MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 15f4e965344a38b07713363133e6624f72db10cb297967e91608eec1020e6b1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 12
| SHA256 hash: | 15f4e965344a38b07713363133e6624f72db10cb297967e91608eec1020e6b1d |
|---|---|
| SHA3-384 hash: | 9da6e88a98e91f82102e776782240edb3edacedad6dde26fa9df67ea642c737049a13e6b5797ae207c67486852b05e43 |
| SHA1 hash: | f4723a92fb1c26fcd2f1cd9e8ce7b4a9c0e4f49b |
| MD5 hash: | 0cc27690e2886c785a303112d1480b55 |
| humanhash: | nine-nine-paris-football |
| File name: | 15F4E965344A38B07713363133E6624F72DB10CB29796.exe |
| Signature: | RedLineStealer |
| File size: | 4'222'941 bytes |
| First seen: | 2022-03-03 20:01:59 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox) |
| ssdeep: | 98304:yOBCpDMQ02DV6VvtPjVfhVOf2MzuXdgOONLp:yOUl3DoVlnVOf2rGOy |
| TLSH: | T1C71633A5163CCAE9D7C83432FE1489F87A95BC0206355BA6BB0F619FD4A5FD950823B0 |
| dhash icon: | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter: | |
| Tags: | exe RedLineStealer |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 109.248.175.92:30766 | https://threatfox.abuse.ch/ioc/392367/ |
| http://fuyt.org/test3/get.php | https://threatfox.abuse.ch/ioc/392368/ |
| 62.204.41.34:28567 | https://threatfox.abuse.ch/ioc/392369/ |
Intelligence
File Origin
# of uploads: 1
# of downloads: 254
Origin country: n/a
Vendor Threat Intelligence
Detection: n/a
Detection(s):
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: Malicious
Result
Threat name: RedLine Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Threat name: Win32.Infostealer.Reline
Status: Malicious
First seen: 2022-03-02 22:54:00 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 30 of 42 (71.43%)
Threat level: 5/5
Detection(s): Suspicious file
Verdict: malicious
Result
Malware family: vidar
Score: 10/10
Tags:
family:djvu family:onlylogger family:redline family:socelars family:vidar botnet:333333 botnet:706 botnet:fullwork1488 botnet:mix2 botnet:pab777 botnet:ruzki (check bio) botnet:test aspackv2 discovery evasion infostealer loader ransomware spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Enumerates system info in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger Payload
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
45.132.1.57:15771
185.215.113.15:6043
109.248.175.92:30766
http://fuyt.org/test3/get.php
103.133.111.182:44839
https://kipriauka.tumblr.com/
https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/
91.243.32.165:41754
31.210.20.42:13040
Dropper Extraction:
http://62.204.41.192/-LOD/LOD.exe
http://62.204.41.192/-A/AutoRun.oo
http://62.204.41.192/-RED/RED.oo
http://62.204.41.192/AMSI/ecco.exe
http://62.204.41.192/AMSI/css.bat
Unpacked files
| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| 835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3 | 6961557695f34a53cf8224be7c265fbe | f52d34d0b1dbd181f2acb21f42d875d514afb6f7 |
| 498944efaa6db3367630d509c70e0c38dbd6a4866aff12c74b4fad11be8457d0 | a483f99dbd6e0736b1633ff974f8cabf | e215abd888bddf7f9a60c676ff6bce1f3be443d9 |
| 472c60cc7331914dc278623886a1ded6abacaedc9175bdbe25f229e9404b4998 | de4fbaa09570bf64fc6abd79eba26e1e | b9b5b9dbb3e41118ff0d196d75f56f23802d0cbf |
| ae25cb941f3026c1da3db95f689d4dc493580c5900adcb856e62ece1fc591598 | e7d138a960df98a500620432b4d32cc0 | b03ed11d72da94a70dd0a35cf0fa5dff2ea248e0 |
| 7e8ab2ed54429298b113294747842b8fd93b3f3fbb9fe8f7258a9c72d55c7198 | 559a977f71fac38f3e1041d69767ba36 | 97ee13ae63acbce0a8a51217ec8ecb32a3669601 |
| fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831 | 052270e8e9cfb3512932e0df484caef4 | 85305fee690beea8458bab5d55d0368c47340501 |
| 919c6c2b3965ca1d56300c6e52fafb39f0cf9dc4d3ca18c49a777b8bcc1e584e | 99cf5194c8cb3e2c7afb0fa1d8cdb626 | 2beb75174ecea3192428611c6ca4030aa1694873 |
| 8fdfaa3e5cda057c8736c72c5e124f37801e7bf2f25c0c8d37f8351cc42224e5 | 369bff77587fc199940a3ad5050398b1 | 21a75c9856c57d71d0435e72b6439d935aeb695d |
| e173de6e79423d659886704dcaaf5848078ced4e14e0772e4f1e7b3931bb0862 | 95f9e24e7dd90ee5892743c58801db9f | f107fcd45e57e7b71193f1f1777b8377f5d3cda1 |
| e621e23cf07ea962557bce0f28940a8283135de86d3fd3d520d58115a8484982 | 35959e37d587e649357c57c2c5797a93 | b3f2ef17f1c45e34ea84a70285a14672034a97ae |
| 4266165affda48b7a0fc19e67760e2d0ff275bf5f66d463acdf89c17362c3022 | 6e5515bdee2907426548266c47390abc | 105000cfd2dcd2e5f5f5f9e1f5ab4eff4626473e |
| e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963 | f707252b9c9579677fffb013e0cfc646 | 8ab483023fa8773afb8c13464c39c5b8e687f126 |
| af4a9f20acedbf91b6d406a5fe0ff816e185f8467745d9f4bd2a241f4d202442 | 4e33f90a4d5e911be81753144f9bd382 | 488bb6cbee4e6ff248f11d3dc4adafd802914dbf |
| e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4 | 0dedd909aae9aa0a89b4422106310e9e | 271d36afa5b729ee590cf8066166ca5e9c9d0340 |
| 856406c9c7b31f0c00351ad33116eef6266e808f62707dbdd452d78d87c15b49 | dcb44b893efae5ddd8cb122af5c988f2 | b7a5c73b39271c594545f0d35e5c1f739f37fa7f |
Detections: win_oski_g0
Parent samples:
71a117de440384fdc4b8fb690fc73674e9e2a9a75e68951ae798374808924264
33cbd9e39dd39a84d0426897605b17000046e0fb14399e9d0bf47b55c0e3ad8b
b10274561191cedb0b16d2a69fdcd4e5062edfe2621842eacd55945ffded3f57
6dfd902231e6aa1301c11eca21f5a29456aa020bfe1eb19d05541ab32316a326
2a9e7bc07bd4ec39c2beaa42ff35352bbe6400f899f70be8922688db70cc5357
15f4e965344a38b07713363133e6624f72db10cb297967e91608eec1020e6b1d
| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| eecf6da2199eea5c97cb21836e0c4afbe912ac6027332f9a038ae25abe5ea537 | c27543a65a36b15396e0a410f9087f01 | 12ef5ec7e3ef72d61e7b6d4846cd14bda92cf1ae |
| ba26989b512e3ac32a7b3f382793a5c84d5872f30b2c40f84f143e4d4cd136ec | 82a328ac2238831982903b4ae71c94a3 | f15856d3165372fa01e31f65d1da34727b66fe49 |
| 9b650dfed61bb608beb9afaec46538b6af8344aa41dfacce5ec4c5642999aa97 | 869199417d5b7f9ab6a0795a17187dd2 | b2abed170b14c5d232b0bd6f501cc123deb6d519 |
| eca6bdf287882d0fe55a77a5b28bb5df775e886f1e955870d81d421de6a40685 | 8259ac575ddd3ed61b6204c69a758e7c | dbb3a655a3539df9e281871decf3fdd8954e49c9 |
| f6053dcd97cb2fe237b8d9b1ba6321896fb5defd006054f89de044af3ecf5049 | 7c2c5a92e14d472de7ea4b8ce5c47a9f | 244cdb746d35ed9dd225d3f5117c7c6ebca4ff61 |
| 15f4e965344a38b07713363133e6624f72db10cb297967e91608eec1020e6b1d | 0cc27690e2886c785a303112d1480b55 | f4723a92fb1c26fcd2f1cd9e8ce7b4a9c0e4f49b |
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Malicious File
Score: 1.00