MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36ece34f2cfe7d906a9b1f6cf1900abc9f1a10b0b5d22ad1c3c232d5d03d540d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: 36ece34f2cfe7d906a9b1f6cf1900abc9f1a10b0b5d22ad1c3c232d5d03d540d
SHA3-384 hash: 39c79db5e13fa78822071bda23ed81772221d3e2dfa32161cb6895e32040efbb778ef6c2401d397d90f2f3f8371087b9
SHA1 hash: c2edefb9f8948828a11e0b1870aaf1648652f6ed
MD5 hash: b407b1ff9e762d197a9912fe8b732ca9
humanhash: floor-golf-river-gee
File name: b407b1ff9e762d197a9912fe8b732ca9.exe
Signature: RedLineStealer
File size: 7'647'890 bytes
First seen: 2022-03-15 17:46:36 UTC
Last seen: 2022-04-20 10:21:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:Ji7kC1poDKxgtoOcQnGBaQKyzygo5jQ9+5Z9HxAALI4lqr+FEYZ:JiAC1poOxgmOB2a7FjM+b9tLnqr+FLZ
Threatray: 6'972 similar samples on MalwareBazaar
TLSH: T18E763373897E6C32C2E64474EA355D2487C5D57AE334B352B0428889EED2E8DF63F249
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
193.150.103.37:21330

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox reference
193.150.103.37:21330   https://threatfox.abuse.ch/ioc/395512/

Intelligence


File Origin
# of uploads: 4
# of downloads: 246
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b407b1ff9e762d197a9912fe8b732ca9.exe
Verdict: No threats detected
Analysis date: 2022-03-16 02:19:34 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 589797, Sample: buNv7CAzE2.exe, Startdate: 15/03/2022, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-03-02 02:56:24 UTC
AV detection: 21 of 27 (77.78%)
Threat level: 5/5

Result
Malware family: socelars
Score: 10/10
Tags: family:socelars aspackv2 stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Socelars
Socelars Payload
Malware Config
C2 Extraction: https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
