MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 6 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
SHA3-384 hash: fb70e9fc601228d8d49a38c4c7b8a75aa20c22a1d7327f7596043114d612fe246ab06bd0225190f060fe80c6b532743a
SHA1 hash: c9e9321fc4d550ef75ca83deb1cdbd2d235c9fd9
MD5 hash: b376e4858ece14f0459fc8f24e72bed8
humanhash: yankee-oven-missouri-don
File name:B376E4858ECE14F0459FC8F24E72BED8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'500'431 bytes
First seen:2021-08-20 14:40:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:ywv9xHwVwoNa0X3Hcj/4l1zNn0QJmnVNYKH7ghdOChc:ywXHiwgH/nPmnVQ7hc
Threatray 139 similar samples on MalwareBazaar
TLSH T1352633C198CBAC56EF3FA77305201F1546B5AA00FB6E36DE23500E5EFE24B11885A5F9
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://45.140.147.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.140.147.35/ https://threatfox.abuse.ch/ioc/192382/
159.69.190.155:35975 https://threatfox.abuse.ch/ioc/192384/
94.103.83.88:60362 https://threatfox.abuse.ch/ioc/192436/
51.254.68.139:8067 https://threatfox.abuse.ch/ioc/192437/
65.21.141.215:8374 https://threatfox.abuse.ch/ioc/192438/
185.173.36.156:228 https://threatfox.abuse.ch/ioc/192466/

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B376E4858ECE14F0459FC8F24E72BED8.exe
Verdict:
No threats detected
Analysis date:
2021-08-20 14:43:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6a05f0ba-3884-4f0e-8a15-ae0ac2e2f414

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180969/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f53c982-ef81-41d9-a113-9c509a7c96e2
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836476
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 468914 Sample: KwItICpfLi.exe Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 77 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->77 79 88.99.66.31 HETZNER-ASDE Germany 2->79 81 3 other IPs or domains 2->81 117 Antivirus detection for dropped file 2->117 119 Multi AV Scanner detection for dropped file 2->119 121 Multi AV Scanner detection for submitted file 2->121 123 7 other signatures 2->123 11 KwItICpfLi.exe 10 2->11         started        signatures3 process4 file5 53 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->53 dropped 14 setup_installer.exe 18 11->14         started        process6 file7 55 C:\Users\user\AppData\...\setup_install.exe, PE32 14->55 dropped 57 C:\Users\user\AppData\...\Mon168eacf5abe6.exe, PE32 14->57 dropped 59 C:\Users\user\...\Mon166f0c73c18054.exe, PE32 14->59 dropped 61 13 other files (7 malicious) 14->61 dropped 17 setup_install.exe 1 14->17         started        process8 dnsIp9 75 127.0.0.1 unknown unknown 17->75 115 Adds a directory exclusion to Windows Defender 17->115 21 cmd.exe 17->21         started        23 cmd.exe 1 17->23         started        26 cmd.exe 1 17->26         started        28 6 other processes 17->28 signatures10 process11 signatures12 30 Mon1623952f4e80cb7fc.exe 21->30         started        125 Obfuscated command line found 23->125 127 Uses ping.exe to sleep 23->127 129 Uses ping.exe to check the status of other devices and networks 23->129 131 Adds a directory exclusion to Windows Defender 23->131 35 powershell.exe 12 23->35         started        37 Mon162a49cb298e25a7e.exe 1 14 26->37         started        39 Mon168eacf5abe6.exe 28->39         started        41 Mon16299b35036.exe 2 28->41         started        43 Mon166f0c73c18054.exe 14 28->43         started        45 Mon1634f04758a25c25c.exe 28->45         started        process13 dnsIp14 83 185.233.185.134 YURTEH-ASUA Russian Federation 30->83 85 37.0.10.214 WKD-ASIE Netherlands 30->85 93 14 other IPs or domains 30->93 63 C:\Users\...\geBB0ycltRB7b8baVZ6n6BdV.exe, PE32 30->63 dropped 65 C:\Users\user\AppData\...\inst001[1].exe, PE32 30->65 dropped 67 C:\Users\user\AppData\Local\...\help[1].bmp, PE32 30->67 dropped 73 39 other files (17 malicious) 30->73 dropped 99 Tries to harvest and steal browser information (history, passwords, etc) 30->99 101 Disable Windows Defender real time protection (registry) 30->101 87 208.95.112.1 TUT-ASUS United States 37->87 95 4 other IPs or domains 37->95 69 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 37->69 dropped 71 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 37->71 dropped 103 Contains functionality to steal Chrome passwords or cookies 37->103 105 Drops PE files to the startup folder 37->105 107 Machine Learning detection for dropped file 39->107 109 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->109 111 Checks if the current machine is a virtual machine (disk enumeration) 39->111 113 Creates processes via WMI 41->113 47 Mon16299b35036.exe 41->47         started        89 116.203.127.162 HETZNER-ASDE Germany 43->89 91 74.114.154.18 AUTOMATTICUS Canada 43->91 file15 signatures16 process17 dnsIp18 97 104.21.70.98 CLOUDFLARENETUS United States 47->97 51 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 47->51 dropped file19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 03:52:53 UTC
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bkbdzplkgkqqzetskp5eartmriyxpzeh5z4jlkfc4jcktngecx6a._file
Verdict:
malicious
Similar samples:
455c9a38ec39915d187e3d1093eb3456798f01ffd9f925b2e15e10beced936f0
RedLineStealer
5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc
RedLineStealer
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
RedLineStealer
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
RedLineStealer
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
RedLineStealer
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
RedLineStealer
+ 129 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar family:xmrig botnet:706 botnet:937 botnet:983 botnet:pab3 botnet:second_7.5k aspackv2 backdoor evasion infostealer miner persistence stealer suricata themida trojan
Link:
https://tria.ge/reports/210820-x42jpm4d12/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
Malware Config
C2 Extraction:
185.215.113.15:61506
https://eduarroma.tumblr.com/
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
45.14.49.200:27625
Unpacked files
SH256 hash:
11056c89b02dffdd9f97e429fbd1262d329016d117079abbbd50451bb3486ac2
MD5 hash:
ab636769db5d8c33fb964876115e3e1c
SHA1 hash:
00f0f9de24c0429f43ec1ab3e8fdbfac5854b23a
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
1ab460eac81001bfa0da8cbadfd4fba0ad0f371742a2c725ff5cf71bdd8e2b9f
MD5 hash:
1dc95107f7dd6d1392bb8d9b53b76916
SHA1 hash:
b26f9c90ad4656d2ddf3e96da967e0f65a9623e1
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
d1ff2f8a510fb4d25dd861e4cd5196585ccdd66cd6e941941e13d634da825f32
MD5 hash:
e3ed5e6a62ece3cf158688bce4161fbf
SHA1 hash:
5a8c4dddf69e8650952b0d29987cc6edfe25fb0b
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
ab9bb888f6235eaee1ad52cd9b4d1f960ea09743ff80919d0095383f3683c583
MD5 hash:
eff546ee925781db419befdf93bd045d
SHA1 hash:
1129b509403fa589b50310f99f77c69ecc7f8314
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
3ac82c275c09d21438858d48eea37fe653d188a4ec4a783fad1ed022405f941b
MD5 hash:
99ce1ecb2cc198a8984618f53b786c00
SHA1 hash:
ce0cc43ea97bdaf7f6813047d6c2606e5d3f38de
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
d96d3c9b680ef2bd774d627b59f18c8b161e67dd8ae752c2d5a8abb22730ce99
MD5 hash:
8c4d8f10f3c4715a91953efa8b12e38c
SHA1 hash:
973109999c7f771f69af1d422dc0318e5c516188
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
8ca29bbbef3607841c4d6e490fcada15442c48a46c9fe304a217906eeb8ec2b7
MD5 hash:
cab3674a3b78eb028ed2a3fb971d9c43
SHA1 hash:
60536362e1fa52dbeaf1bcb634939dc17792f481
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
c1cf4a5d3b36b4b5edffd13e15e9563b46b5e003cc35c01641663b074a620a49
MD5 hash:
26f68b2729ae13012516cda8455fc56b
SHA1 hash:
5f485681f2c36c80eb5347e122896675eaa28022
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
798b08b53f7a589e8a24d23be077d7d0fe3071079fdd009200f6942ce514d576
MD5 hash:
4bc2a92e10023ac361957715d7ea6229
SHA1 hash:
4b0e1b0640c0e744556deadfccf28a7c44944ed9
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
02b25e511b126fc8d719b8e4e63b28aeb22aea6542b1cd050ebdf18cbb6a32bc
MD5 hash:
6c288524bf2f2442ad247a2f33dbfdc0
SHA1 hash:
c5ab8cc9ba7458e984202cc16f758215ff5e4132
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
5cb591eb2b430583abbb147506dedd5aa934970c032abd723b8e82da6e5a99e1
MD5 hash:
883eca82df1958f5dc4c2e72e1069e7b
SHA1 hash:
f916c15865cc380f6df898346f608c9f61689bb2
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
7c8be9ee0260ba6518577ffecdb43323e57a8f0421b32cf95b909050e643b52e
MD5 hash:
2a1ca9da0883e46cecedfe40e3a40bc4
SHA1 hash:
be3b7550689e86982788580d9d675bb10aafedb1
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
2c0c38bec458195868e129b8eb43cac9a0a3a4c29f4c2a75140855beaebefbcf
MD5 hash:
2f7aee03ed4b6754f97708dfba5fae76
SHA1 hash:
fb8b838f9dafbf1ee608570dbd665540d366da4a
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
9dc7ed2cf28307b26953d007faebe51f2badcd6e29128996b7a21cd0084b82d6
MD5 hash:
4a7ece7b78441c2b50554f7eba62712b
SHA1 hash:
5b69282361ca7f51f75afaaac4a519ef897ea7ee
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
SH256 hash:
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
MD5 hash:
b376e4858ece14f0459fc8f24e72bed8
SHA1 hash:
c9e9321fc4d550ef75ca83deb1cdbd2d235c9fd9
Link:
https://www.unpac.me/results/8c3d164a-26ef-4581-9054-37e1c0a156f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180969/

Comments