MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0705af99615fdc12025b5449cb80591559a3f7a31037cd85dcc64ed0f7224fdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 0705af99615fdc12025b5449cb80591559a3f7a31037cd85dcc64ed0f7224fdc
SHA3-384 hash: d84329731562afe937c113606d0d8d8bf72fc93168e07865e7a34f77e7e2586c6c034b5cf376b419f8629d345e85f4dc
SHA1 hash: 74c44fc17238b59a2bb9ad037dbc8c6c5e3ea240
MD5 hash: ecc5658c2d0b0b9ffdc2729950a19a84
humanhash: shade-fifteen-september-seven
File name: ECC5658C2D0B0B9FFDC2729950A19A84.exe
Signature: RedLineStealer
File size: 763'482 bytes
First seen: 2021-07-24 07:35:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'458 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 6144:d/QiQXCXyQ815m+ksmpk3U9j0Id4AsoxvjFEOTb9WmZX/8shzdsY4CpHPhndLEkV:VQi3CJc6m6UR0Ibp1hf39Wkv8xwJLV
Threatray: 229 similar samples on MalwareBazaar
TLSH: T1FAF40153BA89C832E06255708EA2D0B1463B7F281D77354A36CE7F4F3BB23515129BB6
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer
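As an added example (this editor's code, not MalwareBazaar's or abuse.ch's), the Python script below recomputes the hashlib-supported digests listed above for a sample you have downloaded and extracted, and reports every field that does not match this entry. The script name, function names and command-line usage are assumptions for the example; the hash values and file size are copied from the table above. Only MD5, SHA1, SHA256 and SHA3-384 are covered; imphash, ssdeep and TLSH need the pefile, ssdeep and py-tlsh libraries and are left out.

```python
"""Verify a downloaded sample against this MalwareBazaar entry's hashes.

Added example, not MalwareBazaar or abuse.ch code. Only the hashlib
algorithms listed on the entry (MD5, SHA1, SHA256, SHA3-384) are computed;
imphash, ssdeep and TLSH need pefile, ssdeep and py-tlsh and are left out.
"""
import hashlib
import sys

# Copied from the "Database Entry" table above.
ENTRY_HASHES = {
    "md5": "ecc5658c2d0b0b9ffdc2729950a19a84",
    "sha1": "74c44fc17238b59a2bb9ad037dbc8c6c5e3ea240",
    "sha256": "0705af99615fdc12025b5449cb80591559a3f7a31037cd85dcc64ed0f7224fdc",
    "sha3_384": "d84329731562afe937c113606d0d8d8bf72fc93168e07865e7a34f77e7e2586c6c034b5cf376b419f8629d345e85f4dc",
}
ENTRY_SIZE = 763482  # "763'482 bytes" on the page


def hashes(data):
    """Lower-case hex digests for every algorithm in ENTRY_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def verify(data, expected=ENTRY_HASHES, size=None):
    """Return the names of the checks that fail; an empty list is a match.

    Every digest is compared, not just MD5: MD5 and SHA1 are collision-prone,
    so a file that agrees only on a weak hash is not the same file.
    """
    actual = hashes(data)
    failed = [name for name, digest in expected.items() if actual[name] != digest.lower()]
    if size is not None and len(data) != size:
        failed.append("size")
    return failed


if __name__ == "__main__":
    # Usage (assumed name): python verify_sample.py <extracted sample>
    # MalwareBazaar serves samples as password-protected zips ("infected");
    # hash the extracted PE, not the archive.
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    failed_checks = verify(blob, size=ENTRY_SIZE)
    print("matches entry" if not failed_checks else "MISMATCH: " + ", ".join(failed_checks))
```

Two caveats on the similarity fields when you pivot from this entry: the imphash is shared with 3'725 GCleaner and 3'458 Socks5Systemz samples, so it identifies a packer or installer stub rather than a family, and the icon dhash is all zeros (a blank or missing icon), which matches anything without an icon. The Threatray similarity count and the extracted C2 indicators further down are the stronger pivots.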


abuse_ch
RedLineStealer C2:
212.224.105.106:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 212.224.105.106:80
ThreatFox reference: https://threatfox.abuse.ch/ioc/162450/

Intelligence


File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ECC5658C2D0B0B9FFDC2729950A19A84.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-24 07:37:59 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Behavior Graph ID: 453603
Sample: ikvsJLwo6l.exe (the sandbox's name for this file)
Start date: 24/07/2021
Architecture: WINDOWS
Score: 100

Start node: zina-boutique.com, yarinefatt.xyz and 26 other IPs or domains contacted.
Start-node signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 7 other signatures.

Process tree (numbers are the graph's node IDs; network, dropped-file and signature lines belong to the process directly above them):

11 ikvsJLwo6l.exe
    dropped: C:\Users\user\AppData\...\ikvsJLwo6l.tmp (PE32)
    18 ikvsJLwo6l.tmp
        network: superstationcity.com 194.163.135.248 (ports 49723, 49739, 49777; NEXINTO-DE, Germany); requested404.com 63.250.33.126 (port 80; NAMECHEAP-NETUS, United States)
        dropped: C:\Users\user\AppData\Local\...\aker_mi.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        24 aker_mi.exe
            network: connectini.net 162.0.210.44 (ports 443, 49734, 49747; ACPCA, Canada); privateinvestig8tor.com 162.0.220.187 (ports 49740, 49822, 80; ACPCA, Canada); superstationcity.com
            dropped: C:\Program Files (x86)\...\Gyzheluxovy.exe (PE32); C:\...\Gyzheluxovy.exe.config (XML); C:\Users\user\AppData\...\Lypeshewedi.exe (PE32); 2 other files (none is malicious)
            signature: Drops executable to a common third party application directory
            29 Bavaeviryko.exe
                network: www.google.com 172.217.168.68 (ports 49746, 80; GOOGLEUS, United States); connectini.net
                37 chrome.exe
                    network: 192.168.2.6 (ports 443, 49678, 49680); 192.168.2.1; 239.255.255.250 (reserved)
                    49 chrome.exe
                        network: mc.yandex.ru 93.158.134.119 (ports 443, 49773, 49781; YANDEXRU, Russian Federation); edge.gycpi.b.yahoodns.net 87.248.118.23 (ports 443, 49819; YAHOO-DEBDE, United Kingdom); 50 other IPs or domains
                40 chrome.exe
                42 chrome.exe
                47: 12 other processes
            32 irecord.exe
                dropped: C:\Users\user\AppData\Local\...\irecord.tmp (PE32)
                44 irecord.tmp
                    dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\is-TPEOJ.tmp (PE32); 11 other files (none is malicious)
                    52 I-Record.exe
            35 Lypeshewedi.exe
                network: www-google-analytics.l.google.com 216.58.215.238 (ports 443, 49807; GOOGLEUS, United States); privateinvestig8tor.com; 3 other IPs or domains
14 Gyzheluxovy.exe (started from the start node; this is the executable aker_mi.exe drops under Program Files (x86))
    network: superstationcity.com; google.com
    dropped: C:\Program Files (x86)\...\Windows Update.exe (PE32); C:\...\Windows Update.exe.config (XML)
    signature: Drops executable to a common third party application directory
    22 Windows Update.exe

Reading notes: the _shfoldr.dll, _setup64.tmp, idp.dll and is-*.tmp drops are standard Inno Setup installer artifacts, consistent with the "installer" tag above, and "Windows Update.exe" under Program Files (x86) is a decoy name, since no Windows Update component is installed under that path. The google.com, yandex.ru and yahoodns.net hosts reached by the chrome.exe children are ordinary browser traffic, not C2.
Threat name:
ByteCode-MSIL.Trojan.Generic
Status:
Suspicious
First seen:
2021-07-17 10:43:01 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Result
Malware family:
socelars
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:socelars backdoor discovery dropper evasion infostealer loader persistence spyware stealer suricata trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
VMProtect packed file
Checks for common network interception software
Nirsoft
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
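To turn the ThreatFox IOC above (212.224.105.106:80) and the 30 extracted C2 URLs into something a SOC can actually run, here is an added example in Python (this editor's code, not MalwareBazaar's, Triage's or abuse.ch's). It regenerates the readinglistforjuly1-10 .xyz/.site/.club list from its pattern, builds domain, IP and ip:port indicator sets, and scans a handful of constructed log lines in a made-up key=value format; the dns/proxy/fw record layout, the field names and the 10.0.0.x client addresses are invented for the example. Hosts that only appear in the Joe Sandbox graph above (google.com, mc.yandex.ru, superstationcity.com, connectini.net and the rest) are deliberately not included: the graph records everything the processes touched, benign infrastructure included, and those need vetting before they become blocklist entries.

```python
"""Match this entry's C2 indicators against log lines.

Added example, not MalwareBazaar, abuse.ch or Triage code. Indicators: the
ThreatFox IOC (212.224.105.106:80) and the 30 "C2 Extraction" URLs above.
Log format, field names and client addresses are constructed for the example.
"""
import re
from urllib.parse import urlsplit

THREATFOX_IOCS = ["212.224.105.106:80"]

# The 30 extracted C2 URLs follow one pattern: readinglistforjuly{1..10}
# under .xyz, .site and .club, in that order on the page.
C2_URLS = [
    f"http://readinglistforjuly{n}.{tld}/"
    for tld in ("xyz", "site", "club")
    for n in range(1, 11)
]

# Field extractors for the constructed log format (assumed, not a real product's).
HOST_RE = re.compile(r"\b(?:query|host)=([A-Za-z0-9.-]+)")
URL_RE = re.compile(r"\burl=(\S+)")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})(?:\s+dport=(\d+))?")


def build_indicators(urls, ip_ports):
    """Split URLs and ip:port strings into domain, IP and socket sets."""
    domains, ips, sockets = set(), set(), set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            domains.add(host.lower())
    for ipp in ip_ports:
        ip, _, port = ipp.rpartition(":")
        ips.add(ip)
        sockets.add((ip, int(port)))
    return {"domains": domains, "ips": ips, "sockets": sockets}


def domain_hit(host, domains):
    """True for an exact match or a subdomain on a label boundary, so
    cdn.readinglistforjuly5.club matches but notreadinglistforjuly1.xyz
    and readinglistforjuly11.xyz do not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_line(line, ind):
    """Return [(kind, value), ...] for every indicator found in one line."""
    hits = []
    hosts = HOST_RE.findall(line)
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    for host in hosts:
        if domain_hit(host, ind["domains"]):
            hits.append(("domain", host))
    for ip, port in DST_RE.findall(line):
        if port and (ip, int(port)) in ind["sockets"]:
            hits.append(("socket", f"{ip}:{port}"))  # ip AND port: high confidence
        elif ip in ind["ips"]:
            hits.append(("ip", ip))  # ip only: shared hosting is common, review it
    return hits


def scan(lines, ind):
    """Return [(line_number, hits)] for lines with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line, ind)
        if hits:
            out.append((i, hits))
    return out


# Constructed log lines (not from the page or any real network).
SAMPLE_LOGS = [
    "2021-07-24T08:01:02Z dns client=10.0.0.12 query=readinglistforjuly3.xyz type=A",
    "2021-07-24T08:01:03Z proxy client=10.0.0.12 url=http://readinglistforjuly3.xyz/ status=200",
    "2021-07-24T08:01:09Z dns client=10.0.0.12 query=cdn.readinglistforjuly5.club type=A",
    "2021-07-24T08:02:10Z fw src=10.0.0.12 dst=212.224.105.106 dport=80 action=allow",
    "2021-07-24T08:02:11Z dns client=10.0.0.13 query=www.google.com type=A",
    "2021-07-24T08:02:12Z dns client=10.0.0.13 query=notreadinglistforjuly1.xyz type=A",
    "2021-07-24T08:02:13Z dns client=10.0.0.13 query=readinglistforjuly11.xyz type=A",
    "2021-07-24T08:02:14Z fw src=10.0.0.14 dst=212.224.105.106 dport=443 action=allow",
]

if __name__ == "__main__":
    indicators = build_indicators(C2_URLS, THREATFOX_IOCS)
    for lineno, hits in scan(SAMPLE_LOGS, indicators):
        print(f"line {lineno}: {hits}")
```

The two design points worth keeping when you port this to a real SIEM: match domains on a label boundary (exact or subdomain), so readinglistforjuly11.xyz and notreadinglistforjuly1.xyz do not fire on the readinglistforjuly1.xyz indicator, and treat an IP-only hit as lower confidence than an ip:port hit, because the ThreatFox entry is 212.224.105.106:80 specifically and the same address may host unrelated services on other ports.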
Unpacked files
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
7edcf1cc16d441cbf468656ef351b318e1f1096e115bb017cf15aab6e319a5f1
MD5 hash:
c14c3a3f4050cd2931a5b3b5b9d46732
SHA1 hash:
e6946c1c21c6d4a6bb215ea91c9e7e1fc99f8100
SHA256 hash:
0705af99615fdc12025b5449cb80591559a3f7a31037cd85dcc64ed0f7224fdc
MD5 hash:
ecc5658c2d0b0b9ffdc2729950a19a84
SHA1 hash:
74c44fc17238b59a2bb9ad037dbc8c6c5e3ea240
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments