MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 14

SHA256 hash: 162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SHA3-384 hash: 119dda2b8ba332c9666e3eba0f39b35a01a81347dce28f2ff6236cb1b9d9733c49032fe48bcb90bee0c865e31615ebf8
SHA1 hash: caacd4418b1b992039d786779cd5228e83c109b1
MD5 hash: 29b4081bf50deb53377f03e7033690a8
humanhash: pizza-freddie-hamper-angel
File name: 162AB00C0E943F9548B04F3437867508656480585369C.exe
Signature: RedLineStealer
File size: 5'995'312 bytes
First seen: 2021-11-22 19:35:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox). The same import hash is shared by unrelated families, so it most likely reflects a common packer or installer stub rather than the payload and should not be used as a family-specific pivot on its own.
ssdeep: 98304:yTxrU9/iUFFfbSUKGcEAYly7HyeXJEMr2op9SLiVbLx4uCtIjhYVMFZ4XkC1IIpX:yTxwFSUNPaPNr2op9SLiRDPjh7Z4XD26
TLSH: T17056330B1FDCD44BF81A013F9B6B6F756B68453F96AE4043139E378E6AA908694087F4
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla). The icon hash is likewise shared across many families and is only a weak clustering signal.
Reporter: abuse_ch
Tags: exe RedLineStealer


Comment by abuse_ch:
RedLineStealer C2:
136.144.41.178:9295

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample. Each entry links to its ThreatFox record.

IOC                       ThreatFox reference
136.144.41.178:9295       https://threatfox.abuse.ch/ioc/252060/
62.112.9.39:80            https://threatfox.abuse.ch/ioc/252171/
64.56.70.117:46964        https://threatfox.abuse.ch/ioc/253274/
141.95.82.50:63652        https://threatfox.abuse.ch/ioc/253275/
185.186.143.241:12420     https://threatfox.abuse.ch/ioc/253276/
45.87.154.220:16714       https://threatfox.abuse.ch/ioc/253277/

Intelligence

File Origin
# of uploads: 1
# of downloads: 119
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 162AB00C0E943F9548B04F3437867508656480585369C.exe
Verdict: No threats detected (this vendor's result only; the sandbox results below classify the sample as malicious)
Analysis date: 2021-11-22 20:19:45 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour:
Creating a file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Searching for analyzing tools
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed stupid virut
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine SmokeLoader Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph (ID 526638, sample 162AB00C0E943F9548B04F34378..., start date 22/11/2021, architecture WINDOWS, score 100). Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 15 other signatures. Process tree, dropped files and network contacts as rendered in the graph:

162AB00C0E943F9548B04F3437867508656480585369C.exe
  drops C:\Users\user\AppData\...\setup_installer.exe (PE32)
  -> setup_installer.exe
     drops C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\AppData\...\libwinpthread-1.dll (PE32), C:\Users\user\AppData\...\libstdc++-6.dll (PE32), 3 other files (none malicious)
     -> setup_install.exe
        contacts 127.0.0.1 (unknown)
        drops C:\Users\user\AppData\...\e489f0967efbe9.exe (PE32), C:\Users\user\AppData\...\e2092c062afbff7.exe (PE32), C:\Users\user\AppData\...\b3cf6732dd6.exe (PE32), 5 other files (4 malicious)
        -> cmd.exe -> e489f0967efbe9.exe
              contacts 37.0.11.8 (WKD-ASIE, Netherlands), 37.0.8.235 (WKD-ASIE, Netherlands), 34.117.59.81 (GOOGLE-AS-AP, United States)
              drops C:\Users\...\xhDCbz6fPT8uAG5GDKxFmQFI.exe (PE32), C:\Users\...\uwj9KlR2Hj3wPgOGCQoRXlVT.exe (PE32+), C:\Users\...\tjxTIUeSf3iuaXkv9ZLEDb5u.exe (PE32), 39 other files (37 malicious)
              signatures: Antivirus detection for dropped file; Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); 2 other signatures
              -> 5doqv3AMmSbi8L1DsmipoTby.exe: drops C:\Users\user\AppData\Local\Temp\mypc.exe (PE32)
              -> XegfyeXv2VW5JFZkf1FzkvrA.exe: drops C:\Users\...\XegfyeXv2VW5JFZkf1FzkvrA.tmp (PE32)
              -> 6t3OVSkPbslkYn8APxb70B5T.exe
              -> 5 other processes
        -> cmd.exe -> b3cf6732dd6.exe
              contacts 185.230.143.16 (HostingvpsvilleruRU, Russian Federation)
              signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
        -> cmd.exe -> e2092c062afbff7.exe
              signatures: Machine Learning detection for dropped file
              -> explorer.exe (injected): drops C:\Users\user\AppData\Roaming\cabtsit (PE32); signatures: Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
        -> 9 other processes
              contacts 20.189.173.21 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
              -> 272cbf994.exe: contacts 5.9.162.45 (HETZNER-ASDE, Germany); signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
              -> 1097d894a6a6de3.exe: contacts 74.114.154.18 (AUTOMATTICUS, Canada); -> WerFault.exe
              -> 7ff03dd45.exe -> 7ff03dd45.exe -> conhost.exe
              -> 2 other processes: contact 3 other IPs or domains
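The behaviours the sandbox reports flag above (a dropped file being executed, a dropped executable injecting into explorer.exe which then writes a PE under AppData\Roaming, and Windows Defender real-time protection disabled through the registry) are what an endpoint detection should catch. The following is an added example, not code from MalwareBazaar or any of the vendors shown: a small stateful detector run over constructed Sysmon-style events (event IDs 1, 8, 11 and 13 with Sysmon's field names). The file paths in the events are illustrative, and the registry value DisableRealtimeMonitoring under Policies\Microsoft\Windows Defender\Real-Time Protection is an assumption, since the report only says real-time protection was disabled via the registry.

```python
"""Stateful detector for the dropper behaviours reported above, run over
constructed Sysmon-style events (added example, not vendor code)."""

# Assumed registry value behind "Disable Windows Defender real time protection (registry)".
DEFENDER_RTP_VALUE = r"\windows defender\real-time protection\disablerealtimemonitoring"
# System processes a dropped executable has no business injecting into.
SYSTEM_IMAGES = {r"c:\windows\explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)
# Locations the reports show payloads being dropped into.
USER_DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\documents\\")


def norm(path):
    """Case-fold a Windows path; None becomes the empty string."""
    return (path or "").lower()


def under_user_drop_dir(path):
    p = norm(path)
    return p.startswith("c:\\users\\") and any(d in p for d in USER_DROP_DIRS)


def detect(events):
    """Return (rule, detail) findings for a list of Sysmon-like event dicts.

    Event IDs follow Sysmon: 1 ProcessCreate, 8 CreateRemoteThread,
    11 FileCreate, 13 RegistryEvent (value set)."""
    created = set()      # files written earlier in this trace
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = norm(ev.get("Image"))
        if eid == 11:
            target = norm(ev.get("TargetFilename"))
            created.add(target)
            # "Benign windows process drops PE files": explorer.exe writing into AppData
            if image in SYSTEM_IMAGES and under_user_drop_dir(target):
                findings.append(("system_process_drops_file", f"{image} -> {target}"))
        elif eid == 1:
            # "Creating a process from a recently created file"
            if image in created:
                findings.append(("dropped_file_executed", image))
        elif eid == 8:
            src, dst = norm(ev.get("SourceImage")), norm(ev.get("TargetImage"))
            # "Unauthorized injection to a system process" (explorer.exe injected)
            if dst in SYSTEM_IMAGES and not src.startswith(SYSTEM_DIRS):
                findings.append(("remote_thread_into_system_process", f"{src} -> {dst}"))
        elif eid == 13:
            obj, details = norm(ev.get("TargetObject")), norm(ev.get("Details"))
            if obj.endswith(DEFENDER_RTP_VALUE) and "0x00000001" in details:
                findings.append(("defender_realtime_disabled", obj))
    return findings


# Constructed events mirroring the process tree above (paths are illustrative).
SAMPLE = r"C:\Users\user\Desktop\162AB00C0E943F9548B04F3437867508656480585369C.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"
RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": TEMP + r"\setup_installer.exe"},
    {"EventID": 1, "Image": TEMP + r"\setup_installer.exe", "ParentImage": SAMPLE},
    {"EventID": 8, "SourceImage": TEMP + r"\e2092c062afbff7.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\cabtsit"},
    {"EventID": 13, "Image": TEMP + r"\b3cf6732dd6.exe",
     "TargetObject": RTP_KEY, "Details": "DWORD (0x00000001)"},
    # benign: a console host from the system directory that was never dropped
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": TEMP + r"\7ff03dd45.exe"},
    # benign: the same value being set back to 0 is not a detection
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": RTP_KEY, "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The detector keeps state on purpose: "dropped file executed" is only meaningful when the file-create and process-create events are correlated within one trace, which is also why a sandbox can report it while a stateless log search cannot.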
Threat name: Win32.Ransomware.Stupid
Status: Malicious
First seen: 2021-08-11 08:52:20 UTC
File Type: PE (Exe)
Extracted files: 128
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:vidar botnet:706 botnet:ruzki botnet:udptest aspackv2 backdoor evasion infostealer spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction (the tags on this result list three families, redline, smokeloader and vidar, so not every entry below is necessarily a RedLine C2):
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
185.215.113.29:26828
193.56.146.64:65441
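Both the ThreatFox IOC list above and this C2 extraction are plain ip:port and URL strings, which is exactly the shape a detection pipeline consumes. The following added example (not MalwareBazaar's or ThreatFox's code) normalises such indicators and matches them against constructed key=value firewall/proxy log lines: sockets are matched exactly, URLs by host plus path prefix, DNS queries by host, and a weaker "ip-only" hit is reported when only the address matches. The log format, the "ip-only" tier and the private-range source addresses are assumptions of the example.

```python
"""Match the ip:port and URL indicators listed on this page against
key=value network log lines (added example; the log lines are constructed)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the ThreatFox list and the C2 extraction on this page.
IOCS = [
    "136.144.41.178:9295", "62.112.9.39:80", "64.56.70.117:46964",
    "141.95.82.50:63652", "185.186.143.241:12420", "45.87.154.220:16714",
    "185.215.113.29:26828", "193.56.146.64:65441",
    "https://lenak513.tumblr.com/", "http://aucmoney.com/upload/",
    "http://thegymmum.com/upload/",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_ioc(ioc):
    """Normalise one indicator to ('socket', (ip, port)) or ('url', (host, path))."""
    ioc = ioc.strip()
    if "://" in ioc:
        u = urlsplit(ioc)
        return ("url", ((u.hostname or "").lower(), u.path or "/"))
    host, _, port = ioc.rpartition(":")       # IPv4 only; IPv6 would need brackets
    ipaddress.ip_address(host)                 # raises ValueError on a bad address
    return ("socket", (host, int(port)))


def build_index(iocs):
    """Split indicators into exact sockets, (host, path) URLs and bare hostnames."""
    sockets, urls, hosts = set(), set(), set()
    for ioc in iocs:
        kind, value = parse_ioc(ioc)
        if kind == "socket":
            sockets.add(value)
        else:
            urls.add(value)
            hosts.add(value[0])            # so a DNS lookup of the C2 host also matches
    return sockets, urls, hosts


def match_line(line, index):
    """Return the list of (match_type, evidence) hits for one log line."""
    sockets, urls, hosts = index
    ioc_ips = {ip for ip, _ in sockets}
    fields = dict(KV.findall(line))
    hits = []
    dst, dport = fields.get("dst"), fields.get("dport")
    if dst and dport and dport.isdigit():
        if (dst, int(dport)) in sockets:
            hits.append(("socket", f"{dst}:{dport}"))
        elif dst in ioc_ips:
            # same host, other port: weaker evidence, worth a look but not a verdict
            hits.append(("ip-only", dst))
    if "url" in fields:
        u = urlsplit(fields["url"])
        host, path = (u.hostname or "").lower(), u.path or "/"
        for ioc_host, ioc_path in urls:
            if host == ioc_host and path.startswith(ioc_path):
                hits.append(("url", host + path))
    if "query" in fields and fields["query"].lower().rstrip(".") in hosts:
        hits.append(("dns", fields["query"]))
    return hits


def scan(lines, iocs=IOCS):
    """Return [(timestamp, hits)] for every line with at least one hit."""
    index = build_index(iocs)
    results = []
    for line in lines:
        hits = match_line(line, index)
        if hits:
            results.append((line.split()[0], hits))
    return results


# Constructed log lines; 10.0.0.5 plays the infected host in this example.
SAMPLE_LOG = [
    "2021-11-22T19:40:01Z src=10.0.0.5 dst=136.144.41.178 dport=9295 proto=tcp",
    "2021-11-22T19:40:02Z src=10.0.0.5 dst=136.144.41.178 dport=443 proto=tcp",
    "2021-11-22T19:40:03Z src=10.0.0.5 dst=203.0.113.7 dport=80 proto=tcp url=http://aucmoney.com/upload/",
    "2021-11-22T19:40:04Z src=10.0.0.5 dst=203.0.113.8 dport=443 proto=tcp url=https://lenak513.tumblr.com/",
    "2021-11-22T19:40:05Z src=10.0.0.5 dst=198.51.100.9 dport=53 proto=udp query=thegymmum.com",
    "2021-11-22T19:40:06Z src=10.0.0.6 dst=93.184.216.34 dport=443 proto=tcp url=https://example.com/",
]

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG):
        print(ts, hits)
```

The socket-versus-ip-only split matters for indicators like those above: the listed ports are non-standard and specific to the C2 configuration, so an exact socket match is strong evidence, while the same address on another port may just be shared hosting.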
Unpacked files
SHA256: dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a  MD5: c02a029c978f13b753c6b578b1588c75  SHA1: e125d59451e7f467bfd329a00a506decbcd91d83
SHA256: bd63cda547353a5b469d23ecae78105948287812d3f290dd3ebe3ca93a883e54  MD5: d3cba1cdea5c2c94909a14238f3a2f57  SHA1: c361e0d74339bd4d9318aee02d1294dc1f6de2d0
SHA256: 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff  MD5: 0965da18bfbf19bafb1c414882e19081  SHA1: e4556bac206f74d3a3d3f637e594507c30707240
SHA256: 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98  MD5: c0d18a829910babf695b4fdaea21a047  SHA1: 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256: f48752a18c651f67ea479410fd3cee0121edb21599c5b8ab3e343006133a66d8  MD5: 949b3d77a89b8aa23ccd1713ec7df198  SHA1: 0dbdeef6195ab56c72b4d5ff4c2bab81c0ff3e91
SHA256: 353922bb4d5b795d476a428b5fbf72ce6f04fa49adc414e3a72e33dae2c41659  MD5: 6805ca9bb6d68eed10f1c2ce3e0810fc  SHA1: f961c51695336392b196bc313aad69d92f9afd8d
SHA256: 343afeb2476aa90a52aa0e460a7bbbed6494664f173d9cdbfb5ebef3c3eab876  MD5: a7118b6603f95f829a9ad165ae1b301c  SHA1: c987105234dce7396099ed340a0da6fa8dafe1ac
SHA256: 49e297f0110f1f326fd04ad175dfc5e77da497c643851c35ef06319dd171d5a9  MD5: 68715d9945df10a2a64ab711800baef8  SHA1: 77a3e8a3f8cd0e5e97cbedd3317c10e2db8cdfc6
SHA256: 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8  MD5: 83cc20c8d4dd098313434b405648ebfd  SHA1: 59b99c73776d555a985b2f2dcc38b826933766b3
SHA256: a16a4adb71108fd436bd569b692b5054e488196261638d172a17918e47265e79  MD5: 159487e51742607e91380908fdf62472  SHA1: 00f73a1b50a91af9b63a4eb4e7c6a4161d06a5c0
SHA256: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963  MD5: f707252b9c9579677fffb013e0cfc646  SHA1: 8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256: 96b5d4849737e1c46491aec4d0e2cd87b0cb47091a3681aa8bcf84d2ee65893f  MD5: 7f078546fb2292b069c077d076dfd2dc  SHA1: 8f48f93ed0cee24115093af9853dc1edd70b2799
SHA256: 162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2  MD5: 29b4081bf50deb53377f03e7033690a8  SHA1: caacd4418b1b992039d786779cd5228e83c109b1
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: RedOctoberPluginCollectInfo
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments