MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d054d4b3068ea7f877963a9be8a71581cb0396a309f65e0a95a45ac1e758d62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 6 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d054d4b3068ea7f877963a9be8a71581cb0396a309f65e0a95a45ac1e758d62
SHA3-384 hash: a5c779766e5e0c4b76b1b129d01578653169c1e78ad7cbe022df017a91f482fbaa5485ff70c87756fd7c48552678ed50
SHA1 hash: ae1c2695d1cb276c4cb2644d9b2145a98a13ce36
MD5 hash: 5d19bb41c6033f032708488f5cd7a72d
humanhash: seventeen-cold-stream-north
File name:0D054D4B3068EA7F877963A9BE8A71581CB0396A309F6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'654'988 bytes
First seen:2021-12-03 20:26:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:JHolU8TTc5lrUwMUeaWspkjLk3Nfe5KxNBEMbv:JIGrUNzEp93NfpeMz
TLSH T1526633792F1A0ABCD72CD1710179B65878F2310921079B170F238F9EB6D5C62D9DE987
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
135.181.178.93:12952

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
135.181.178.93:12952 https://threatfox.abuse.ch/ioc/259047/
91.241.19.213:46284 https://threatfox.abuse.ch/ioc/259048/
http://194.180.174.53/ https://threatfox.abuse.ch/ioc/259049/
http://ads-postback.biz/check.php https://threatfox.abuse.ch/ioc/259050/
95.143.178.132:21588 https://threatfox.abuse.ch/ioc/259051/
178.238.8.177:4633 https://threatfox.abuse.ch/ioc/259052/

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Main-Installer.exe
Verdict:
Malicious activity
Analysis date:
2021-10-25 11:47:11 UTC
Tags:
trojan rat redline evasion loader kelihos opendir stealer vidar
Link:
https://app.any.run/tasks/8ec1edca-2b21-4cd8-93ff-d7d9fdd39158

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector03
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211121/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Socelars-9901327-1
Create hunting rule

Win.Malware.Socelars-9901374-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/695/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys overlay packed smokeloader
Link:
https://www.filescan.io/uploads/61aa7d99fa72c81b5b09e5cf/reports/646e9936-3d59-40c1-85a0-2c8901de6740/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/efe67bcf-89e2-43d0-9a0b-b093ffde3ee1
Result
Threat name:
MedusaHTTP RedLine Socelars
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901164
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected MedusaHTTP
Yara detected RedLine Stealer
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 533642 Sample: 0D054D4B3068EA7F877963A9BE8... Startdate: 03/12/2021 Architecture: WINDOWS Score: 100 75 37.0.10.199 WKD-ASIE Netherlands 2->75 77 185.215.113.208 WHOLESALECONNECTIONSNL Portugal 2->77 79 20 other IPs or domains 2->79 117 Multi AV Scanner detection for domain / URL 2->117 119 Antivirus detection for dropped file 2->119 121 Antivirus / Scanner detection for submitted sample 2->121 123 20 other signatures 2->123 10 0D054D4B3068EA7F877963A9BE8A71581CB0396A309F6.exe 10 2->10         started        signatures3 process4 file5 47 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->47 dropped 125 Writes many files with high entropy 10->125 14 setup_installer.exe 22 10->14         started        signatures6 process7 file8 49 C:\Users\user\AppData\...\setup_install.exe, PE32 14->49 dropped 51 C:\Users\user\AppData\...\Mon11d3ef0a4850.exe, PE32+ 14->51 dropped 53 C:\Users\user\...\Mon11d3d124c61d0.exe, PE32 14->53 dropped 55 17 other files (8 malicious) 14->55 dropped 17 setup_install.exe 1 14->17         started        process9 dnsIp10 71 8.8.8.8 GOOGLEUS United States 17->71 73 127.0.0.1 unknown unknown 17->73 113 Adds a directory exclusion to Windows Defender 17->113 115 Disables Windows Defender (via service or powershell) 17->115 21 cmd.exe 17->21         started        23 cmd.exe 17->23         started        25 cmd.exe 1 17->25         started        27 11 other processes 17->27 signatures11 process12 signatures13 30 Mon119ebac086ba6c.exe 21->30         started        35 Mon11d3d124c61d0.exe 23->35         started        37 Mon1103f99f03d879f.exe 25->37         started        127 Adds a directory exclusion to Windows Defender 27->127 129 Disables Windows Defender (via service or powershell) 27->129 39 Mon1116c73e32a73b7d.exe 1 27->39         started        41 Mon11d3ef0a4850.exe 27->41         started        43 Mon111a83b1d942b.exe 27->43         started        45 4 other processes 27->45 process14 dnsIp15 81 163.181.57.227 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 30->81 83 212.193.30.29 SPD-NETTR Russian Federation 30->83 91 9 other IPs or domains 30->91 57 C:\Users\...\yxAALBff2jpBcVFXtb05kPpq.exe, PE32 30->57 dropped 59 C:\Users\...\lfFpFYHZVntVEqxV6Ojohedv.exe, PE32 30->59 dropped 61 C:\Users\...\kHyGgePJUGfO2sXDW6KpJPj4.exe, PE32 30->61 dropped 69 71 other files (37 malicious) 30->69 dropped 95 Creates HTML files with .exe extension (expired dropper behavior) 30->95 97 Disable Windows Defender real time protection (registry) 30->97 99 Writes many files with high entropy 30->99 101 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 35->101 103 Maps a DLL or memory area into another process 35->103 105 Checks if the current machine is a virtual machine (disk enumeration) 35->105 85 5.9.162.45 HETZNER-ASDE Germany 37->85 87 142.250.203.110 GOOGLEUS United States 37->87 93 5 other IPs or domains 37->93 107 Antivirus detection for dropped file 37->107 109 Machine Learning detection for dropped file 37->109 89 208.95.112.1 TUT-ASUS United States 41->89 111 Tries to harvest and steal browser information (history, passwords, etc) 41->111 63 C:\Users\user\AppData\Roaming\...\Qekdqa.exe, PE32+ 45->63 dropped 65 C:\Users\user\AppData\Local\...\MSBuild.exe, PE32+ 45->65 dropped 67 Fphrgjtnjgrqbtroch...021-10-24_21-38.exe, PE32 45->67 dropped file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d054d4b3068ea7f877963a9be8a71581cb0396a309f65e0a95a45ac1e758d62/
Threat name:
Win32.Trojan.Cryprar
Create hunting rule
Status:
Malicious
First seen:
2021-10-25 23:22:59 UTC
File Type:
PE (Exe)
Extracted files:
146
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bucu2szqndvh7b3zmou35ctrlaolaolkgcpwlyfjljc2yhtvrvra._file
Verdict:
malicious
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars botnet:media24 aspackv2 backdoor infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211203-y8evesccd8/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
91.121.67.60:23325
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
Unpacked files
SH256 hash:
27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash:
de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash:
ee402371a36bff44c765323ccd8c7e4a56bc8d12
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
711b013262bcf0f5b89169579f3dc14296d07eb8927f54a55b05b51b9a0c4c98
MD5 hash:
7dacf98407ac430943ac533c673e6dec
SHA1 hash:
df90afad4b2c0c08b6347fbb7afff73be9dc4c6c
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
4891e0f7331a52f3217fb21131eca6c81fac3d727574df06090b33ead1146525
MD5 hash:
ab83a602657e135963fe9255d897df55
SHA1 hash:
d4fa7aa3b46d613cb698a56a3c9bfc524da7bc7f
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
b595cb87bf3e9cef2e4b66f589207706adc8a45d71bcc7ba79625f500d678e81
MD5 hash:
7b7f00aeb3310c4e693b7bee19c31f3d
SHA1 hash:
d4bf1adab164cb7cec9e1e547b6b78d09b1a280e
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
82b60a8c25db65bae520e73b7a67d2a6ca1f0fe6926439d0d7f1c0d52aa2f7d4
MD5 hash:
a758705ffd480485776c573bbe7091ca
SHA1 hash:
ae62bd009da6c2bf8e91f06a9a01890f74828d07
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
eaa7893579278c3967aa10040176223717eb1829c10abbe3bdd0559eb5946993
MD5 hash:
001fdca5b5b16e2b70cd2896071ed72b
SHA1 hash:
ad345b50bfd767b3ab24522a36c35cdf7f83cab4
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
88e911c877121560639ed2c4e3a38b73bc2b7811f04d0551b8d0ea9c54528b42
MD5 hash:
8cd9774e26025ae3be4858fe6c964b85
SHA1 hash:
9f205d2621d28177a9ecc2da3ac4af43570ab8eb
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
a98fb67204d7a8cd684644e2edf7c8eb515595680c4559c6dd61889c0dbdfcbe
MD5 hash:
70120b082c5743bfb852a4f05167067d
SHA1 hash:
5d1960ff87cdfb63e4b88c074a0d5871d460a2ae
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
647b33c29f43fc27269434b98b91e4ef2fe2572bd3b41cab55475149f6c92f48
MD5 hash:
e11fc831e80b2ae905cd2391fc559f30
SHA1 hash:
0d9913e650c4e14ecdd90ec154d47677dfc9da07
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
dc1112feaaeb9c2145098c2664b7cc7540b4b2561d1afd555198a1ca8032124d
MD5 hash:
f35a4046014aace5b828f1574f8d99be
SHA1 hash:
5c791a8c7e3623959307b90e2107b6bd950194db
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
4887918b59cd66475a12a9c512ec570e6f900c23ef69ff7513e2b5cd63fd2ef2
MD5 hash:
4d3446a7e14d3250e1030b67e202c8dd
SHA1 hash:
cd8fdfdfed34fcd05700293658bfcf8528e68802
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
Parent samples :
fc45728dcdf75985369c218c0386d8b5e3e49fcbce67bf41c02ba31c01300b0a
3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2
c3133fa0480d9bf0beff04059da58bbeae895196edba830ed00cae3c20391d10
SH256 hash:
c0feb135c5ea8962a3ee18197480a0deaf4c9ad7ad2b52c9e47b09380e43453f
MD5 hash:
419c638f7d260e12efc335ee53f13c00
SHA1 hash:
b2e913339c2167b639b8195f2dec207acefa6071
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
6cd587ecdd136bd1fcba0693ca65c8217eef048350b9033278d0df0d71f7a309
MD5 hash:
a6f7a7ba19a4174ef29c87d6a68739e5
SHA1 hash:
ca4b8f9471997e8bee613d7f124d1dbfc1d105d3
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
6e2c64761f8bd5d83b1732ee88316989e7bbce0cfc7048dda4349a1e6d25a37b
MD5 hash:
129518f7581ec2d5a069ee0c62be5438
SHA1 hash:
e06e8ca7ba10a5f0960dbd36b55ff32e6524a9c5
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
dc4fbd7ffb38d851d0c4aededa82442554d1300d6c52871e6f8674dceac0b811
MD5 hash:
7cc3cf9f87721f276ec4b320d68de85f
SHA1 hash:
2fbd61067244f9f5e1b6668a7d5353905fefd757
Detections:
win_retefe_auto
Create hunting rule
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
ac55309a1183a26ff00b0d8361568013d1a8a6cc832ed5af196e2b6a718e9ae8
MD5 hash:
2ce2b0e1e6c5b58a2f6d26f5d066b289
SHA1 hash:
41a8afb9ce98694a6010889bc36256d6ccf89995
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
SH256 hash:
0d054d4b3068ea7f877963a9be8a71581cb0396a309f65e0a95a45ac1e758d62
MD5 hash:
5d19bb41c6033f032708488f5cd7a72d
SHA1 hash:
ae1c2695d1cb276c4cb2644d9b2145a98a13ce36
Link:
https://www.unpac.me/results/4e1f4f01-8d58-4d35-ac79-46baeeca5825/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0d054d4b3068/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d054d4b3068ea7f877963a9be8a71581cb0396a309f65e0a95a45ac1e758d62

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211121/

Comments