MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

SHA256 hash: 0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
SHA3-384 hash: d36a4065e3341570e630134d34c17a0bd6c204913792fcf9b03d171ece27ab869c7490e2cfbcd7f9920f75093845cd11
SHA1 hash: d8122ee820db5d937056c2f1fd0b7bbf89d8b9c1
MD5 hash: 971e01647fbdc05bef3df71b008e2ca6
humanhash: sweet-robert-utah-neptune
File name: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Signature: RedLineStealer
File size: 2'831'917 bytes
First seen: 2022-01-14 18:27:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (110 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 49152:xcB7PkZVi7iKiF8cUvFyPj0TbOTDTfr6pKTfHblwVj+jcEwJ84vLRaBtIl9mTIGU:xbri7ixZUvFyPj0gnzesrCvLUBsKIA8l
TLSH: T13ED533713BE6C0BBE7475132A8541FFF60FAD3A92A3118D33B849A155F369748009B6E
dhash icon: 848c5454baf47474 (87 x RedLineStealer, 33 x DiamondFox, 31 x GCleaner)
Reporter: @abuse_ch
Tags: exe RedLineStealer


Twitter
@abuse_ch
RedLineStealer C2:
185.215.113.64:25828

Intelligence


File Origin
# of uploads: 1
# of downloads: 283
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe
Verdict: No threats detected
Analysis date: 2022-01-14 19:04:07 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Moving a file to the %temp% subdirectory
Running batch commands
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a window
Searching for synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult barys overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmartSearch Installer SmokeLoade
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmartSearch Installer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 553373, Sample: 0CA57F85E88001EDD67DFF84428..., Startdate: 14/01/2022, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-07-17 07:00:00 UTC
File Type: PE (Exe)
Extracted files: 250
AV detection: 30 of 43 (69.77%)
Threat level: 5/5
Verdict: malicious
Label(s): raccoon
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:vidar botnet:933 botnet:cana01 botnet:ruzki aspackv2 backdoor evasion infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://sslamlssa1.tumblr.com/
176.111.174.254:56328
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
185.215.113.29:34865
Unpacked files

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
185.215.113.64:25828     https://threatfox.abuse.ch/ioc/295248
78.46.137.240:21314      https://threatfox.abuse.ch/ioc/295286

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments