MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
SHA3-384 hash: 24de6fc3a6154f9e2568bd6b4dbbfead9c415b46e2c63ea08cc920d8d976ed258d0c5e1b65c9ed86af07b7b63c696063
SHA1 hash: 5379737ccaf546c86fe92ee92e49afaa2eef1bee
MD5 hash: 2da8ab89fff4bfc1be98d577169e3cf8
humanhash: dakota-tennis-louisiana-vermont
File name:28043B9D96A6D54044950BCA23633AB601DCFDBE4305B.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'629'238 bytes
First seen:2021-12-31 17:15:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:xB4jtHqQeVSoBkpzqsOAyKPkC+EP0dSIyl83C3iKGBls/gevdWqi:xBDQcSoBVBAyKPN0dw3i5orhi
TLSH T1396633D83D738DBBCE6318316394A623B1DACF1D46218DE36B9486849D38677903FCA5
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
135.181.170.165:14888

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
135.181.170.165:14888 https://threatfox.abuse.ch/ioc/290189/
185.215.113.10:32605 https://threatfox.abuse.ch/ioc/290190/

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-01 14:17:51 UTC
Tags:
trojan loader rat redline evasion stealer opendir unwanted netsupport amadey vidar
Link:
https://app.any.run/tasks/9d144ff3-7f0b-47bf-bda2-fa79900a43c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216955/
Detection(s):
Win.Dropper.Pswtool-9857487-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Tiny-9901377-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3583/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mokes overlay packed virus
Link:
https://www.filescan.io/uploads/61cf3ad64ab5c44cbf590d2f/reports/ab8e9006-6d40-45cf-95ee-0d48f8d3371b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9efe8f21-62cf-4b50-9511-6705c608ebf1
Result
Threat name:
RedLine Socelars
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914344
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 546822 Sample: 28043B9D96A6D54044950BCA236... Startdate: 31/12/2021 Architecture: WINDOWS Score: 100 69 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->69 71 194.145.227.161 CLOUDPITDE Ukraine 2->71 89 Antivirus detection for URL or domain 2->89 91 Antivirus detection for dropped file 2->91 93 Multi AV Scanner detection for dropped file 2->93 95 19 other signatures 2->95 11 28043B9D96A6D54044950BCA23633AB601DCFDBE4305B.exe 21 2->11         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\setup_install.exe, PE32 11->49 dropped 51 C:\Users\user\...\Fri10fcc13ae0125c8.exe, PE32 11->51 dropped 53 C:\Users\user\...\Fri10d184202996a0d7f.exe, PE32 11->53 dropped 55 16 other files (10 malicious) 11->55 dropped 14 setup_install.exe 1 11->14         started        process6 dnsIp7 87 127.0.0.1 unknown unknown 14->87 125 Adds a directory exclusion to Windows Defender 14->125 18 cmd.exe 1 14->18         started        20 cmd.exe 14->20         started        22 cmd.exe 14->22         started        24 10 other processes 14->24 signatures8 process9 signatures10 27 Fri10584c049c7f.exe 4 89 18->27         started        32 Fri10d184202996a0d7f.exe 20->32         started        34 Fri106e757f6d75.exe 22->34         started        97 Adds a directory exclusion to Windows Defender 24->97 36 Fri1008c7d6874.exe 24->36         started        38 Fri1015b9a4e0b.exe 24->38         started        40 Fri103a7805577.exe 24->40         started        42 5 other processes 24->42 process11 dnsIp12 73 185.215.113.208 WHOLESALECONNECTIONSNL Portugal 27->73 81 22 other IPs or domains 27->81 57 C:\Users\...\yUqmu4EeR0kV3nsbB_CvJVM8.exe, PE32+ 27->57 dropped 59 C:\Users\...\yR2G7rXHy0NGa0TWJdkOm5Ug.exe, PE32 27->59 dropped 61 C:\Users\...\x9WknYhmuvnot8z69h72jEH9.exe, PE32 27->61 dropped 65 51 other files (29 malicious) 27->65 dropped 99 Antivirus detection for dropped file 27->99 101 Creates HTML files with .exe extension (expired dropper behavior) 27->101 103 Machine Learning detection for dropped file 27->103 121 2 other signatures 27->121 75 91.121.67.60 OVHFR France 32->75 105 Detected unpacking (changes PE section rights) 32->105 107 Query firmware table information (likely to detect VMs) 32->107 109 Tries to detect sandboxes and other dynamic analysis tools (window names) 32->109 123 2 other signatures 32->123 111 Sample uses process hollowing technique 34->111 113 Injects a PE file into a foreign processes 34->113 77 172.67.204.112 CLOUDFLARENETUS United States 36->77 63 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 36->63 dropped 115 Creates processes via WMI 36->115 79 65.108.20.195 ALABANZA-BALTUS United States 38->79 117 Detected unpacking (overwrites its own PE header) 38->117 83 2 other IPs or domains 40->83 85 5 other IPs or domains 42->85 119 Tries to harvest and steal browser information (history, passwords, etc) 42->119 44 mshta.exe 42->44         started        file13 signatures14 process15 process16 46 cmd.exe 44->46         started        file17 67 C:\Users\user\AppData\...\SkVPVS3t6Y8W.EXe, PE32 46->67 dropped
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 00:17:30 UTC
File Type:
PE (Exe)
Extracted files:
400
AV detection:
29 of 43 (67.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=facdxhmwu3kuarevbpfcgyz2wya5z7n6imc32ghweqqj5f2njyka._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:ani botnet:jamesfuck aspackv2 backdoor evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/211231-vs5t5ahah8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
65.108.20.195:6774
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
45.142.215.47:27643
Unpacked files
SH256 hash:
078b80b059f5db99874557c13a13f9916674fef20eaac89337cb9f14ee97405e
MD5 hash:
a8bc5553733d6e68753d63747eed87d6
SHA1 hash:
f9210ad415b8d1a0c4a88b62ff6f05d0128df05e
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
9253c070a4a5ce357909556505b49ccd25b5a21789064621393a61df2dbfc515
MD5 hash:
1b0354c000633a8862638f65a19442dc
SHA1 hash:
ea04a876808c63b899895383d5dfe9c026a36853
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
d5896f8d00c6688b5b2a6f84d8ae3f3d1e136512624cb96054ca0db51af53dff
MD5 hash:
6e1cf5a21e2cbfab1a3fad4e5ff360c2
SHA1 hash:
c37f14af2efba855033d2221bbec13d436427ccd
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
daf2e84c2147fc190c72c048f28af57b5608008a585693bce82b91b2f2377b3c
MD5 hash:
61bccc6ce0533a99d7282ea0622d12f0
SHA1 hash:
f27ef25e8832cc8b70d312c3ba5554f196b24b99
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
MD5 hash:
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1 hash:
eb9a4185ddf39c48c6731bf7fedcba4592c67994
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
41db0b16370a44a13e596f4202ebc740e6e153f11ecf94dd477432a815c0efc3
MD5 hash:
47cdd5940add94c56b408430e2813bbd
SHA1 hash:
b4a7028f5dd4cfe9dd3470cae39e96409303ea67
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
70f246fd61a27a4e2ffde2357e6c8ebe554a79811a35e7141f747090d05ff7e1
MD5 hash:
51b73b4d3041eb2d32a29dca61059549
SHA1 hash:
9845a8e5716e5e16ffc33ceccae9abf52872a2b5
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
a7015bdf76a9abc7f6ec2b14681000c144504aba1600a43e5654cc21ddd77b97
MD5 hash:
0011a5d007b378f4ed419911fabab12a
SHA1 hash:
662b0b99b66ffd8475ff3e670fc3983bb34a9576
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
c83c6bbdf2a042df0c8343aed3d04a09e2f09b7c97ca13da4e141b2ee6b73e24
MD5 hash:
bd04c2aaa95597b44e601173a12ff67a
SHA1 hash:
6482176bc16a64fe9df5f4615c30dfddc083dcfc
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
b51b892b595042f941c1ad6c2589e546292c8b916cafce4b6fb27564472e8516
MD5 hash:
420362509ca1e34de75d51f74e615d92
SHA1 hash:
37a347bb304a5617dad665629a42dbd03e87be2a
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
743aa059cff67e557a580098b5f5da536df3476236e97d432af18e7cdaf20635
MD5 hash:
e266e47a9d751cfc5543d67644c6cec1
SHA1 hash:
0bd61714283d722c75dc7b742046550857ef3846
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
e9a98ce6b186869cf1b7c72bbf92e6fc274dd7bbc9d75611e301b17a36825e55
MD5 hash:
1beb0e9ffe3f94c63c9e7efb7775ba63
SHA1 hash:
9905cb5e12cc550791b06a8a8ab9b35684805c57
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
d5b0c98f016dbd779cd88204c87cc24d36c1f96a8f5fe88760d2a5d618c51088
MD5 hash:
97422f16161fc4a414eb4be98f8a1eb1
SHA1 hash:
f3b846e6fb2773764f859d8ebc74fab377e627ed
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
8f5076eb4b805333db3fa28e0eba2bc7dd642b63734f1c9b1d3d8213f4c82549
MD5 hash:
f4e946b7f8d05bcc77cfbbabdbd5e482
SHA1 hash:
4308be2ba611207c66f9d4f71bf937e65cae6021
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
a1f1e187828ad5bf775a40cde3790fde1c5d3b7efa82614505713f910654b981
MD5 hash:
a257c9da1c231db2f467afba3047283c
SHA1 hash:
34db98049709a8123bf1e4341b553f1726c42230
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
SH256 hash:
28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
MD5 hash:
2da8ab89fff4bfc1be98d577169e3cf8
SHA1 hash:
5379737ccaf546c86fe92ee92e49afaa2eef1bee
Link:
https://www.unpac.me/results/5398d07d-5370-4713-af98-c6d931a761d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216955/

Comments