MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33cbd9e39dd39a84d0426897605b17000046e0fb14399e9d0bf47b55c0e3ad8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 11

SHA256 hash: 33cbd9e39dd39a84d0426897605b17000046e0fb14399e9d0bf47b55c0e3ad8b
SHA3-384 hash: c63cb37fbe01ae5ab0fa0a2ef8ef4e264ff22247773cf99b44ba7f5da2250c19ccb3380c5b64123f97a3306aa085249d
SHA1 hash: 23a8f42cb0de7b2dab66ec53ba2d755b5a4d896a
MD5 hash: 71bc63e722d597e42e4ac2bd95a72ece
humanhash: montana-failed-kitten-steak
File name: 33CBD9E39DD39A84D0426897605B17000046E0FB14399.exe
Signature: RedLineStealer
File size: 4'210'468 bytes
First seen: 2021-11-12 16:36:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:y+NiZfi9joazsTB9MZJ4YWoDAVJ/DQrUw:yX+ov19Mz4YWwAVRDQUw
Threatray: 861 similar samples on MalwareBazaar
TLSH: T19D16333F352E9257D2D126F429A08ACBB5852E070571D04F6791A72C9877A308EB3EDF
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://g-localdevice.biz/check.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                  ThreatFox Reference
http://g-localdevice.biz/check.php   https://threatfox.abuse.ch/ioc/247491/

Intelligence


File Origin
# of uploads: 1
# of downloads: 156
Origin country: n/a
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Backstage Stealer RedLine Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 520722; Sample: 33CBD9E39DD39A84D0426897605...; Startdate: 12/11/2021; Architecture: WINDOWS; Score: 100
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-09-01 02:21:21 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:gozi_ifsb family:smokeloader family:vidar botnet:706 botnet:937 aspackv2 backdoor banker evasion spyware stealer trojan vmprotect
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
Vidar Stealer
Gozi, Gozi IFSB
Modifies Windows Defender Real-time Protection settings
SmokeLoader
Vidar
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments