fe1fadaf4b97b1c70ef2da87bcb749f74c2d9c37aa91cd0057bdfa6f18968 | a151554a5e7b1782d677a0ce9547cbb0 | d0ac74c5d0c3d4f14662c6b05b10e07dee0bc12b |
1d04bbabdb6da4db379ca057ac0d63fb27d8891b01cf3ffcb94573be1853ecaf | d58b4be4f3dec4843801511def20ae7d | 90be9caf1efa58d6ea70ae6783bfc8e05bd9ea16 |
0cf935e0ea6fb37b6c7e743850530f3767bcd41e3358e93bd2fe36bb0db8adbf | 6524061ddd3caba8b08a5d8d76c71def | 84eb5fa9eb80bcd05d17780179ef2ad242bced7d |
1e50bead67a29eaeec16eb7f67ae9624e2e117c21838753b339f8dedcc1d0819 | 34a48b5bb71c3e586ab70823760ab20a | 4a2a5053f44be79b897a9c126befbdf32df5c4d3 |
99f944101f58bba9aa12ab645c5640e5366ca741ee3a6d67e50752c21ed58adb | b8c74058b87fe2ade1b8f5be5d4242c5 | 40fa61e60c5c62cb4980529922d725c5ef59e865 |
2b4e79a091d1c35c97d4e56b4bc67fd1045991e85f06f83cf1f582f30d77108a | e1ebd5b1868a544699f1cf217a7ec547 | 36334302b89e9238b60a281d09af05a44c50c4b4 |
596bff37505e6b5d51ffd4b066cd0106bf7c6b3e3c1b633814144c384856edda | c70afa5ba7ef9708a4d5fcf771aaa859 | 096dc11eead9e0869fd47cbd41e72cff35d9cace |
bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e | 9535f08bd5920f84ac344f8884fe155d | 05acf56d12840558ebc17a138d4390dad7a96d5a |
c9513c0be9864d06ffc483260f0e79ddeb0b2b8d805976384ee31c0628fee901 | ac64c3fff08ee8ce352766ef57aa45d7 | 02b0ed5fc2a4fe3b9c7145c15c5ecb631d1ca7b8 |
ff236ccbd61d322a223e3152e768d0a195bde866d4debbe98929a80946382832 | 14b846dbd77dbedb574227310467d5fb | 01318111c3ae602914839f4f44f66dc095f3aa51 |
e296a2f23884b61c22178b7fac931dec5873218651cca5d7afa82dda206c4862 | 762c4fa581cd46b4c6eb6326e9a21f7f | dbe7bb774fd84e5ed0a596837f49db0c90538d23 |
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc | 21775ff041e7277d87aa8fdf1e09da6c | 6dd1d6716cb93adef6c9b39490a79e77fd5396c9 |
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4 | 0dedd909aae9aa0a89b4422106310e9e | 271d36afa5b729ee590cf8066166ca5e9c9d0340 |
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f | 4f9c74430d72b9500a0d99cc28fc7a7e | a67cf6a62a6cabec501aa2f14e97c48b71dbd97c |
41fe8e15031879491d5437fdcf1150970e17d2e0b86905afe825a2cde3ebc232 | d54397a342e495b77d8573b4e0b52b7d | cab749b3d53656315b093b37ba278f2625ed8d88 |
401246783e4e23fda6bff9369b171bd3fd6880cd87c04b7a164b0cd063f6b22b | 19a4abbfe0e8f72a514b4bd4a86280a7 | 4677c408158fe304e35e88027ad947c5c9b56949 | win_socelars_auto
96346f36cb889f573e245ca49d8a1e0a76efb91cf0ca8cda413a9973a85d33ec | a17acbdaec8b7eab7d3b57c7ecf728d5 | e5ee54c1c5a564e87f774a970d386789cac94428 |
8eb3d35e60d4f74e7b59bd354172b0bcc077e39b4d6b692dfafffb497a7380d9 | df59756d2c65a7b84fb80ed6439d41a3 | 89289e24733299a6a6cd33d55309a451aef7f47a |
c84a6a6a50ec76ad88340b6fe613fb8ed818dd8be50e34a67fe5c2e56599e112 | a1a317a1fbd506298ee7a2f0e14c1680 | 9b91c4efc40645a9417a5fccd9aecd2c9f86c6e5 |
054df720cdaf5db7623d8f937ccc21427661cb5a7542c3401b70b5027c55d0c5 | a1c1c6c1bc1eebb3d35ed56242e2a6ee | 4071e1fa50d63443277393c38782949f6406f6c2 |
The last row is the submitted file itself (same hashes as at the top of this entry).
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments