MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e8cfcf628f5194908892cbd2cadc68e685bef5101a6230d0d71110c88d4a9ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 3 YARA 7 File information Comments

SHA256 hash:	0e8cfcf628f5194908892cbd2cadc68e685bef5101a6230d0d71110c88d4a9ac
SHA3-384 hash:	41b5514a903339539cab24a65aea09306aac12e8db38b3668acf07924bee8a4b7c6b0a81e1867ab0c007c80d847b9e88
SHA1 hash:	5db6a5a016449148fe73c00bb840ffc27f770ef6
MD5 hash:	a9ad2c5948af7770c665d6e87b668090
humanhash:	angel-tango-alpha-east
File name:	a9ad2c5948af7770c665d6e87b668090.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	8'587'139 bytes
First seen:	2021-10-02 15:30:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep	196608:xp3a/EavTvJcRX3wSL7J1edzZjWWvMWF/Q2poGTa+8o5:xlaTqRX3f1e9jvMyneto5
Threatray	587 similar samples on MalwareBazaar
TLSH	T12F863310BEC7CDF6C2412B356F141ED246B3D394212284AB277D1E6F99AD209F74A39E
File icon (PE):
dhash icon	848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://185.215.113.45/g4MbvE/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.215.113.45/g4MbvE/index.php	https://threatfox.abuse.ch/ioc/229555/
http://194.180.174.82/	https://threatfox.abuse.ch/ioc/229691/
185.51.246.132:31671	https://threatfox.abuse.ch/ioc/229743/

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a9ad2c5948af7770c665d6e87b668090.exe

Verdict:

No threats detected

Analysis date:

2021-10-02 15:33:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c1723dd4-df61-471b-8d60-160012dc014f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DLInjector04

Link:

https://www.capesandbox.com/analysis/194200/

Detection(s):

Win.Dropper.Pswtool-9857487-0

Win.Malware.Barys-9859499-0

Win.Packed.Barys-9859531-0

Win.Packed.Jaik-9863991-0

Win.Dropper.Generickdz-9890303-0

Win.Packed.Socelars-9895020-1

Win.Packed.Socelars-9895021-1

Win.Packed.Socelars-9895023-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/051be7d9-e056-43bd-8051-047362b3ebad

Result

Threat name:

Cryptbot Raccoon RedLine Socelars Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/863204

Signature

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Antivirus detection for dropped file

Antivirus detection for URL or domain

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Connects to a pastebin service (likely for C&C)

Detected VMProtect packer

Disable Windows Defender real time protection (registry)

Found C&C like URL pattern

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Script Execution From Temp Folder

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Costura Assembly Loader

Yara detected Cryptbot

Yara detected Raccoon Stealer

Yara detected RedLine Stealer

Yara detected Socelars

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0e8cfcf628f5194908892cbd2cadc68e685bef5101a6230d0d71110c88d4a9ac/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-09-18 04:21:57 UTC

AV detection:

28 of 45 (62.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b2gpz5ri6umuscejfs6szlogrzufx32ragtcgdinoeiqzcguvgwa._file

Verdict:

malicious

RedLineStealer

093c40a96a55be0cc76dd3f234eebc8e66f453626f0d217fce4bb91d5e5afa5c

RedLineStealer

3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d

RedLineStealer

987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993

RedLineStealer

a3507dc0b236809b00d1e1b8481607e75b2085a6cfeebab4d50ba816502adb29

RedLineStealer

a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409

RedLineStealer

c3435b775a71e105224d5c642be20d68488c40b67c2cfa7762b42e6f947ee055

RedLineStealer

e151a929c69d6b05b9326bdae2679e828cd8c0c6e27bfe9866976e7943630e24

RedLineStealer

+ 577 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:ani botnet:pab123 botnet:�u'h�y��&s҈��kcc d�6�1�>�-� aspackv2 backdoor evasion infostealer stealer suricata themida trojan vmprotect

Link:

https://tria.ge/reports/211002-sx2l6aefan/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Download via BitsAdmin

Kills process with taskkill

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Loads dropped DLL

Themida packer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Process spawned unexpected child process

Raccoon

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1

suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2

suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M3

suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M4

Malware Config

C2 Extraction:

http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
45.14.49.169:22411
https://dimonbk83.tumblr.com/
45.142.215.47:27643

Unpacked files

SH256 hash:

588626e5e2d07844f2b59eb51dce36bc8f6c123ceff817813bf4c31aebdd1bf5

MD5 hash:

8ecea1e237042ecd057de60e97b89e7a

SHA1 hash:

fb1a226b3c324c49d88ac6a6726f90641dc93977

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

0fd897b1e74f50e47526f974bf4906ecbe4a331b1ae4e2ec309fbee57a032586

MD5 hash:

4c3423a6e5e3337c71c551358f1334c1

SHA1 hash:

e3f59c4781ab6b19adb9eb85054a060b34c3df73

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

c02d2c9ae0b587f9b7631c443ce5a7d6d409c0a5d09ff6b389ca1330d44a1149

MD5 hash:

a91a81780273bb279790c1fbb6fb3105

SHA1 hash:

4bedae163300009aac8afa2c2b42ea6c184ca9dd

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

bc4bacc3b8b28d898f1671b79f216cca439f95eb60cd32d3e3ecafbecac42780

MD5 hash:

047bca47d9d12191811fb2e87cded3aa

SHA1 hash:

afdc5d27fb919d1d813e6a07466f889dbc8c6677

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc

MD5 hash:

21775ff041e7277d87aa8fdf1e09da6c

SHA1 hash:

6dd1d6716cb93adef6c9b39490a79e77fd5396c9

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db

MD5 hash:

70220a3ce6ffd34101b3770342505f2c

SHA1 hash:

b55c421634d8eeaec5c6193f34c04625d21a9ae9

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2

MD5 hash:

33600475b2cc5445df2d3809c3798311

SHA1 hash:

3cb60432de30b82e87b8b607e0180a7843128b5a

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

Parent samples :

aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc

SH256 hash:

79249202eec021c6d6c3f5732a55c635f501725ac61e20d27cce48adf109fdfd

MD5 hash:

75b02651b3d608848c0104c7e1adc038

SHA1 hash:

6337f93871c3480d06bfa76ccd3495b754781eed

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4

MD5 hash:

0dedd909aae9aa0a89b4422106310e9e

SHA1 hash:

271d36afa5b729ee590cf8066166ca5e9c9d0340

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

333cb108a14125f609e50628e325ee48874fb38f79d3aa1ab05f9d51a6829b16

MD5 hash:

308b16fb154771e7276dc721e33597d3

SHA1 hash:

d1ae0e6d1d1bfb1fad9ac706464615bde85e362b

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

da6e2470414935131c3a094758be78605ec1c1ba8ddc755d175ac73763cc307a

MD5 hash:

03cd7541a32149209ecec14115466bc3

SHA1 hash:

bff67b407cffb1d3f3afbbcee15046e968204af3

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

3274005fc4effba965ad331a099fb01ef34218f7612512635cd178244ab3761c

MD5 hash:

ea7ae694330b551e0d282f1634737f1a

SHA1 hash:

b28eabbe05e93baee7b654b6c12b5665fed44db8

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

8109ce4f6e937530731141c0be96e6b0ffb703daf4595ffea44556101ce5f03b

MD5 hash:

76c54755f14a21d92a85a717620452bf

SHA1 hash:

93a635b272b67b7c326ec333d23029698b4ffeb3

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

1fd2e17f4c02bd2c83b51f54f6abf8e5dff6f7c2106e9a3648e41fd961961e98

MD5 hash:

c1e9bd5955a20911a589f9a1a4a17d6b

SHA1 hash:

8dfa543969a1dc6de00c3651edcbf8dd587c9c6e

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

c583c3f2345654957827ee152d29ce87a374c27bac4d90d052b9fec83131ac7c

MD5 hash:

e1eea9b88a4c828217215028196518e5

SHA1 hash:

72779b0a61e2f42aa10b0de3c4cd1460b9ce13b6

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

52701e2808de643baf6789222e4c2422cca70733222cd2e6d0b9f36a4f6eeabc

MD5 hash:

71a718d5f6f6a69ce1e844fec2a06f53

SHA1 hash:

5e3d339c99bb37e485eeadb71c9aa72a8e06fdab

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

2f74ece678bdec08b4bdfee5a084d109e6f5adc42a12ae8ecce95c09ff12d0ae

MD5 hash:

a8133374add8bcc44638a1fd2b5e8172

SHA1 hash:

3f3062a3c233fe434011106775e8baea466a6a75

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

3dcf1c5cb1b65d5d59edcc8c7d5b521ee27f26c996cefcf6f9ff4d9e05adcbe4

MD5 hash:

0ab03929e4442a16dba9c5a82feadd96

SHA1 hash:

3f191602955d9254ace5a88d91cab1bdf622c324

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

147c89071ccbb5790a9c81acdbe5975f96dc130866e7dda2f299dc7e8528205f

MD5 hash:

d1f3309c8b6896b1bfc93153baedb2ee

SHA1 hash:

3522c85609d8e6926e982daf604d90050b3c9da4

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

e723202408260802edaa3d7068061214f80053b813ccbc92a8e3d33570fff4a4

MD5 hash:

49ed94edea7d0eaa33e9ccc0d2f7488b

SHA1 hash:

31e3f5177e3e17a7611e0218a8d01cc4b80e91df

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

60c2bb10465d00632f49101774d1592a898722080e2f5fef336e045be9259f68

MD5 hash:

90b9df8e6a96b5862d95a5e41f848848

SHA1 hash:

2152867746ed01c0532009590220cee9150d2380

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f

MD5 hash:

4f9c74430d72b9500a0d99cc28fc7a7e

SHA1 hash:

a67cf6a62a6cabec501aa2f14e97c48b71dbd97c

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

c598a971f1d8bc58362396b10df4359654354e6c7b1b56741cea2a532e9bdd94

MD5 hash:

3367116dc59fc2b806bb5ec8c36bf2b6

SHA1 hash:

f4fb01a1efff6c7969383ccf7f64e4ac8cfc2c6f

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

Parent samples :

bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf

SH256 hash:

6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c

MD5 hash:

c5124caf4aea3a83b63a9108fe0dcef8

SHA1 hash:

a43a5a59038fca5a63fa526277f241f855177ce6

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

cd79062f5de3b7ce8df686816120f13f4c6b048d5500afcc1c2bbb0dd1b5f6da

MD5 hash:

75a9629a0e41984b4cde9f2c92ae1f42

SHA1 hash:

34e93a98af7289382be1f8d953096061d9c854ac

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

86a352628dea7ac352e6cfdeaf3b335ffeb81bea2ac4f2ff0d2217f920e01c41

MD5 hash:

a905a86f07742e58cac582cd1e8d6d7f

SHA1 hash:

1ac748c0b20445437f357120ff76d0a25d8b0120

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

d255a6e612bff76fa1df6ffcabcd54e262588b1f3428c3e0eb771a8a60fdfc6a

MD5 hash:

e8937f6410d5c3ce59bb64e0be25d31e

SHA1 hash:

3c40bdaf3189120ef36cab0bc243f1c80f969d04

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

db956855f3137df6e5f1fccb5a69edd98dff0858b9f04a294f011d373b6ecdac

MD5 hash:

4a61af6e32a6d7ed79d8cca4c3e68cf3

SHA1 hash:

c7a697361ef3aba59ca0a9d01e52bd0a96093dcb

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

00fcd5b83c00ecf885bc3efdd6f49071f4e20b8042bca1f5517b9f5d4ed28a19

MD5 hash:

792e4321b5be90cedf02d491277fb316

SHA1 hash:

41a8a80594dbef973164d71ac2aa1eba3050e84b

Detections:

win_socelars_auto

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

SH256 hash:

0e8cfcf628f5194908892cbd2cadc68e685bef5101a6230d0d71110c88d4a9ac

MD5 hash:

a9ad2c5948af7770c665d6e87b668090

SHA1 hash:

5db6a5a016449148fe73c00bb840ffc27f770ef6

Link:

https://www.unpac.me/results/84209d87-52fc-4ab1-be99-c1f508e9b66f/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0e8cfcf628f5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0e8cfcf628f5194908892cbd2cadc68e685bef5101a6230d0d71110c88d4a9ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/194200/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample