MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer


Vendor detections: 12



SHA256 hash: 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a
SHA3-384 hash: 5a0823bd800e584d1143520f3c809f3357722c96228544214dfad71cdd929587244a0d2354e079dc9d241d518503123a
SHA1 hash: 45fec5886bbb883664d616af5292383f3e1b985b
MD5 hash: acad5e6af6cfb4fe316c104033a77949
humanhash: ten-summer-two-spring
File name: acad5e6af6cfb4fe316c104033a77949.exe
Signature: RedLineStealer
File size: 7'117'302 bytes
First seen: 2022-02-03 16:05:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:J1xxHANOW7UR/VI5KtzCcoqFNVM5Ag384:J1xxjW7UR/qKtBoqKR384
TLSH: T15E66336F9408938BFD653978236CDF5C6968803B11F092BA6B43968D74376CBFF88446
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
116.203.252.195:22021

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
116.203.252.195:22021    https://threatfox.abuse.ch/ioc/377489/

Intelligence


File Origin
# of uploads:
1
# of downloads:
160
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Trojan.CrypterX
Status:
Malicious
First seen:
2022-02-01 18:02:12 UTC
File Type:
PE (Exe)
Extracted files:
344
AV detection:
33 of 43 (76.74%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
Result
Malware family:
socelars
Score:
  10/10
Tags:
family:onlylogger family:redline family:smokeloader family:socelars botnet:media272260 botnet:newmast2 botnet:v1user1 aspackv2 backdoor discovery infostealer loader persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates processes with tasklist
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://www.tpyyf.com/
116.203.252.195:22021
92.255.57.115:11841
169.197.141.182:47320
http://dollybuster.at/upload/
http://spaldingcompanies.com/upload/
http://remik-franchise.ru/upload/
http://fennsports.com/upload/
http://am1420wbec.com/upload/
http://islamic-city.com/upload/
http://egsagl.com/upload/
http://mordo.ru/upload/
http://piratia-life.ru/upload/
Unpacked files
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash:
4f93004835598b36011104e6f25dbdba
SHA1 hash:
6cb45092356c54f68d26f959e4a05ce80ef28483
SHA256 hash:
5d008672ae6ada9f0eb9b361376f849642ccd2f13db18154033b1fdce9c0caa6
MD5 hash:
a953474fbfc68274f8b0002112d4242f
SHA1 hash:
c9cee8c430c7da3662bed515d08f93e04701f75e
SHA256 hash:
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash:
83b531c1515044f8241cd9627fbfbe86
SHA1 hash:
d2f7096e18531abb963fc9af7ecc543641570ac8
SHA256 hash:
6460754c17ab602b0ddfd2a82e637748b4a54139f6dbefa848ff01722a077acc
MD5 hash:
64638fe3e9d9acbcfe027bac3d0a7fab
SHA1 hash:
ff0d35497c4d6676a01a57db299df9847b382126
SHA256 hash:
fbd174a024960476b70c48477434cf7ad6d8f33c3cc2d074ccfe562249de3481
MD5 hash:
65f2496f6c40403868185203ba6c4cfe
SHA1 hash:
a60cd3bfa2377dbd2d8af2519d6855cb25250e91
SHA256 hash:
b8576f14934c6cd0b22586dcbe8b8c65fcc045bf960b0a4bfb5115a8451bb9dd
MD5 hash:
0eb1283fa0372e6c405a79877420547b
SHA1 hash:
6ee559a6496c4533139124da12355a454c0f1cba
SHA256 hash:
6297ab30f167af0fd880421d2487bd8b80c2dd49beead40ca712b88cc7645050
MD5 hash:
9e76ac72d328bdcdca53e10f2950bc9a
SHA1 hash:
1ca77f4c7727b625f99834e732dfda454811516e
SHA256 hash:
64a624afa6c19960b53bd1341107113aae344301556c1d14de15d51ec53ae853
MD5 hash:
1acb3d7a56d112ac33c0e0e5aadac0f8
SHA1 hash:
0e8ae4cbcf57c888aa69f0763fead78e9bb974fe
SHA256 hash:
1541deaa3463d8ce8546ac0564e0ce75500506064d79a4f4e741eaa602b84865
MD5 hash:
2ebf190d2e8e7ec1c87ca73a61841890
SHA1 hash:
0a686321bb7c13ff9caad72f9b87c78c1cd1dc84
SHA256 hash:
2e2b9dc731a6b7d47a8467412e8e94aff9fc8b024dbf52445f4ca263145677af
MD5 hash:
dc7be261208e33be61030516d0bef515
SHA1 hash:
08ee0506ff54f82c9bdb447f2dab5b86b6038920
SHA256 hash:
e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
MD5 hash:
ce54b9287c3e4b5733035d0be085d989
SHA1 hash:
07a17e423bf89d9b056562d822a8f651aeb33c96
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
69c11861632920ecd6ad64e4daa7a75f53118e7624e655e70eae21983dafef80
MD5 hash:
858cc72c8d173150c4d12f862d86dea1
SHA1 hash:
389f375e9f833472d34ef931748fbe192c7bb140
SHA256 hash:
c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0
MD5 hash:
da70ba6fa59896248f7c05fdcb7d581e
SHA1 hash:
174cb2b083e327a362b6ecac68fe939a40743ffb
SHA256 hash:
9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f
MD5 hash:
32404da1b26037746f9bf0d5628ea968
SHA1 hash:
8d2bf53983638235d5cc2f81171839801ba02e84
SHA256 hash:
e79ff194eb355b0ff63a5cfd5f6e94367ff2f267d60c9f2df6cbc844bd115e06
MD5 hash:
9d9c68549cf06b0485742e0865f5390c
SHA1 hash:
b23241ac8419df6bb0a930ac80cdae9edbd55893
SHA256 hash:
85b8d24e6b0093d31cd819454a8ba9b18feea2a1ccaa5e767b55cc76f657caab
MD5 hash:
7512ed825c8530292b5cd416e9580ef0
SHA1 hash:
8dee98453b749fe3231caa5fafc9ba8bbba83657
SHA256 hash:
eb93ac9974092fc7bf707ff9727d52e1d1b1bfa8300e107730fdb600ff6ee34d
MD5 hash:
2b357eabe6ad675406267a59446aab99
SHA1 hash:
48c548bf4971429951d5a5f79ced721f5cbc4988
SHA256 hash:
34cffd65bcf5095e38bd71c5d08fa89e6c0a4a0d55f15d3462b7e29b250478e3
MD5 hash:
83d705c9e120fb4ac9069772ab9def42
SHA1 hash:
83a4d7f3e3b693d6572e39a9a2bc2c12399cec9b
SHA256 hash:
20d14d46c8af0ba6429626e9672ad3682c4a0c78d3d68f8591adceef1a27666a
MD5 hash:
6a87d88cfb6977cee2413ef078a23ebb
SHA1 hash:
663c117e8af8500a13b20ffe8105eecfd5b29a28
SHA256 hash:
673284fffad0190365e16f3790466090b457fbea101eae646173b7250bba4d80
MD5 hash:
21eaeee4eebf727db2fa288e858edcad
SHA1 hash:
c03be8a97a2cbd6d0fef1da7c24df6a7dd3ed2fb
SHA256 hash:
b7514590bc52cbece1f1edd81269fdcdbededddaef62b1020432ebcbaf6885a8
MD5 hash:
05b694a09d7fa87d5be9bccca8d0cb2e
SHA1 hash:
deb0eaa1da0c97267890fb570b6e9bed84a5241e
SHA256 hash:
a0aa468c9f90c9039c97d83bf67846e37d0ccb77fea2fb9658238f53da4adf47
MD5 hash:
4eca6482f122de6949a1862b26a19c7e
SHA1 hash:
712fc1985ebeaa0582f9576e72b6e24ef6aeb545
SHA256 hash:
c93f4eb7cf4ba741fbf40ec8798fa07a62e189f7bea812a484127c5e88020b4a
MD5 hash:
416e71d14c453723e442a90c4906e586
SHA1 hash:
ac51054720346d5b75644c79f4a21db90e586090
SHA256 hash:
588b4892b797764d469f062f948a206b79fe7ab8a4d972d29cd291d579edeadc
MD5 hash:
4591fc1d1d538ac3c3564e0fc281dddb
SHA1 hash:
6ca41d9bbec32353bc76d28f18f06dc76d7f0665
SHA256 hash:
0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a
MD5 hash:
acad5e6af6cfb4fe316c104033a77949
SHA1 hash:
45fec5886bbb883664d616af5292383f3e1b985b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments