MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 4 YARA 11 File information Comments

SHA256 hash:	1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d
SHA3-384 hash:	af529f51635d44e36cc2a847d7635e8d6a97966cca9cc9ad2ac99cd4a4ca6130a5523cd484893469329cf9fdcba64791
SHA1 hash:	74b0011aa8b57ee2200ebd1a8bbae4f55b3ce249
MD5 hash:	4059958830cd39f423d0ff3737eb5d90
humanhash:	angel-avocado-wyoming-skylark
File name:	1C57E67BF823C9C15D3AFB19746746DF06A218FB70816.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'144'434 bytes
First seen:	2022-01-17 18:41:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	98304:Jqg/9wItubPX2F0hk/9nJldzocAmnZ26bHkeEUXHJ6jW8H:JDmfa9/dzokYWHkeB3J4Wq
Threatray	2'071 similar samples on MalwareBazaar
TLSH	T15F363358D16C017FF9B2CC7D9E58A31F2BEC801705D5A51F03BA84CBB9D262E5252B2B
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
138.201.198.8:58909

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
138.201.198.8:58909	https://threatfox.abuse.ch/ioc/297409/
176.9.244.86:48790	https://threatfox.abuse.ch/ioc/297581/
95.216.112.164:17929	https://threatfox.abuse.ch/ioc/297593/
91.243.59.110:44301	https://threatfox.abuse.ch/ioc/297594/

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1C57E67BF823C9C15D3AFB19746746DF06A218FB70816.exe

Verdict:

No threats detected

Analysis date:

2022-01-17 18:54:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/135cf4fa-53fb-48cf-b947-27920961ad6e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

OnlyLogger

Link:

https://www.capesandbox.com/analysis/219904/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Packed.Jaik-9863991-0

Win.Packed.Tiny-9901377-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Running batch commands

Launching a process

DNS request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4490/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult barys control.exe expand.exe overlay packed shell32.dll tiny

Link:

https://www.filescan.io/uploads/61e5b885d32385db63fcacf1/reports/a52a9825-cd88-470f-8c95-08d0de2e41a7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Socelars

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ff34e1cf-779a-4827-9183-df6cb2f28ea4

Result

Threat name:

RedLine Socelars Vidar onlyLogger

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/921989

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates HTML files with .exe extension (expired dropper behavior)

Disable Windows Defender real time protection (registry)

Disables Windows Defender (via service or powershell)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Obfuscated command line found

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious MSHTA Process Patterns

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes many files with high entropy

Yara detected onlyLogger

Yara detected RedLine Stealer

Yara detected Socelars

Yara detected Vidar stealer

Yara Genericmalware

Behaviour

Behavior Graph:

Download SVG

Detection:

vidar

Link:

https://mwdb.cert.pl/sample/1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d/

Threat name:

Win32.Trojan.Antiloadr

Status:

Malicious

First seen:

2021-11-05 06:43:53 UTC

File Type:

PE (Exe)

Extracted files:

334

AV detection:

31 of 43 (72.09%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=drl6m67yepe4cxj27mmxiz2g34dkegh3ocawujvrkdx3a4tgbvwq._file

Verdict:

malicious

RedLineStealer

190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5

RedLineStealer

1d7c3a08d1e69e704039850f64a88363fc6c9f3721907aa3c0d8165ae20de3a1

RedLineStealer

2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7

RedLineStealer

6e662c3d403396c5bfec2b051dd49b39662c3ff80f39c16ece3ebc2e1c469208

RedLineStealer

7b24f14ce1d2cb622d41c4f8b6fe23edb1471ede00b0b0e8c6c37d8379f5f58a

RedLineStealer

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

RedLineStealer

+ 2'061 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:redline family:smokeloader family:socelars family:vidar botnet:916 botnet:media0421 botnet:newjust aspackv2 backdoor infostealer stealer suricata trojan

Link:

https://tria.ge/reports/220117-xccjracbhl/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Kills process with taskkill

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Checks computer location settings

Loads dropped DLL

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

Malware Config

C2 Extraction:

http://www.hhgenice.top/
https://mas.to/@kirpich
135.181.129.119:4805
91.121.67.60:23325
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/

Unpacked files

SH256 hash:

d76b8e153a8ddde021f2f2a6787cb99c823bfcde5fe8dd285fccb08c64e9bd92

MD5 hash:

53e951e5e273c5ef6a86fc50a2a48409

SHA1 hash:

9e4cab13a1bba6dbbbebdd3d4d8ed8d755240831

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

012e9fa8ebaaa475cf8004463a660073e0e139a3dd5acfe138e76b03a80f68cf

MD5 hash:

a0d4817976bf8dc7ac52a3101d846fa8

SHA1 hash:

3669d388445bcbba8bc7c825c0648be089550caa

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

d963923e272840267fa277042fe5b9e7f20363b2c51ddc65b00be9b91c3004ec

MD5 hash:

b39de12261b76b1be05e0727edd328ea

SHA1 hash:

7f3938d232090de009455c8677eacb76ae1e605b

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052

MD5 hash:

6449aa2e023c5931ac91815ca54225ed

SHA1 hash:

65b5f4df2c28472469ddf924e6b0d0a61394c612

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

e8a6550370235e3b584f94f157b7129fb3bb1af896c5d388b1d7bbad94d67116

MD5 hash:

f14620e703f9b5e00c946d432de48232

SHA1 hash:

e92c4a09a1082f8b80371e8f300c900248befeb6

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

d88c95632252b60329261bd5d764c319e16ee7f58efd3890878785013e0f0e21

MD5 hash:

a45393c5f1460558ea73858ce623ecd2

SHA1 hash:

cc22776c07849ad7dc1d3f657453f2617e90b485

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

a7cd76f1ec7fedc765beabb8054c5517ef96671bd25b85ce71a999b9fa802a75

MD5 hash:

cc3f508bcad16a4b42e11684b6bd40da

SHA1 hash:

b6d444a7dfe9551d3761ca8e1d0decbfac658247

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

f22bee3756acf29c1fe0c7b3e3b578345c2ad751195d12f22039a207f7949b01

MD5 hash:

4be401fc00194dab26d987688139b84d

SHA1 hash:

b1fd19c5df16de67a2d30543c224484f21e6c0c9

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

ff434abe91e23a5ad36a9c1feb4d87db9f054e362ae5e21c6a992e5f5a518f2e

MD5 hash:

d753ad5b798676ec4bdc19da55f7333c

SHA1 hash:

a6362aaa1b54239dea65704adb1f60a98bd310e3

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

d3521f08ec12ef4264bcc4e47e7fcb4e1af96ac575ca16cfb11ec23040780310

MD5 hash:

c61253fad5b803695566bdca022a9f23

SHA1 hash:

9b8b6ff1005255d834b6f29c8ce6d907bf45d32e

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

7ac4cc59bb66c43d7680ba930bf5c2c98f7ca08c591b9bf6556699f7a4fa2260

MD5 hash:

6617d0e761abcea3a66eb53243e85f34

SHA1 hash:

7e2ef58648d5e34bae9089e073e7fc5c87846bde

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

041b0014f630910ab7f8a03c8d65f1f391f2ba791632391302b606b0467fdca9

MD5 hash:

c617db1a41bca58864a680c2da043cb5

SHA1 hash:

76c328cf5c5cc64a035453a6d50628783133413f

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

5de50a43fd6e761d6d566fea27431fd193ea4cc5e888b22134c5583ffe098417

MD5 hash:

4715fb251648844c75552c0777748ff6

SHA1 hash:

3d94cdfc483700a8d9b1bafad6886015c6745150

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

17ed22f862774d025027f099302c6d55708b05603b734d73849e21f55a02c1df

MD5 hash:

443a719929637d1adba767f4f67ff780

SHA1 hash:

04e53a05b534bf6e2a40a721b100ec9da9abdba4

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

382dc91dfdf466b6335b4c1c51ac8166cdb7b0a1b1f89c38579f04aafbf54e6c

MD5 hash:

19bfee1e23f5ce8adb83a0fee1eb6489

SHA1 hash:

c0e955dc5bd431669ffa0aa85adfd490c957138d

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

Parent samples :

d5e7de2fd5987b8356f29d011cd95ea37875a697120c59387db4d995cf5ed929
886a9bba51b1e3ef2756a680ebc43714e539994f12543e6d0e56a75a7ce81040
f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166
66bf743babad7405d2426b25bf8d1bb493f6d9048b55ede138d36a3b8a2f9c8e

SH256 hash:

83c6e5f937becb928c5a2e5bf475db8cc243d9ca4233a69dd70864f3a1faef11

MD5 hash:

12033e8b1b4b23ffb5897779f87ad37d

SHA1 hash:

dff3acd501a0fc4ab51c50e0a90e735c596fc2a0

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

88b2d8a7fbf025987947226c9d6d72c72f93bdc182d05857893027289059ef09

MD5 hash:

3addf1aab7f2237dd61b6857f2832c9c

SHA1 hash:

2e9f422f0717ca2e8fd9d0b4fff720dcd367e2c4

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

9b4acc9da206a07da1aeec2585aca144ea626770d14cd2aefc2d469a51947dae

MD5 hash:

e86c55b5f7a20a866b510d0af889aeb8

SHA1 hash:

7833efeddbc0b9a7bba1b91737769b2e141d97fa

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

9b54038a24f16af708afb815d0b2a078e55e43536f73d148974e20d3bdb00822

MD5 hash:

ebeea47e2e0fb9182739772b635e8697

SHA1 hash:

ab45d6c92d9be459aa73fd81cfaa1d7d2b50cefe

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

1b7f85cc51977238bb489fd634a8777b0386c0c2db4aadf83178dded1971aceb

MD5 hash:

b9e8bca767bc30fb4ba5467c9c6e6bbc

SHA1 hash:

c0bccf4c3b23814a5ccf26356955208d1169768b

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

0b4156c972d5778866dd17e16b4fbbc9ce3d59af431dbbea600f9ae8385f2b41

MD5 hash:

267e81fa8905a68fd13e70e79c2ca001

SHA1 hash:

fd34003b04af1b9a0810549b22d2a87f07816407

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

241d41631ad07dca1eb1498d824283aae06a026df01157e92cb673fdf427609b

MD5 hash:

c8d8b8b866e4b5ab1938bfa0920e843c

SHA1 hash:

e59fb7a1ab085e9b240a908cdf80899c273d46d2

Detections:

win_retefe_auto

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

a2f4be6a7bfbe20606e786b9e91c954342e234e7f47b2a379d527a0284b4adc8

MD5 hash:

fd0675273403060fd9fa0e3ea37b4850

SHA1 hash:

71564e208a0cf6cf1dc9d7e1cad91eeb33fa6ff9

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

SH256 hash:

1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d

MD5 hash:

4059958830cd39f423d0ff3737eb5d90

SHA1 hash:

74b0011aa8b57ee2200ebd1a8bbae4f55b3ce249

Link:

https://www.unpac.me/results/1cb08f0a-a202-4e72-9590-0d0ae35d94c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_OnlyLogger Create hunting rule
Author:	ditekSHen
Description:	Detects OnlyLogger loader variants

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/219904/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample