MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8
SHA3-384 hash: 34712272f490a8e2b8f92ae627a1c40452645d4ec201fc4ff4e4cb779cd89644511ff19a30b167ee9a4b496df6d646a8
SHA1 hash: 165426682d216a39f0dd9c6307567376d3747615
MD5 hash: 13592ce3f7f5f21e127824988baedd53
humanhash: ink-oven-don-golf
File name: 3153CAF54366C0DDEDDD293791B8F05EABD7343D9A73C.exe
Signature RedLineStealer
File size: 2'163'169 bytes
First seen: 2021-09-30 21:00:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:9gEwGMFSXl87fVP/BAlGA9CLtMBsWDFbYKJrALB2orMFFsRGM1juritO7:yRB7fZylp9CLCfFbY+toY3OjbO7
Threatray 185 similar samples on MalwareBazaar
TLSH T104A533BE6F8660E3DAE616751C872B36D6FD54928433028F0370B6D4AB62C27531B4E7
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags: exe RedLineStealer
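Before trusting a downloaded copy, confirm it is the file this entry describes. The checker below is an added example, not MalwareBazaar's own tooling: the expected digests and size are the values listed above, while the function names and the test input are this example's own assumptions.

```python
"""Verify a local copy of the sample against the digests MalwareBazaar lists.

Added example, not part of the MalwareBazaar page or its tooling. The expected
values are copied from this entry; the helper names and the constructed test
input are assumptions of this example.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Digests exactly as listed on the MalwareBazaar entry for this sample.
MALWAREBAZAAR_DIGESTS: Dict[str, str] = {
    "sha256": "3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8",
    "sha3_384": "34712272f490a8e2b8f92ae627a1c40452645d4ec201fc4ff4e4cb779cd89644"
                "511ff19a30b167ee9a4b496df6d646a8",
    "sha1": "165426682d216a39f0dd9c6307567376d3747615",
    "md5": "13592ce3f7f5f21e127824988baedd53",
}
EXPECTED_SIZE = 2163169  # "File size" field on the entry


def compute_digests(data: bytes, algorithms=tuple(MALWAREBAZAAR_DIGESTS)) -> Dict[str, str]:
    """Return lowercase hex digests of an in-memory blob for each algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_chunks(chunks: Iterable[bytes],
                  expected: Dict[str, str] = MALWAREBAZAAR_DIGESTS,
                  size: Optional[int] = EXPECTED_SIZE) -> Dict[str, bool]:
    """Hash a stream of byte chunks once and compare every digest with the listed one.

    Returns {"sha256": bool, "sha3_384": bool, "sha1": bool, "md5": bool, "size": bool}.
    All hashers are fed from the same pass so a large sample is read only once.
    hmac.compare_digest is used so the comparison does not short-circuit on the
    first differing character (harmless for local triage, costs nothing).
    """
    hashers = {name: hashlib.new(name) for name in expected}
    total = 0
    for chunk in chunks:
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: hmac.compare_digest(h.hexdigest(), expected[name].lower())
              for name, h in hashers.items()}
    if size is not None:
        result["size"] = total == size
    return result


def verify_file(path: str,
                expected: Dict[str, str] = MALWAREBAZAAR_DIGESTS,
                size: Optional[int] = EXPECTED_SIZE) -> Dict[str, bool]:
    """Stream a file from disk in 1 MiB chunks and verify it against the entry."""
    with open(path, "rb") as fh:
        return verify_chunks(iter(lambda: fh.read(1 << 20), b""), expected, size)
```

MalwareBazaar delivers "download sample" as a password-protected ZIP (password `infected`), so extract the inner file first and pass that path to `verify_file()`; every value in the returned dict should be True. A mismatch in even one algorithm means you are not holding the file this entry describes. On FIPS-restricted Python builds `hashlib.new("md5")` may be unavailable; drop that key from the expected dict in that case.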


abuse_ch
RedLineStealer C2:
http://94.158.245.135/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                         ThreatFox reference
http://94.158.245.135/      https://threatfox.abuse.ch/ioc/229045/
45.131.46.129:12509         https://threatfox.abuse.ch/ioc/229046/
185.215.113.107:61144       https://threatfox.abuse.ch/ioc/229047/
185.154.13.159:34854        https://threatfox.abuse.ch/ioc/229048/

Intelligence


File Origin
# of uploads: 1
# of downloads: 137
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3153CAF54366C0DDEDDD293791B8F05EABD7343D9A73C.exe
Verdict: No threats detected
Analysis date: 2021-09-30 21:02:59 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Result
Threat name: RedLine SmokeLoader Vidar
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the startup folder
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
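Several of the signatures above map directly onto Sysmon event types: registry-based Defender tampering (RegistryEvent, ID 13), PE drops into a Startup folder (FileCreate, ID 11) and thread injection into another process (CreateRemoteThread, ID 8). The hunting logic below is an added example, not code from MalwareBazaar or the sandbox vendor. The event dictionaries are constructed, the registry and Startup-folder paths are the standard Windows locations, and the "non-Windows image creating a thread in another process" heuristic is this example's own assumption.

```python
"""Flag three sandbox-reported behaviours in Sysmon-style events.

Added example, not MalwareBazaar or sandbox-vendor code. Field names follow
Sysmon's schema (EventID 13 RegistryEvent, 11 FileCreate, 8 CreateRemoteThread);
the events, process names and thresholds below are constructed for this example.
"""
import re

# Values under ...\Windows Defender\Real-Time Protection that switch a
# real-time component off when set to a non-zero DWORD. Both the policy hive
# (HKLM\SOFTWARE\Policies\Microsoft\...) and the product hive end in this path.
DEFENDER_KEY_RE = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableOnAccessProtection"
    r"|DisableIOAVProtection|DisableScanOnRealtimeEnable)$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")  # Sysmon renders DWORDs this way
# Per-user and all-users Startup folders, executable extensions only.
STARTUP_PE_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|com|pif)$", re.IGNORECASE)
SYSTEM_PREFIX = "c:\\windows\\"


def defender_rtp_disabled(ev: dict) -> bool:
    """EventID 13 setting a Real-Time Protection 'Disable*' value to non-zero."""
    if ev.get("EventID") != 13 or not DEFENDER_KEY_RE.search(ev.get("TargetObject", "")):
        return False
    m = DWORD_RE.search(ev.get("Details", ""))
    return bool(m) and int(m.group(1), 16) != 0


def startup_folder_pe_drop(ev: dict) -> bool:
    """EventID 11 creating an executable inside a Startup folder."""
    return ev.get("EventID") == 11 and bool(STARTUP_PE_RE.search(ev.get("TargetFilename", "")))


def remote_thread_injection(ev: dict) -> bool:
    """EventID 8 where a non-Windows image starts a thread in a different process.

    Heuristic (assumption): legitimate cross-process threads on a workstation
    mostly originate from binaries under C:\\Windows.
    """
    if ev.get("EventID") != 8:
        return False
    src = ev.get("SourceImage", "").lower()
    dst = ev.get("TargetImage", "").lower()
    return src != dst and not src.startswith(SYSTEM_PREFIX)


RULES = {
    "defender_rtp_disabled": defender_rtp_disabled,
    "startup_folder_pe_drop": startup_folder_pe_drop,
    "remote_thread_injection": remote_thread_injection,
}


def scan(events) -> dict:
    """Return {rule_name: [matching events]} for every rule (empty lists included)."""
    findings = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings[name].append(ev)
    return findings


# Constructed events, not real telemetry. Process names echo the sandbox report;
# paths and values are made up for the example.
EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\Sat02e61be092501d57.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",  # product resetting it to 0
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 11, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\Sat028ffbf06184.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\fastsystem.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",  # non-PE file in Startup, ignored
     "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\desktop.ini"},
    {"EventID": 8, "SourceImage": "C:\\Users\\user\\AppData\\Local\\Temp\\Sat02e287cebec2.exe",
     "TargetImage": "C:\\Windows\\explorer.exe", "StartAddress": "0x0000000002A10000"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",  # system image, ignored
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartAddress": "0x00007FF6A0001000"},
]

if __name__ == "__main__":
    for name, hits in scan(EVENTS).items():
        print(name, len(hits))
```

Feed `scan()` with events parsed from your Sysmon forwarder (each event as a flat dict of its EventData fields). The Defender rule only fires on a non-zero value, so the product's own resets to 0 do not generate noise; the injection heuristic will still flag legitimate third-party software that injects into explorer.exe, so treat it as a triage lead, not a verdict.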
Behaviour
Behavior Graph:
Behavior Graph ID: 494749. Sample: 3153CAF54366C0DDEDDD293791B... Start date: 30/09/2021. Architecture: WINDOWS. Score: 100.
Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected SmokeLoader; 8 other signatures. DNS: live.goatgame.live.

Process tree as shown in the graph (dropped files, network contacts and per-process signatures):

3153CAF54366C0DDEDDD293791B8F05EABD7343D9A73C.exe
  drops: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  setup_installer.exe
    drops: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 3 other files (none is malicious)
    setup_install.exe
      network: 127.0.0.1; watira.xyz; live.goatgame.live
      drops: C:\Users\user\...\Sat02e61be092501d57.exe (PE32); C:\Users\user\AppData\...\Sat02e287cebec2.exe (PE32); C:\Users\user\...\Sat02da4f3b1e09e1.exe (PE32); 4 other malicious files
      signatures: Performs DNS queries to domains with low reputation
      cmd.exe -> Sat02e287cebec2.exe
        signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
        injects into explorer.exe
          network: thegymmum.com; renatazarazua.com; 4 other IPs or domains
          drops: C:\Users\user\AppData\Roaming\cdsaijf (PE32)
          signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
          fastsystem.exe
            network: 172.67.176.199, 443, 49796 (CLOUDFLARENETUS, United States); staticimg.youtuuee.com; 2 other IPs or domains
            drops: C:\Users\user\AppData\...\aaa_011[1].dll (DOS)
            signatures: Tries to harvest and steal browser information (history, passwords, etc)
      cmd.exe -> Sat028ffbf06184.exe
        network: 4 other IPs or domains
        drops: C:\Users\user\AppData\...\fastsystem.exe (PE32+); C:\Users\user\AppData\...\aaa_011[1].dll (DOS)
        signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Contains functionality to steal Chrome passwords or cookies; Drops PE files to the startup folder
      cmd.exe -> Sat0265b58ab70c7af6.exe
        network: 3 other IPs or domains
        signatures: Detected unpacking (overwrites its own PE header); Performs DNS queries to domains with low reputation
      7 other processes, among them:
        Sat02e61be092501d57.exe
          network: 37.0.8.119, 49790, 49797, 49822 (WKD-ASIE, Netherlands); 37.0.10.244, 80 (WKD-ASIE, Netherlands); 6 other IPs or domains
          signatures: Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
        Sat024ed2827e5.exe
          network: 185.215.113.15, 61506 (WHOLESALECONNECTIONSNL, Portugal)
        Sat02b7d841b814b96173.exe
          network: lenak513.tumblr.com (74.114.154.22, 443, 49775; AUTOMATTICUS, Canada)
          WerFault.exe
        Sat02da4f3b1e09e1.exe
          Sat02da4f3b1e09e1.exe (child instance)
            network: live.goatgame.live; 192.168.2.1
            signatures on live.goatgame.live: May check the online IP address of the machine; Performs DNS queries to domains with low reputation
            conhost.exe
cdsaijf (second start node; same name as the file explorer.exe drops into AppData\Roaming above)
  signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2021-09-29 23:27:00 UTC
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:1028 botnet:30.09 botnet:6b473ae90575e46165b57807704d00b90b7f6fb2 botnet:706 botnet:937 botnet:test1 aspackv2 backdoor discovery evasion infostealer spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
185.215.113.15:61506
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
https://mas.to/@bardak1ho
195.133.18.5:45269
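The IOC table earlier on this page and the C2 Extraction list above carry two kinds of indicator: bare ip:port sockets and full URLs. The matcher below is an added example, not MalwareBazaar or ThreatFox code. It normalises both kinds and runs them over constructed connection-log lines; the seven-column log layout, the TEST-NET addresses and the SHARED_HOSTS set are assumptions made for the example. The one design point worth noticing is that two of the URLs sit on legitimate services (the sandbox tags the sample with "Legitimate hosting services abused for malware hosting/C2"): a host-only hit on a shared instance such as mas.to is weak evidence unless the path is visible, so the matcher reports it at low confidence.

```python
"""Match this sample's C2 indicators against connection-log records.

Added example, not part of MalwareBazaar or ThreatFox. The indicators are
copied from this page; the log format, log lines and SHARED_HOSTS are
constructed for the example.
"""
from urllib.parse import urlsplit

IOCS = [
    # ThreatFox IOC table
    "http://94.158.245.135/", "45.131.46.129:12509",
    "185.215.113.107:61144", "185.154.13.159:34854",
    # Sandbox "C2 Extraction"
    "https://lenak513.tumblr.com/", "185.215.113.15:61506",
    "http://aucmoney.com/upload/", "http://thegymmum.com/upload/",
    "http://atvcampingtrips.com/upload/", "http://kuapakualaman.com/upload/",
    "http://renatazarazua.com/upload/", "http://nasufmutlu.com/upload/",
    "http://fiskahlilian16.top/", "http://paishancho17.top/",
    "http://ydiannetter18.top/", "http://azarehanelle19.top/",
    "http://quericeriant20.top/", "https://mas.to/@bardak1ho",
    "195.133.18.5:45269",
]
# Hosts shared by many unrelated users (assumption): a host-only match is weak.
SHARED_HOSTS = {"mas.to"}


def parse_ioc(ioc: str):
    """Normalise an indicator to (kind, host, port, path); path is None for '/'."""
    if "://" in ioc:
        u = urlsplit(ioc)
        port = u.port or (443 if u.scheme == "https" else 80)
        path = u.path if u.path not in ("", "/") else None
        return ("url", u.hostname.lower(), port, path)
    host, port = ioc.rsplit(":", 1)
    return ("socket", host, int(port), None)


def _is_ip(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def parse_log_line(line: str) -> dict:
    """Constructed layout: ts, src, sport, dst, dport, host, uri (tab-separated, '-' = unknown).
    host is the HTTP Host header or TLS SNI; uri is only known for cleartext or inspected TLS."""
    ts, src, sport, dst, dport, host, uri = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "host": None if host == "-" else host.lower(),
            "uri": None if uri == "-" else uri}


def match_record(rec: dict, indicators) -> list:
    """Return [(ioc, confidence)] for one record. Sockets and IP-literal URLs
    match on dst:dport; hostname URLs match on the observed host, plus the
    path when both the indicator and the record carry one."""
    hits = []
    for ioc, (kind, host, port, path) in indicators:
        if kind == "socket" or _is_ip(host):
            if rec["dst"] == host and rec["dport"] == port:
                hits.append((ioc, "high"))
            continue
        if rec["host"] != host:
            continue
        if path is not None and rec["uri"] is not None:
            if rec["uri"].startswith(path):
                hits.append((ioc, "high"))
            continue  # host matched, path visible but different: not this C2
        hits.append((ioc, "low" if host in SHARED_HOSTS else "high"))
    return hits


def scan(lines, iocs=IOCS) -> list:
    """Run every indicator over every log line; returns one dict per hit."""
    indicators = [(ioc, parse_ioc(ioc)) for ioc in iocs]
    out = []
    for line in lines:
        rec = parse_log_line(line)
        for ioc, conf in match_record(rec, indicators):
            out.append({"ts": rec["ts"], "dst": rec["dst"], "dport": rec["dport"],
                        "ioc": ioc, "confidence": conf})
    return out


# Constructed log lines (TEST-NET addresses), not captured traffic.
LOG_LINES = [
    "1633035652\t10.0.0.5\t49790\t185.215.113.107\t61144\t-\t-",            # socket IOC
    "1633035660\t10.0.0.5\t49791\t203.0.113.20\t443\tlenak513.tumblr.com\t-",  # dedicated subdomain, SNI only
    "1633035670\t10.0.0.5\t49792\t203.0.113.7\t80\tthegymmum.com\t/upload/",  # host + path
    "1633035680\t10.0.0.5\t49793\t203.0.113.9\t443\tmas.to\t-",             # shared host, SNI only: low
    "1633035690\t10.0.0.5\t49794\t203.0.113.9\t443\tmas.to\t/@someone_else",  # other account: no hit
    "1633035700\t10.0.0.5\t49795\t94.158.245.135\t80\t-\t/",                 # IP-literal URL IOC
    "1633035710\t10.0.0.5\t49796\t185.215.113.15\t80\t-\t-",                # right IP, wrong port: no hit
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

Adapt `parse_log_line()` to your own source (Zeek conn.log plus http.log/ssl.log, or a proxy log); the matching rules do not depend on the column layout. Port-qualified socket indicators deliberately do not match other ports on the same address, which keeps the 185.215.113.x hosts from flooding results, but you may want a second, lower-confidence pass on bare addresses when hunting retrospectively.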
Unpacked files

SHA256 hash: 9c47277ff3d5698263c12303316c58733acb586d61b4d0c8d84a841907cc7a88
MD5 hash: 58091fc33eb557bf2fa526005ca8b697
SHA1 hash: aaea7b3219659a65ac118b1e9686df569a943b16

SHA256 hash: 7a78703220a6965b5d24a7609a9f4532390068c040866885da7bdf7d65346136
MD5 hash: c537a141a741e32beeefae77636ddde5
SHA1 hash: 6c292b2b1e043d9240e736bcdae96bb24bc45090

SHA256 hash: 988786a63d8dc374576558bc86b59da0f2ca2dd4dc4b4c78a9517f7677632987
MD5 hash: bb48e720f954fdd56fb3c10b136a8036
SHA1 hash: 581d37dd59dc69fac015baef30cfd6e65e2cc4d4

SHA256 hash: fb12be4968389c09b20883f639f6987abb686393eccbb208a37cbf2651a58544
MD5 hash: 01b0f376506d7291fc42d674b8065652
SHA1 hash: eb6da411cbcaeb53c2ebc804a72caa0eccb90a64

SHA256 hash: d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
MD5 hash: 94f06bfbb349287c89ccc92ac575123f
SHA1 hash: 34e36e640492423d55b80bd5ac3ddb77b6b9e87c

SHA256 hash: 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash: c0d18a829910babf695b4fdaea21a047
SHA1 hash: 236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256 hash: 8f75e1162562c4f0b0badfaab962927f8f6a9c475ad076dfd131f745ac069641
MD5 hash: 3135d2a4dd475360b0656832ff0f1a66
SHA1 hash: 1117b104e6334f5ddfd6e6c73f4d1800ceb17113

SHA256 hash: a949a824d86498f795871cbfc332df4b8c39fac1efcb01d93659c11d4bd7e829
MD5 hash: 44d20cafd985ec515a6e38100f094790
SHA1 hash: 064639527a9387c301c291d666ee738d41dd3edd

SHA256 hash: 9a773b69c54cda3d1fb6b98bf0ccaa87f26f036e0435d12c9da0d55481e34dc2
MD5 hash: cc41d785d610155255a68ecceb8fcb89
SHA1 hash: 29d063c1a8046fd55a566fe22243f80e59109a3f

SHA256 hash: d7861a4eded01e0518e53fb53eefcfc65a3b9852276ec88f9b388899db15a2b5
MD5 hash: e8c40c3e8491e2365b455ee887d0bbdd
SHA1 hash: 24e3083e67aaca5cdf9aaf470408d7bcb4c77948

SHA256 hash: a17100f5dcbb199d28c65c58c954b874c02a3fb31978f9114165ac2e7b5a9567
MD5 hash: fc4365da3fdf7d9bdfcca9be620b23d6
SHA1 hash: 0d1983dc69581b5b66d8cc3d39752c0fc50df645

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: d00e3f940094be6b83dc2e914fc191c8569468404b89c15981effc0ae5393061
MD5 hash: d0fb3368831e5fed173ed1039e9c3f72
SHA1 hash: 8382e0c45c66b9584cd02c6a0b478ec52d136536

SHA256 hash: 3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8
MD5 hash: 13592ce3f7f5f21e127824988baedd53
SHA1 hash: 165426682d216a39f0dd9c6307567376d3747615
Malware family:
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_MALWARE_Win_DLInjector03
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments