MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e769ecd87928bf1e50a23f6e159c7326a1c6724f66e53d0f3d920784bb15257. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 1e769ecd87928bf1e50a23f6e159c7326a1c6724f66e53d0f3d920784bb15257
SHA3-384 hash: f43739bef9b4b06152ef5f33bb6ee0eff1ba02add0268cafb75d6061e10ca37cc096a172e871af10dfce019529009bf1
SHA1 hash: fd9d88822ee9ffcf824f156134e0bca713fd8360
MD5 hash: a7555cd67f0832ecb58a30ad6c348f42
humanhash: glucose-lemon-cup-mississippi
File name: a7555cd67f0832ecb58a30ad6c348f42.exe
Signature RedLineStealer
File size: 7'206'647 bytes
First seen: 2022-02-02 04:51:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:JFfTFuxvmESdlPY9urdr2gHTC05OF55SGzVcgH:JFb4QlPYwrjc5rcK
Threatray 5'186 similar samples on MalwareBazaar
TLSH T1457633230DD38643EFD0ED3CCB57CBB4A8DA19A39A5184D8764FE6A47401BE1E588B47
File icon (PE): PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://tzgl.org/test3/get.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://tzgl.org/test3/get.php | https://threatfox.abuse.ch/ioc/374456/

Intelligence


File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a7555cd67f0832ecb58a30ad6c348f42.exe
Verdict:
No threats detected
Analysis date:
2022-02-02 04:54:36 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Creating a window
Searching for synchronization primitives
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for analyzing tools
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll tiny
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected Generic Downloader
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: [rendered process/network graph not reproduced; Behavior Graph ID: 565551, Sample: H7LG5mteEK.exe, Startdate: 03/02/2022, Architecture: WINDOWS, Score: 100]
Threat name:
ByteCode-MSIL.Trojan.Antiloadr
Status:
Suspicious
First seen:
2022-01-31 07:54:44 UTC
File Type:
PE (Exe)
Extracted files:
431
AV detection:
21 of 28 (75.00%)
Threat level:
5/5
Result
Malware family:
socelars
Score:
10/10
Tags:
family:onlylogger family:redline family:socelars botnet:media272259 botnet:newmast2 botnet:testing aspackv2 infostealer loader persistence spyware stealer upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates processes with tasklist
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://www.tpyyf.com/
92.255.57.115:11841
185.215.113.10:39759
169.197.141.182:47320
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments