MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07c18e8e0f92e75367df02c4114947b038e86fcbc7c8e5a77df739deb955263a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: 07c18e8e0f92e75367df02c4114947b038e86fcbc7c8e5a77df739deb955263a
SHA3-384 hash: 61c65549d7cc0480222fbd30a1de8aa2733624a05c33ca0cf693a765025b10123f1e1686ba8b29fab07dc6b6a09df122
SHA1 hash: 2efdcd8fc69ac26b0577c49db390df24bb18921a
MD5 hash: 18a00e77b2cd5ea4256d58be8b7260a3
humanhash: violet-speaker-echo-nitrogen
File name: 07C18E8E0F92E75367DF02C4114947B038E86FCBC7C8E.exe
Signature: RedLineStealer
File size: 4'441'675 bytes
First seen: 2022-01-22 20:00:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xfCvLUBsgReEOeNU0w7h28K0Qgu/h/IZr2O7gZpkfG3TIC4dMxf:xsLUCgR+2N+pQjeUZpkwcC4dS
Threatray: 1'737 similar samples on MalwareBazaar
TLSH: T16C2633103B8AC47BFE0262705C986FFD61B5E39C0A3854CB573485097F2A998E1BBD5B
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.105.119.120:48759

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
185.105.119.120:48759  https://threatfox.abuse.ch/ioc/311270/
148.251.189.166:11784  https://threatfox.abuse.ch/ioc/313092/
91.243.59.147:33459    https://threatfox.abuse.ch/ioc/313093/

Intelligence


File Origin
# of uploads :
1
# of downloads :
384
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
07C18E8E0F92E75367DF02C4114947B038E86FCBC7C8E.exe
Verdict:
No threats detected
Analysis date:
2022-01-22 23:01:16 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Query of malicious DNS domain
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
arkeistealer azorult barys overlay packed poweliks shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Vidar
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Regsvr32 Anomaly
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 558200
Sample: 07C18E8E0F92E75367DF02C4114...
Startdate: 22/01/2022
Architecture: WINDOWS
Score: 100

Root (node 2):
  Network: 104.208.16.94 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 52.182.143.212 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 19 other signatures
  Starts: 07C18E8E0F92E75367DF02C4114947B038E86FCBC7C8E.exe (process 10)

07C18E8E0F92E75367DF02C4114947B038E86FCBC7C8E.exe (process 10):
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Thu08e8f22dec23b.exe (PE32); C:\Users\user\...\Thu08d076312cbc3.exe (PE32); 12 other files (7 malicious)
  Starts: setup_install.exe (process 13)

setup_install.exe (process 13):
  Network: 8.8.8.8 (GOOGLEUS, United States); 127.0.0.1 (unknown)
  Signatures: Adds a directory exclusion to Windows Defender
  Starts: cmd.exe (process 17); cmd.exe (process 19); cmd.exe (process 21); 8 other processes (node 23)

cmd.exe (process 17) starts Thu080dd9a579466867.exe (process 26)
cmd.exe (process 19) starts Thu0868f8edbe.exe (process 31)
cmd.exe (process 21) starts Thu086b35d9fce5c35dd.exe (process 33)
8 other processes (node 23): Adds a directory exclusion to Windows Defender; start Thu0898a9af0cbc91e74.exe (process 35), Thu088fadf0b8243.exe (process 37), Thu08e8f22dec23b.exe (process 39) and 4 other processes (node 41)

Thu080dd9a579466867.exe (process 26):
  Network: 37.0.10.214 (WKD-ASIE, Netherlands); 37.0.10.244 (WKD-ASIE, Netherlands); 15 other IPs or domains
  Dropped: C:\Users\...\zUungkjiRuMgrsOSCH2e4Zuy.exe (PE32); C:\Users\...\rAIni1X5QUWKZpBir0v7CHDQ.exe (PE32); C:\Users\...\melcdJsCc41CLNUzJFear90i.exe (PE32); 53 other files (26 malicious)
  Signatures: Antivirus detection for dropped file; Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures

Thu0868f8edbe.exe (process 31):
  Network: 185.215.113.15 (WHOLESALECONNECTIONSNL, Portugal)
  Signatures: Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file

Thu086b35d9fce5c35dd.exe (process 33):
  Network: 148.251.234.93 (HETZNER-ASDE, Germany)
  Signatures: Detected unpacking (changes PE section rights)

Thu0898a9af0cbc91e74.exe (process 35):
  Dropped: C:\Users\user\...\Thu0898a9af0cbc91e74.tmp (PE32)
  Signatures: Obfuscated command line found

Thu088fadf0b8243.exe (process 37):
  Network: 2 other IPs or domains

Thu08e8f22dec23b.exe (process 39):
  Network: 162.159.133.233 (CLOUDFLARENETUS, United States)

4 other processes (node 41) start mshta.exe (process 43)
Threat name:
Win32.Downloader.SmallAgent
Status:
Malicious
First seen:
2021-09-02 19:44:45 UTC
File Type:
PE (Exe)
Extracted files:
203
AV detection:
30 of 43 (69.77%)
Threat level:
3/5
Result
Malware family:
redline
Score:
10/10
Tags:
family:raccoon family:redline botnet:4c585dd595f87d872b81110ef04a868eee9e5c6b botnet:fie botnet:pab777 aspackv2 discovery evasion infostealer spyware stealer trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.215.113.15:6043
91.243.59.147:33459
Unpacked files
SHA256 hash  MD5 hash  SHA1 hash
61c5fcaa49f0d49c151aed1076625455a245150942dd292a29182d8ca1ce6bfc  b00957824ab7790185ec07c6e6face35  1107b6a89474fe310fcdd0589a628a06eef5c264
e173de6e79423d659886704dcaaf5848078ced4e14e0772e4f1e7b3931bb0862  95f9e24e7dd90ee5892743c58801db9f  f107fcd45e57e7b71193f1f1777b8377f5d3cda1
e621e23cf07ea962557bce0f28940a8283135de86d3fd3d520d58115a8484982  35959e37d587e649357c57c2c5797a93  b3f2ef17f1c45e34ea84a70285a14672034a97ae
4266165affda48b7a0fc19e67760e2d0ff275bf5f66d463acdf89c17362c3022  6e5515bdee2907426548266c47390abc  105000cfd2dcd2e5f5f5f9e1f5ab4eff4626473e
d6488d1275b4578144b03273fe898622c73291b312acc0da1d9d1c9256045da8  a1cb9d03144fe3471e5677890d5075dc  de3064b43d8aef20d11cb9a6011452b2a6edccef
606d3d9365f40fee12e9fc577ae5bf4cd42d502f4758320cdab01b53a7e0d4b8  51894ed4e7fec456b08027e2e6620386  bbffdd90f9a5644086006734e03c15ac28db1ae9
13492a113107ae59e2fe02f3c3b9afa411a39caa73b78ea06dec0fb9a970f7a2  f0cddb85d1f6e01372db9988700b1849  b561eab96075434a5405459cf2cd947c9cda78fa
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831  052270e8e9cfb3512932e0df484caef4  85305fee690beea8458bab5d55d0368c47340501
ffd9ceeda950da333b3c41b0cebcb411159a27db32e3afa0b83d68602573202b  36724cae7f4898caa3c3518113922d1b  81c710d53b7940ff0af2a8e83c7340aad5b10e4f
9c19ba06ab3d6baac6459990c82d195a1f6b9e76fa0b1a487975138ec9101919  ce3f9663cea0a68a96e1dbfa22548610  80774d914ae08c3fc3681080e7bab60391cb4056
431ec1c10ab74dc8db5bc67c2ee525f8368723d83c430503447556f501a55b31  95d7311801b28a847745beedccd8b9bc  70f3d3600befe358d9fd2733aaab886510377d98
367591f8a40151c4d788bbaa29e20b3dd57ce22f056b51f9f0380e4fd2275c07  4e0196b3ab0d47e4a2093ffa87c7326b  58ba603c32b3036477b615cd46a9e834cc4645d8
90dbef969fb8b29739533bb61fc87bc6d3cacd7fbf683b0767d4cdbb8c592638  169549a8f4d2eb765200ef72aa822231  4c88bae16debacbdf6bccef30fd04650d7b8f988
612696af1bca04a1e58d4bda585d793b04e3b25982a389820044a21ee1882a4a  315f88c84f98cc3b3aef8a3d868e3d73  3b9c6db0b01edc71dea23ddecc704262c7a1eeb3
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4  0dedd909aae9aa0a89b4422106310e9e  271d36afa5b729ee590cf8066166ca5e9c9d0340
1320deb204fdec35c8903c72bb3e751871235d9b24e37199e562119f3745f090  3679aa3462386cd551c6a29faaafcc5c  2564ec85dc4fbd882eac3d86f6bbe02c5d799fde
75d2895e180e942eb53558c87a639188da5a6800d20ede00cdde4d2ebf6b37ed  cd0ae3224b5bb33b8787b830c2d326db  9ff0f1a2fb6fcb70effc43bf55437beae1383954
  Detections: win_retefe_auto
fadc104a12e272a8636d033364fcecb3f9ec308f43952a9e46c34cda7cc58a63  ea1d69da073cff191551e00eda91b8c5  9f4ce431c3ceba5e1128fc99c92eec4db6049843
1e2fe8db290a5041055196256522ef6cfc0d41a7d273cadac7e9a02ab4bf7c35  374369d5e18431b5bc732c34774d517d  8bfc0cbdb7755031052aeef614d16aec81dadfe2
07c18e8e0f92e75367df02c4114947b038e86fcbc7c8e5a77df739deb955263a  18a00e77b2cd5ea4256d58be8b7260a3  2efdcd8fc69ac26b0577c49db390df24bb18921a
Malware family:
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments