MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 256143422b1c43e82712b24f8c5f772c288df0278547798b1e5d8e534cea82db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 256143422b1c43e82712b24f8c5f772c288df0278547798b1e5d8e534cea82db
SHA3-384 hash: 90043fec0eb46a1b98add3f14d84f5bcdfd7752fd3892eb2a1248fd299023890ec619ce64ba8bec2db668182f96c5288
SHA1 hash: 3fe64531cc397e782862596c89800bec8e23895e
MD5 hash: ac87f09e88f1de27a6c2a74121495df8
humanhash: tango-equal-fanta-idaho
File name: ac87f09e88f1de27a6c2a74121495df8.exe
Download: download sample
Signature: RedLineStealer
File size: 9'260'600 bytes
First seen: 2022-04-24 17:15:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:x+MgaxeXfEW1Q2+abEUjGbR2PF+5Wgv4zfXV60yu5RpPV+oWw41I:xpDxeXfQmEUZPk5WFzfQTutPV3f
Threatray 8'146 similar samples on MalwareBazaar
TLSH T1299633A03FD1D7BBD20375F0DCD8AB61657B877024228A9323D6195F2B24ECAD26E5D0
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
91.213.50.241:25821

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
91.213.50.241:25821 | https://threatfox.abuse.ch/ioc/532818/

Intelligence


File Origin
# of uploads: 1
# of downloads: 274
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: manuscrypt overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nymaim RedLine SmokeLoader Socelars Zeal
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Zealer Stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 614576, Sample: P26IuX5m9O.exe, Startdate: 24/04/2022, Architecture: WINDOWS, Score: 100
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-04-22 07:53:33 UTC
File Type: PE (Exe)
Extracted files: 287
AV detection: 30 of 42 (71.43%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:smokeloader family:socelars botnet:same1 botnet:supertest6 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Looks for VMWare Tools registry key
VMProtect packed file
Checks for common network interception software
Looks for VirtualBox Guest Additions in registry
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/ysagdy415/
http://host-data-coin-11.com/
http://file-coin-host-12.com/
91.213.50.241:25821
116.202.106.111:9582
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb2

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments