MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20f43079cf75825c5e909b04f3c0b8bdb2f71be7477fb3f12e85fb58dd8b77e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20f43079cf75825c5e909b04f3c0b8bdb2f71be7477fb3f12e85fb58dd8b77e9
SHA3-384 hash: c89d35e4c9d9f1d078785ebafee2757704ba0378b10ef54317495edc1a28e1704fce88259864427b10dc9f1fa5223f2a
SHA1 hash: 7848450e3928aeb0caa86972f588c509d679ece7
MD5 hash: 9b4c66a8f89b5784c7aba7502b65338d
humanhash: wolfram-island-seventeen-saturn
File name:20F43079CF75825C5E909B04F3C0B8BDB2F71BE7477FB.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'040'723 bytes
First seen:2021-10-01 01:21:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xfCvLUBsgXM4bfehG+lUdEkVZohWdRlL5pvWWKGy+0UoK:xsLUCgzShBeEkVZ93vXNpj
Threatray 575 similar samples on MalwareBazaar
TLSH T12B1633703FE9407FEA968071B7C86BB1F2ED8389A33E0AD32785814D9F3E994516E415
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://94.158.245.135/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.135/ https://threatfox.abuse.ch/ioc/229045/

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://envima.tk
Verdict:
Malicious activity
Analysis date:
2021-08-18 11:31:25 UTC
Tags:
trojan rat redline evasion stealer vidar loader opendir
Link:
https://app.any.run/tasks/7d4cfa19-8b8f-47f6-ab46-73ff06c25ded

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193815/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Dropper.Upatre-9890301-1
Create hunting rule

Win.Malware.Jaik-9891084-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8d1fe8a-82cc-4319-a069-4284af1c1ab2
Result
Threat name:
Cryptbot RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862385
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494813 Sample: 20F43079CF75825C5E909B04F3C... Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 74 88.99.66.31 HETZNER-ASDE Germany 2->74 76 162.159.129.233 CLOUDFLARENETUS United States 2->76 78 2 other IPs or domains 2->78 98 Antivirus detection for URL or domain 2->98 100 Antivirus detection for dropped file 2->100 102 Multi AV Scanner detection for dropped file 2->102 104 14 other signatures 2->104 11 20F43079CF75825C5E909B04F3C0B8BDB2F71BE7477FB.exe 18 2->11         started        signatures3 process4 file5 52 C:\Users\user\AppData\...\setup_install.exe, PE32 11->52 dropped 54 C:\Users\user\AppData\...\Wed09f318c6e86f.exe, PE32 11->54 dropped 56 C:\Users\user\...\Wed09dcfb25ddb074001.exe, PE32 11->56 dropped 58 13 other files (5 malicious) 11->58 dropped 14 setup_install.exe 1 11->14         started        process6 dnsIp7 94 172.67.142.91 CLOUDFLARENETUS United States 14->94 96 127.0.0.1 unknown unknown 14->96 136 Adds a directory exclusion to Windows Defender 14->136 18 cmd.exe 14->18         started        20 cmd.exe 1 14->20         started        22 cmd.exe 1 14->22         started        25 6 other processes 14->25 signatures8 process9 signatures10 27 Wed09251cf13b2f.exe 18->27         started        32 Wed096491b43d1506.exe 20->32         started        106 Obfuscated command line found 22->106 108 Uses ping.exe to sleep 22->108 110 Uses ping.exe to check the status of other devices and networks 22->110 112 Adds a directory exclusion to Windows Defender 22->112 34 powershell.exe 25 22->34         started        36 Wed0939c2e0c7.exe 1 14 25->36         started        38 Wed09f318c6e86f.exe 12 25->38         started        40 Wed094651c882889f.exe 25->40         started        42 Wed095aee3c4ec7ab564.exe 2 25->42         started        process11 dnsIp12 80 37.0.10.171 WKD-ASIE Netherlands 27->80 82 37.0.10.214 WKD-ASIE Netherlands 27->82 90 10 other IPs or domains 27->90 60 C:\Users\user\AppData\Local\...\file7[1].exe, PE32 27->60 dropped 62 C:\Users\user\...\WCleanerFile721[1].exe, PE32 27->62 dropped 64 C:\Users\user\...\UnpackChrome2009[1].exe, PE32 27->64 dropped 70 31 other files (11 malicious) 27->70 dropped 114 Detected unpacking (creates a PE file in dynamic memory) 27->114 116 Tries to harvest and steal browser information (history, passwords, etc) 27->116 118 Disable Windows Defender real time protection (registry) 27->118 120 Machine Learning detection for dropped file 32->120 122 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 32->122 124 Maps a DLL or memory area into another process 32->124 130 2 other signatures 32->130 44 explorer.exe 32->44 injected 84 208.95.112.1 TUT-ASUS United States 36->84 92 4 other IPs or domains 36->92 66 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 36->66 dropped 68 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 36->68 dropped 126 Contains functionality to steal Chrome passwords or cookies 36->126 128 Drops PE files to the startup folder 36->128 86 74.114.154.22 AUTOMATTICUS Canada 38->86 88 185.215.113.15 WHOLESALECONNECTIONSNL Portugal 40->88 48 Wed095aee3c4ec7ab564.exe 1 42->48         started        file13 signatures14 process15 file16 72 C:\Users\user\AppData\Roaming\arhgsvw, PE32 44->72 dropped 132 Benign windows process drops PE files 44->132 134 Hides that the sample has been downloaded from the Internet (zone.identifier) 44->134 50 conhost.exe 48->50         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20f43079cf75825c5e909b04f3c0b8bdb2f71be7477fb3f12e85fb58dd8b77e9/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 21:57:16 UTC
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ed2da6opowbfyxuqtmcphqfyxwzpog7hi573h4joqx5vrxmlo7uq._file
Verdict:
malicious
Similar samples:
051c5d064ba3816e2eb061b2f1b96c8bf3609b038831464596c3a8436d3415eb
RedLineStealer
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
RedLineStealer
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
RedLineStealer
3d7ba99d7b360819146cd6223b2d668e8b1a661023f5b36932860bc84271eecd
RedLineStealer
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
RedLineStealer
44f3c573b5d6d77d97c2ebf5d4a235da5aed3a18eb5b76ea420d262df0f3a826
RedLineStealer
45c04168fe1e27939f2e08c178279d8c1aca5eba4ed8f6a717eb70b966cc5617
RedLineStealer
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
RedLineStealer
bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
RedLineStealer
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
RedLineStealer
+ 565 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:1028 botnet:706 botnet:pab3 aspackv2 backdoor evasion infostealer persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/211001-bq89zsaeg9/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
185.215.113.15:61506
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://mas.to/@bardak1ho
Unpacked files
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
1ab460eac81001bfa0da8cbadfd4fba0ad0f371742a2c725ff5cf71bdd8e2b9f
MD5 hash:
1dc95107f7dd6d1392bb8d9b53b76916
SHA1 hash:
b26f9c90ad4656d2ddf3e96da967e0f65a9623e1
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
d1ff2f8a510fb4d25dd861e4cd5196585ccdd66cd6e941941e13d634da825f32
MD5 hash:
e3ed5e6a62ece3cf158688bce4161fbf
SHA1 hash:
5a8c4dddf69e8650952b0d29987cc6edfe25fb0b
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
ab9bb888f6235eaee1ad52cd9b4d1f960ea09743ff80919d0095383f3683c583
MD5 hash:
eff546ee925781db419befdf93bd045d
SHA1 hash:
1129b509403fa589b50310f99f77c69ecc7f8314
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
092f7cdb24e1f159ff96f8722709f11763ed8a7b6d30030c3c8c061ff1a17076
MD5 hash:
34fdd72a0040886d7afd3e9207bf9f58
SHA1 hash:
2a833dfa6d27d18e61a45c4842132f36aef52e36
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
416e63fb614101d5644592d5f589f358f8d5a41dd6812a717cbf05470864ac6f
MD5 hash:
45a47d815f2291bc7fc0112d36aaad83
SHA1 hash:
db1dc02b2d64c4c3db89b5df3124dd87d43059d5
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
136544bc040bbb4a2915801631d2f5e47af9833a821fa647e184b79a88126767
MD5 hash:
1a7440165b4ee076ec8091c43051b55b
SHA1 hash:
c60d95eaf930dc99ef54c888f964e823cdf4cc9d
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
44d33d40c9362cd060b8696cf2848b6ec4b4d591738d12a07241820e88c1772e
MD5 hash:
ad2bdb5c9b71b3908ec920a3ebd33513
SHA1 hash:
c4e528056f461fff91c659dcc9e2c0e39468b60f
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
2eb156f07db72a1c39dd1ef8a5c99c5235d5610493ac3b2221128256975415eb
MD5 hash:
fb32ef072658ef61e66706843adef465
SHA1 hash:
c1e4b58ae3652153473c3574ba88e091ca481a44
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
34aa6dda39e88d039136ce1858050c27d1238ec2857af34c2f35e58c46b5ca21
MD5 hash:
338be8491d596350bed30360f92d351d
SHA1 hash:
2a45dd22a148b8fa2e444926d995a78e0aefe218
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
c927bd5623fad7624fa978638828d2c09130c4b3e6bd326e7fa3e90aa6c344e2
MD5 hash:
13e4d4d53bbf2c51eaf8a35e710db00f
SHA1 hash:
325512846a599b6cef4c793b07117d2fa560aabb
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
f645a2b7236df6aebb6f2c646e12444e59fef39421ea5f40286993e5d8b221e7
MD5 hash:
18be08fecfb946f4ec8989fe9a48970f
SHA1 hash:
115e94c1da1442c1b23a7a0b502de7a8a6229609
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
5ad3b3fc5c9cc647aba64ef57fa6e8913704fb116d3ba2c3b066d274e9138197
MD5 hash:
63e37d370b2b774d5884cbd989c684c1
SHA1 hash:
af63c2998ed76fd2937d727d3e5e0cb3eca7629b
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
c42565129f7d3d17f09fbc3f60a848af35f34ccdc567e2036f063a95ffd16cde
MD5 hash:
609463b0ded9846599d4c53767f48d67
SHA1 hash:
f1a9042aa3c0103be2a865a8eb30cd6835fcc8e8
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
ffb224d1ffa19c265313e84dfc06a32612cf69b273c3e57ec44a0b7930917630
MD5 hash:
0350633227c3db77b33c1b6b7466bb66
SHA1 hash:
f6e7a411cdf7d5b23ab3a677dfd567e333a328e8
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
SH256 hash:
20f43079cf75825c5e909b04f3c0b8bdb2f71be7477fb3f12e85fb58dd8b77e9
MD5 hash:
9b4c66a8f89b5784c7aba7502b65338d
SHA1 hash:
7848450e3928aeb0caa86972f588c509d679ece7
Link:
https://www.unpac.me/results/de9fe0ab-3e4c-4222-bd98-0401605c4c19/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/20f43079cf75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20f43079cf75825c5e909b04f3c0b8bdb2f71be7477fb3f12e85fb58dd8b77e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193815/

Comments