MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 149a77617331e9e1ac97571ab85ff42dd11d2cc02e2463dbf15ef0830b9e08f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9



SHA256 hash: 149a77617331e9e1ac97571ab85ff42dd11d2cc02e2463dbf15ef0830b9e08f4
SHA3-384 hash: bf5575de7492e9855c94f797475c1bd1ec6aebd92835133c9b23cd392cc87f5134a1cf744b27644c7a2c6f2d53b54f89
SHA1 hash: 5ea6bd0847b687576143421fd709976e466c7928
MD5 hash: 447277242f41c97d99d42ad49e14bcab
humanhash: spring-fix-montana-quebec
File name: 447277242F41C97D99D42AD49E14BCAB.exe
Signature: RedLineStealer
File size: 6'558'767 bytes
First seen: 2021-06-26 20:20:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
Note: an imphash shared by three stealer families fingerprints a common packer or installer stub, not the RedLine payload itself; pivot on it for the loader, not for the family.
ssdeep: 98304:pAI+5p+goreqMswPavGIM45Uz8hyraVTe5fh8ndc3sTURdcsGc4Z/mjjAHlo/:it5p+gyhio5UzQbMBZRfGcbjjalo/
Threatray: 753 similar samples on MalwareBazaar
TLSH: 4F66332663018677D29026758A0F71B7B43AB7890F7921CF6BC95B391C32A0D27F47E9
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.82.202.241:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox reference
185.82.202.241:80    https://threatfox.abuse.ch/ioc/154291/
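The C2 endpoint above, together with the aritashl.xyz:80 endpoint from the vendor Malware Config extraction further down, is what a responder would sweep network telemetry for. The script below is an added example, not code from MalwareBazaar, ThreatFox or abuse.ch. It reads a constructed, tab-separated connection log (timestamp, source IP, destination host or IP, destination port; an assumed format, not a real Zeek or proxy schema) and reports hits in two tiers: the C2 endpoints this entry publishes, and the shared third-party hosts the sandbox saw the sample contact (ip-api.com, a tumblr.com profile, an S3 bucket), which are context for an analyst rather than something to block.

```python
"""Match network telemetry against the IOCs published on this entry.

Added example; not code from MalwareBazaar, ThreatFox or abuse.ch. The log
format, the sample lines and the internal IPs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Tier "c2": endpoints this MalwareBazaar entry lists as RedLine C2.
C2_ENDPOINTS: Dict[str, int] = {
    "185.82.202.241": 80,   # reporter comment; ThreatFox IOC 154291
    "aritashl.xyz": 80,     # vendor "Malware Config" C2 extraction
}

# Tier "context": legitimate shared infrastructure the sandbox run contacted.
# A hit says "this host behaved like the sample", not "block this host".
CONTEXT_HOSTS = {
    "ip-api.com",                                       # external IP lookup seen in the run
    "sergeevih43.tumblr.com",                           # blog host contacted by RunWW.exe
    "thingsx84zqn5ejq63cs.s3.eu-west-1.amazonaws.com",  # S3 bucket contacted by the installer stages
}


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    tier: str         # "c2" or "context"
    indicator: str
    port_match: bool  # for "c2": destination port equals the published port


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def host_matches(observed: str, indicator: str) -> bool:
    """Exact match, or a subdomain of a domain indicator.

    IP indicators never match by suffix, so an unrelated hostname that happens
    to end in the digits of the C2 address cannot produce a hit.
    """
    observed = observed.lower().rstrip(".")
    indicator = indicator.lower()
    if observed == indicator:
        return True
    return not _is_ip(indicator) and observed.endswith("." + indicator)


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Constructed format: '<ts>\\t<src_ip>\\t<dst_host_or_ip>\\t<dst_port>'."""
    if line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    try:
        return parts[0], parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def scan(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        for host, port in C2_ENDPOINTS.items():
            if host_matches(dst, host):
                hits.append(Hit(ts, src, dst, dport, "c2", f"{host}:{port}", dport == port))
        for host in CONTEXT_HOSTS:
            if host_matches(dst, host):
                hits.append(Hit(ts, src, dst, dport, "context", host, True))
    return hits


# Constructed log lines, not real telemetry.
SAMPLE_LOG = [
    "#ts\tsrc\tdst\tdport",
    "2021-06-26T20:25:01Z\t10.0.0.5\t185.82.202.241\t80",
    "2021-06-26T20:25:02Z\t10.0.0.5\tcdn.aritashl.xyz\t80",
    "2021-06-26T20:25:03Z\t10.0.0.5\tnotaritashl.xyz\t80",
    "2021-06-26T20:25:04Z\t10.0.0.5\tip-api.com\t80",
    "2021-06-26T20:25:05Z\t10.0.0.7\t185.82.202.241\t8080",
    "2021-06-26T20:25:06Z\t10.0.0.7\twww.example.com\t443",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} [{h.tier}] {h.indicator}"
              + ("" if h.port_match else " (port differs from published C2 port)"))
```

A connection to the C2 address on a port other than the published one is still reported, only flagged as a port mismatch: RedLine operators move ports, and the address is the stronger half of the indicator. The context tier is deliberately never a block decision; blocking ip-api.com or an S3 endpoint on the strength of this entry would break legitimate software.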

Intelligence


File Origin
# of uploads: 1
# of downloads: 156
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 447277242F41C97D99D42AD49E14BCAB.exe
Verdict: No threats detected
Analysis date: 2021-06-26 20:21:22 UTC
Tags: installer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine infostealer
Verdict: Malicious

Result
Threat name: Backstage Stealer Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 440908
Sample: IZNzZi2xvv.exe
Start date: 26/06/2021
Architecture: WINDOWS
Score: 92

Signatures on the run as a whole:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Multi AV Scanner detection for domain / URL
  Found malware configuration
  12 other signatures

Process tree recovered from the graph (dropped files, network contacts and signatures listed under the process they belong to; destination ports only):
  IZNzZi2xvv.exe
    dropped: C:\Program Files (x86)\...\lylal220.exe (PE32); C:\Program Files (x86)\...\hjjgaa.exe (PE32); C:\Program Files (x86)\...\guihuali-game.exe (PE32); 5 other files (4 malicious)
    RunWW.exe
      network: 159.69.20.131:80 (HETZNER-AS, Germany); sergeevih43.tumblr.com 74.114.154.22:443 (AUTOMATTIC, Canada)
      dropped: C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 11 other files (none malicious)
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      cmd.exe
        conhost.exe
        taskkill.exe
        timeout.exe
    guihuali-game.exe
      dropped: C:\Users\user\AppData\Local\...\install.dll (PE32); C:\Users\user\AppData\...\adobe_caps.dll (PE32)
      rundll32.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      conhost.exe
    lylal220.exe
      dropped: C:\Users\user\AppData\Local\...\lylal220.tmp (PE32)
      lylal220.tmp
        network: 52.218.54.11:80 (AMAZON-02, United States); thingsx84zqn5ejq63cs.s3.eu-west-1.amazonaws.com
        dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_&HUmmel.exe (PE32)
        _&HUmmel.exe
          network: 185.227.110.219 (LEASEWEB-NL-AMS-01, Netherlands)
          dropped: C:\Program Files (x86)\...\Nenylaefavo.exe (PE32); C:\...\Nenylaefavo.exe.config (XML); C:\Users\user\AppData\...\Turacynobe.exe (PE32); 2 other files (none malicious)
          irecord.exe
            dropped: C:\Users\user\AppData\Local\...\irecord.tmp (PE32)
    4 other processes
      network: ip-api.com 208.95.112.1:80 (TUT-AS, United States); 88.99.66.31 (HETZNER-AS, Germany); 3 other IPs or domains
      dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32); C:\Program Files (x86)\...\v7gxYovrHNOU.exe (PE32); C:\Users\user\AppData\Local\...\LabPicV3.tmp (PE32); 2 other files (none malicious)
      jfiag3g_gg.exe
        signatures: Tries to harvest and steal browser information (history, passwords, etc)
      LabPicV3.tmp
        network: s3-r-w.eu-west-1.amazonaws.com 52.218.90.136:80 (AMAZON-02, United States); 192.168.2.1 (unknown); thingsx84zqn5ejq63cs.s3.eu-west-1.amazonaws.com
        dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\gucca.exe (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        gucca.exe
          network: 173.222.108.226 (AKAMAI-ASN1, United States); 162.0.210.44 (ACP, Canada)
      Browzar.exe
        network: www.browzar.com 139.59.176.201:80 (DIGITALOCEAN-ASN, Singapore)
      3 other processes
  svchost.exe
    signatures: System process connects to network (likely due to code injection or exploit); Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
    svchost.exe
      network: email.yg9.me 198.13.62.186 (AS-CHOOPA, United States)
      signatures: Query firmware table information (likely to detect VMs)
    svchost.exe
  svchost.exe
  svchost.exe
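The signature list and the graph above describe one chain worth detecting on a real host: a process writes into and starts a thread in another process, and the injected process (an svchost.exe here) then talks to the internet. The script below is an added example, not the sandbox vendor's code and not MalwareBazaar's. It correlates three Sysmon event types, EventID 10 (ProcessAccess), 8 (CreateRemoteThread) and 3 (NetworkConnect), over constructed events that mirror the graph (rundll32.exe as the injector, svchost.exe as the target). The process ids, the injection target, the Defender event and the benign connection are assumptions for the example, not values from the report.

```python
"""Correlate Sysmon events into the injection chain the report describes.

Added example; not the sandbox vendor's code and not MalwareBazaar's. The
events, pids and the choice of target are constructed.
"""
from typing import Dict, List, Tuple

# Win32 process access rights needed for write-then-thread injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
DEFENDER = r"C:\Program Files\Windows Defender\MsMpEng.exe"

# Constructed Sysmon events (field names as Sysmon emits them), in time order.
SAMPLE_EVENTS: List[Dict] = [
    # AV engine opening svchost with PROCESS_QUERY_LIMITED_INFORMATION only: not an injection handle.
    {"EventID": 10, "SourceImage": DEFENDER, "SourceProcessId": 3000,
     "TargetImage": SVCHOST, "TargetProcessId": 1234, "GrantedAccess": "0x1000"},
    # rundll32 opens svchost with PROCESS_ALL_ACCESS (covers VM_WRITE, VM_OPERATION, CREATE_THREAD).
    {"EventID": 10, "SourceImage": RUNDLL32, "SourceProcessId": 4412,
     "TargetImage": SVCHOST, "TargetProcessId": 1234, "GrantedAccess": "0x1F3FFF"},
    # ...and starts a thread in it.
    {"EventID": 8, "SourceImage": RUNDLL32, "SourceProcessId": 4412,
     "TargetImage": SVCHOST, "TargetProcessId": 1234, "StartAddress": "0x00A10000"},
    # An unrelated svchost talking to the internet: routine, no alert.
    {"EventID": 3, "Image": SVCHOST, "ProcessId": 5678,
     "DestinationIp": "40.126.31.3", "DestinationPort": 443},
    # The injected svchost connects out (address taken from the svchost.exe node in the graph).
    {"EventID": 3, "Image": SVCHOST, "ProcessId": 1234,
     "DestinationIp": "198.13.62.186", "DestinationPort": 80},
]


def correlate(events: List[Dict]) -> List[Dict]:
    """Return one alert per process that was injected into and then connected out.

    State per target pid: a ProcessAccess granting the full INJECT_MASK opens a
    candidate; a CreateRemoteThread from the same source pid confirms it; the
    first NetworkConnect from the target afterwards raises the alert. Events
    are assumed to arrive in time order.
    """
    opened: Dict[int, Tuple[str, int]] = {}      # target pid -> (source image, source pid)
    confirmed: Dict[int, Tuple[str, str]] = {}   # target pid -> (source image, target image)
    alerts: List[Dict] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 10:
            granted = int(ev["GrantedAccess"], 16)
            if granted & INJECT_MASK == INJECT_MASK:
                opened[ev["TargetProcessId"]] = (ev["SourceImage"], ev["SourceProcessId"])
        elif eid == 8:
            tpid = ev["TargetProcessId"]
            src = opened.get(tpid)
            if src is not None and src[1] == ev["SourceProcessId"]:
                confirmed[tpid] = (src[0], ev["TargetImage"])
        elif eid == 3:
            pid = ev["ProcessId"]
            if pid in confirmed:
                src_image, target_image = confirmed.pop(pid)
                alerts.append({
                    "rule": "injected process connects to network",
                    "source": src_image,
                    "target": target_image,
                    "target_pid": pid,
                    "destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two caveats. svchost.exe connecting outbound is routine, so the network event alone is never the signal; only the chain is alerted on. And the second injection technique the report lists, hijacking an existing thread via its context and debug registers ("Sets debug register", "Modifies the context of a thread in another process"), creates no new thread and so produces no EventID 8; catching that path needs an EDR or ETW source that sees SetThreadContext, not this correlation.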
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-06-24 08:51:20 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:plugx family:redline family:vidar botnet:j_4 discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Vidar Stealer
PlugX
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
aritashl.xyz:80
Unpacked files

SHA256 hash: 65f98eb1bd74be760347444759dc816353596007fbf812f468f1970642fd93be
MD5 hash: 34c05215a0f10cb14b86fb01d323bded
SHA1 hash: b32fbeeb716aac1c205ff55da3bb7ac0c0741b03

SHA256 hash: fb72c4967b9c994a0ed1dee50c920d77be611979809b6ffb9cd2355114047d22
MD5 hash: e4ea786be806af52b417610df146a218
SHA1 hash: 579ad12118572830620285cc0c3dd522dd36eeda

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 0fc7f0c129ca2e6c3113562750ddf74b65fd6741b270a44ea57c26e0d3d01969
MD5 hash: 292d16c32ec43a98e5cbab23d2d71367
SHA1 hash: e8b03dcc8f0c81381a31c0c07974adcfab112504

SHA256 hash: 0e9de0ee8317e2b29582f4fb4b0932e191e4a68861f76f4cf05d3eec64b53762
MD5 hash: 0f5ae717541fbb1bce073fc1da59c089
SHA1 hash: 86f4aeea1898ef7c46582f5094095de8b0848c7d

SHA256 hash: a02fceaa71181bfcab5293031bc2ed2cdef26a970ed161a6e86813d6b2ecee10
MD5 hash: 8a87f202cc923e95f499138212e23980
SHA1 hash: 2596f81c71affb1b79eb2fb8d4b79e922ae66d61

SHA256 hash: 01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7
MD5 hash: 5e6df381ce1c9102799350b7033e41df
SHA1 hash: f8a4012c9547d9bb2faecfba75fc69407aaec288

SHA256 hash: b26d99296cc1f38ad735c36a305eb206b8a9022e92b463886ed918f42dee0b04
MD5 hash: 9decb9ebf19e4e45bd75f175140e1018
SHA1 hash: c9d35d2bc78dd37270dbe17f2555324c6f560d11

SHA256 hash: 6bea897b06441f33f33764c26f62c206666a204768cf3e5c0ae6912d8e86780f
MD5 hash: 128250f29b71047e68f7b2ba44b10535
SHA1 hash: fc7fbe41eec8ac9e286451ade80a2f5c7abddc1c

SHA256 hash: 322b79e056455563687b40b43edcef421c944c43797a1b2cce351bd8c292f113
MD5 hash: 0a23de14c3154c61d6cbb966c7c76574
SHA1 hash: a31dbbc2ad5b56205d02fdd89f8fdc8ecb734504

SHA256 hash: ff499ee00fe13c18c79d627a2f5f12f3f39755b9f64d3b84d45b2ce32c85f643
MD5 hash: c9631bfa7f9b56ac5658531a73d0a0f6
SHA1 hash: 2a7a9c9558e01dcf225fa6e7142c3d386c798c57

SHA256 hash: 04cd9aa0aabd033162f3d621409d013d80bec7c2cc9c9f4ade147ba7bed0c088
MD5 hash: f2752ae579b79067dc4626714dda0da5
SHA1 hash: a2315234abaa184e1d5c1ab508db99616df0d597

SHA256 hash: 149a77617331e9e1ac97571ab85ff42dd11d2cc02e2463dbf15ef0830b9e08f4
MD5 hash: 447277242f41c97d99d42ad49e14bcab
SHA1 hash: 5ea6bd0847b687576143421fd709976e466c7928
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com
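Two of the rules above encode checks that are worth understanding outside YARA, because they are what an analyst would reach for when triaging a packed installer like this one. The script below is an added example; it is not the rule authors' code, not MalwareBazaar's, and not a replacement for the rules. find_xored_stub() does by hand what YARA's `xor` string modifier does for SUSP_XORed_MSDOS_Stub_Message: it looks for the DOS stub text under every single-byte XOR key, which is how an embedded or encrypted second PE shows up inside a file. timestamp_in_future() is the idea behind the stomped-compilation-timestamp rule: an IMAGE_FILE_HEADER.TimeDateStamp later than the current time. The PE bytes come from build_min_pe(), a constructed header, not from the sample on this page.

```python
"""Two YARA-rule ideas from this entry, written out in Python.

Added example; not the rule authors' code and not MalwareBazaar's. The PE
buffer is constructed by build_min_pe(), not read from the sample.
"""
import struct
import time
from typing import List, Optional, Tuple

DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def find_xored_stub(data: bytes, skip_plain: bool = True) -> List[Tuple[int, int]]:
    """Return (offset, key) for each place DOS_STUB_MSG occurs XORed with a
    single-byte key. The plaintext copy (key 0x00) is skipped by default
    because every ordinary PE carries one; a second copy under a non-zero key
    is the suspicious finding.
    """
    hits = []
    n = len(DOS_STUB_MSG)
    first = DOS_STUB_MSG[0]
    for i in range(len(data) - n + 1):
        key = data[i] ^ first          # the only key that could work at this offset
        if key == 0 and skip_plain:
            continue
        if all(data[i + j] ^ key == DOS_STUB_MSG[j] for j in range(1, n)):
            hits.append((i, key))
    return hits


def pe_timestamp(data: bytes) -> int:
    """Read IMAGE_FILE_HEADER.TimeDateStamp; raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_in_future(data: bytes, now: Optional[int] = None, slack: int = 86400) -> bool:
    """True if the compile timestamp is more than `slack` seconds past `now`.
    The slack absorbs clock skew between the build machine and the analyst box."""
    now = int(time.time()) if now is None else now
    return pe_timestamp(data) > now + slack


def build_min_pe(timestamp: int, stub_key: int = 0) -> bytes:
    """Constructed minimal PE-shaped buffer: DOS header with e_lfanew=0x80, the
    stub message (XORed with stub_key if non-zero), PE signature, COFF header.
    Enough for the two checks above and nothing else."""
    stub = bytes(b ^ stub_key for b in DOS_STUB_MSG)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)   # 64-byte IMAGE_DOS_HEADER
    dos += stub.ljust(0x80 - len(dos), b"\0")              # stub area up to e_lfanew
    # Machine=i386, 1 section, TimeDateStamp, PointerToSymbolTable=0,
    # NumberOfSymbols=0, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    now = int(time.time())
    sample = build_min_pe(now + 30 * 86400, stub_key=0x5A)   # stomped, with a hidden stub
    print("xored stubs:", [(hex(o), hex(k)) for o, k in find_xored_stub(sample)])
    print("timestamp in future:", timestamp_in_future(sample, now=now))
```

The XOR scan derives the candidate key from the first byte and only then checks the rest, so it costs one comparison per offset in the common case; YARA's `xor(0x01-0xff)` modifier does the equivalent search. A stomped timestamp is a hint, not proof: Delphi and some .NET toolchains write odd TimeDateStamp values, and a legitimately built binary can also carry one from a misconfigured build host, which is why the check keeps a day of slack.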

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments