MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d956bd7b7e1c1e253b997de0d325abeba7be7d75626d751fad5a28ec3c464a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 13

SHA256 hash: 3d956bd7b7e1c1e253b997de0d325abeba7be7d75626d751fad5a28ec3c464a5
SHA3-384 hash: 5679fc5c7d21a8746a3c671cf7d0e017bd3a54a50f16a9db4f4722e42e9d730bd0f02bbecb22927bf3693a6d1f55f596
SHA1 hash: c2d23d94760223306cd040c0a0ec0440e0fe839f
MD5 hash: 7744729a25a46ba8f1c3b1ce451dce0e
humanhash: idaho-leopard-april-sierra
File name: 7744729A25A46BA8F1C3B1CE451DCE0E.exe
Signature: RedLineStealer
File size: 4'431'915 bytes
First seen: 2021-10-05 23:17:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xhCvLUBsgogsBJy7c7gA9E9hXFkPIBKSOQmzhDzq4cEH:xqLUCgdGfgAaxNBVOQmzZF
Threatray: 593 similar samples on MalwareBazaar
TLSH: T1652633507EE1C4FBD903023487986B2530ED8BA9953106C773A0E72DAF2E9E6D11FE59
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


Comment by abuse_ch:
RedLineStealer C2:
45.14.49.184:18458

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox reference
45.14.49.184:18458       https://threatfox.abuse.ch/ioc/230690/
91.206.15.183:9825       https://threatfox.abuse.ch/ioc/230691/
84.38.189.175:39222      https://threatfox.abuse.ch/ioc/230698/
37.1.219.52:42987        https://threatfox.abuse.ch/ioc/230699/
185.92.73.160:6070       https://threatfox.abuse.ch/ioc/230881/
185.215.113.216:4525     https://threatfox.abuse.ch/ioc/230882/
193.188.20.94:25588      https://threatfox.abuse.ch/ioc/230883/
45.156.27.227:48558      https://threatfox.abuse.ch/ioc/230884/
135.181.79.37:42709      https://threatfox.abuse.ch/ioc/230885/

Intelligence


File Origin
# of uploads: 1
# of downloads: 390
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a file in the %temp% subdirectories
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed stop

Result
Threat name: RedLine SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
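The Sigma hits in the list above name the behaviours worth alerting on in endpoint telemetry for this dropper chain. The following Python is an added example, not MalwareBazaar's code and not the upstream Sigma rules: it re-states those rule titles (plus the registry write that disables Defender real-time protection) as simplified predicates over events carrying Sysmon Event ID 1 field names (ParentImage, Image, CommandLine), and runs them over a constructed batch that includes a benign services.exe-spawned svchost.exe so the parent allow-list is exercised. The allow-list and extension list are my assumptions, narrower than the real rules.

```python
"""Evaluate process-creation events for the behaviours the sandbox reports
above: PowerShell Defender exclusion, mshta spawning a shell, script
execution from a Temp folder, an out-of-place svchost, and the registry
write that disables Defender real-time protection.

Added example for this entry; the predicates are simplified re-statements
of what those Sigma rule titles describe, not the upstream Sigma rules, and
the events are constructed with Sysmon Event ID 1 field names
(ParentImage, Image, CommandLine). Not MalwareBazaar code.
"""
import re

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path: 'C:\\W\\cmd.exe' -> 'cmd.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = SHELLS | {"mshta.exe"}
# A script file (by extension) under a user or system Temp directory (assumed list).
TEMP_SCRIPT = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\s\"']*?\.(?:vbs|vbe|js|jse|ps1|bat|cmd|hta)\b",
    re.IGNORECASE,
)
# Parents that legitimately start svchost.exe (simplified, assumed allow-list).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "svchost.exe"}

def powershell_defender_exclusion(ev) -> bool:
    cl = ev["CommandLine"]
    return (_base(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and re.search(r"add-mppreference", cl, re.I) is not None
            and re.search(r"-exclusion(?:path|process|extension)", cl, re.I) is not None)

def defender_realtime_disabled_registry(ev) -> bool:
    cl = ev["CommandLine"]
    return (_base(ev["Image"]) == "reg.exe"
            and "disablerealtimemonitoring" in cl.lower()
            and re.search(r"/d\s+1\b", cl) is not None)

def mshta_spawning_shell(ev) -> bool:
    return _base(ev["ParentImage"]) == "mshta.exe" and _base(ev["Image"]) in SHELLS

def script_execution_from_temp(ev) -> bool:
    return _base(ev["Image"]) in SCRIPT_HOSTS and TEMP_SCRIPT.search(ev["CommandLine"]) is not None

def suspicious_svchost(ev) -> bool:
    return _base(ev["Image"]) == "svchost.exe" and _base(ev["ParentImage"]) not in SVCHOST_PARENTS

RULES = [
    ("powershell_defender_exclusion", powershell_defender_exclusion),
    ("defender_realtime_disabled_registry", defender_realtime_disabled_registry),
    ("mshta_spawning_shell", mshta_spawning_shell),
    ("script_execution_from_temp", script_execution_from_temp),
    ("suspicious_svchost", suspicious_svchost),
]

def evaluate(ev):
    """Names of every rule the event satisfies (one event can trip several)."""
    return [name for name, rule in RULES if rule(ev)]

def scan_events(events):
    """[(event_index, rule_name), ...] over a list of events."""
    return [(i, name) for i, ev in enumerate(events) for name in evaluate(ev)]

# Constructed events (not taken from the sandbox run above).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\user\AppData\Local\Temp\setup_install.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs -p"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\user\AppData\Local\Temp\update.vbs"},
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each predicate normalises on the image file name rather than the full path, so the same rule works whether telemetry reports `C:\Windows\System32\cmd.exe` or a SysWOW64 copy; the Temp-folder regex deliberately ignores `.exe` payloads (those are covered by the dropper signatures) and only fires on script files.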
Behaviour
Behavior Graph:
Behavior Graph ID: 497572
Sample: vIplIq46Cl.exe
Start date: 06/10/2021
Architecture: WINDOWS
Score: 100

Top-level network: 162.0.210.44 (ACPCA, Canada), 162.0.214.42 (ACPCA, Canada)
Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 16 other signatures

Process tree (dropped files, network and signatures per process):
vIplIq46Cl.exe
  drops: C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\...\Sat19fddced3f1f54.exe (PE32), C:\Users\user\AppData\...\Sat19e6979ed7.exe (PE32), 15 other files (10 malicious)
  setup_install.exe
    network: 104.21.87.76 (CLOUDFLARENETUS, United States), 127.0.0.1
    signatures: Adds a directory exclusion to Windows Defender
    starts: cmd.exe (x3), 11 other processes
    cmd.exe -> Sat197da6749b4d5.exe
      network: 37.0.8.119 (WKD-ASIE, Netherlands), 103.155.93.196 (TWIDC-AS-APTWIDCLimitedHK, country unknown), 9 other IPs or domains
      drops: C:\Users\...\z_KsAgp_KD6Y4DNI9uTxAZA1.exe (PE32), C:\Users\...\wbDBoq9ApQpqqwQ9IxSluCWs.exe (PE32), C:\Users\...\un2ELVkblwF9kdCCI6uP7e_g.exe (PE32), 15 other malicious files
      signatures: Antivirus detection for dropped file; Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
    cmd.exe -> Sat19470bfe8d2ee60.exe
      signatures: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
    cmd.exe -> Sat19570a6d12bbbe.exe
      signatures: Injects a PE file into a foreign processes
    11 other processes
      signatures: Adds a directory exclusion to Windows Defender
      Sat19e6979ed7.exe
        drops: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
      Sat1932c8597c4.exe
        network: 172.67.214.80 (CLOUDFLARENETUS, United States)
        drops: C:\Users\user\AppData\Roaming\2646724.scr (PE32), C:\Users\user\AppData\Roaming\1479861.scr (PE32)
        signatures: Drops PE files with a suspicious file extension
      Sat192e7661edcf3.exe
        network: 2 other IPs or domains
      7 other processes
        network: 208.95.112.1 (TUT-ASUS, United States), 4 other IPs or domains
        drops: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32), C:\Users\...\Sat19fddced3f1f54.tmp (PE32)
        signatures: Tries to harvest and steal browser information (history, passwords, etc); Creates processes via WMI
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-10-03 11:18:08 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5

Result
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:ani botnet:jamesoldd aspackv2 backdoor discovery evasion infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
65.108.20.195:6774
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
45.142.215.47:27643
https://mas.to/@bardak1ho
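The ThreatFox IOC table and the C2 Extraction list above together give 11 ip:port sockets and 6 URLs for this sample's chain. The following Python is an added example, not MalwareBazaar or ThreatFox code: it loads those indicators, distinguishes an exact ip:port hit from the same IP seen on another port (RedLine C2 ports are specific, so the weaker match deserves a lower-confidence label), matches proxy URLs exactly or by attacker-controlled host, and refuses to match the shared host mas.to (a public Mastodon instance) on anything but the listed profile URL. The space-separated conn and proxy log formats are assumed for the demo, and the log lines are constructed, not real telemetry.

```python
"""Match network telemetry against the C2 indicators this page lists.

Added example for this entry; it is not MalwareBazaar/ThreatFox code and not
part of the sample. The ip:port and URL indicators are copied from the IOC
table and the "C2 Extraction" list above; the log lines and their field
layout are constructed for the demo and are not real telemetry.
"""
import ipaddress
from urllib.parse import urlsplit

# ip:port C2 sockets (ThreatFox IOC table + sandbox C2 extraction).
C2_SOCKET_STRINGS = [
    "45.14.49.184:18458", "91.206.15.183:9825", "84.38.189.175:39222",
    "37.1.219.52:42987", "185.92.73.160:6070", "185.215.113.216:4525",
    "193.188.20.94:25588", "45.156.27.227:48558", "135.181.79.37:42709",
    "65.108.20.195:6774", "45.142.215.47:27643",
]
# HTTP(S) C2 endpoints from the sandbox C2 extraction.
C2_URLS = {
    "http://gmpeople.com/upload/", "http://mile48.com/upload/",
    "http://lecanardstsornin.com/upload/", "http://m3600.com/upload/",
    "http://camasirx.com/upload/", "https://mas.to/@bardak1ho",
}
# mas.to is a public Mastodon instance: only the exact profile URL is an
# indicator, so its host must never be matched or blocked on its own.
SHARED_PUBLIC_HOSTS = {"mas.to"}

def parse_socket(text: str):
    """'ip:port' -> (ip_address, int); raises ValueError on malformed input."""
    host, sep, port = text.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {text!r}")
    return ipaddress.ip_address(host), int(port)

C2_SOCKETS = {parse_socket(s) for s in C2_SOCKET_STRINGS}
C2_IPS = {ip for ip, _ in C2_SOCKETS}
C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}

def classify_socket(dst_ip: str, dst_port: str):
    """'socket' for an exact ip:port hit, 'ip' for a listed IP on another port, else None."""
    try:
        ip, port = ipaddress.ip_address(dst_ip), int(dst_port)
    except ValueError:
        return None
    if (ip, port) in C2_SOCKETS:
        return "socket"
    if ip in C2_IPS:
        return "ip"
    return None

def classify_url(url: str):
    """'url' for an exact URL hit, 'host' for an attacker-controlled host on another path, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if f"{parts.scheme.lower()}://{host}{parts.path}" in C2_URLS:
        return "url"
    if host in C2_HOSTS and host not in SHARED_PUBLIC_HOSTS:
        return "host"
    return None

def scan_conn_log(lines):
    """Lines: 'ts src_ip src_port dst_ip dst_port proto' (assumed layout)."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 6:
            continue  # malformed line: skip it rather than abort the sweep
        kind = classify_socket(f[3], f[4])
        if kind:
            hits.append({"ts": f[0], "src": f[1], "dst": f"{f[3]}:{f[4]}", "match": kind})
    return hits

def scan_proxy_log(lines):
    """Lines: 'ts client_ip method url' (assumed layout)."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 4:
            continue
        kind = classify_url(f[3])
        if kind:
            hits.append({"ts": f[0], "src": f[1], "url": f[3], "match": kind})
    return hits

# Constructed sample telemetry (not real logs).
SAMPLE_CONN_LOG = [
    "2021-10-06T00:01:02Z 10.0.0.5 49812 45.14.49.184 18458 tcp",
    "2021-10-06T00:01:03Z 10.0.0.5 49813 8.8.8.8 53 udp",
    "2021-10-06T00:01:04Z 10.0.0.7 50001 45.14.49.184 443 tcp",
    "garbage line",
]
SAMPLE_PROXY_LOG = [
    "2021-10-06T00:02:00Z 10.0.0.5 GET http://gmpeople.com/upload/",
    "2021-10-06T00:02:01Z 10.0.0.5 GET https://mas.to/@someone_else",
    "2021-10-06T00:02:02Z 10.0.0.9 GET https://mas.to/@bardak1ho",
    "2021-10-06T00:02:03Z 10.0.0.9 GET http://mile48.com/index.html",
]

if __name__ == "__main__":
    for hit in scan_conn_log(SAMPLE_CONN_LOG) + scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The indicators are parsed once into `ipaddress` objects so a malformed entry fails at load time rather than silently never matching, and the shared-host rule is the part to keep when adapting this to a blocklist: the five `/upload/` domains can be sinkholed wholesale, the Mastodon profile cannot.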
Unpacked files
SHA256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
SHA256 hash:
7cfd084d32117fe237c4de00f149f66453f68184c22ad2a011b24e92a29bcf6f
MD5 hash:
d87c40cd90c98682b8098d2c3dfc2b4d
SHA1 hash:
84a0a5be5a028497c3358a67d049b0610214a835
SHA256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
SHA256 hash:
bc945e03237641e79cb1a9b5399fffafce68daa318430e959b701aa3f4628c05
MD5 hash:
5275ae278e347d83fb061a92e979fe86
SHA1 hash:
6c1118b87f366df72a25f1988f740ea6753984cd
SHA256 hash:
cc40fc4502d705d9698fd9d9493efdd39f6fcd0f0e03678eef29773b80e51ff9
MD5 hash:
bf8b0c8e992a344ce312c8a939fa1c9e
SHA1 hash:
3e207a18a539ab6ec17737e6fe79562f59502718
SHA256 hash:
2cf67278ce63932f7efabdee1be667555c408718fca6622de2456b8e59db69cf
MD5 hash:
7b9e5d37881a3e58e26e22c79de09d47
SHA1 hash:
0cf699c041c6f7ad485b77f25403776aab99c057
SHA256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
SHA256 hash:
d8f6507f66a5b32267c42f01fcf0329934013539e02168fc684c042eb2d10a9f
MD5 hash:
3febc1d0fa8aad4389308cda87187f2f
SHA1 hash:
daacc83e7d940d9837595e75b1f238c24f5aeb20
SHA256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
SHA256 hash:
c7586fcc3ca8c51c073528045d1fb409cd30dccd9800ab5737b865f20f8a340f
MD5 hash:
aaec659640dafd04c9c84d0782448a87
SHA1 hash:
a234a2f7bedf9eafa1509ab91b32c3eda5bfab25
SHA256 hash:
82413b8562c94630eab95ca2f30c38d78af6ca7e06b5cd634910655818602d48
MD5 hash:
3758e54d4338553c4bc4a937fca1b73f
SHA1 hash:
8d713b4ed648e619ddd4ab19fcf9d723269a06aa
SHA256 hash:
3857ea713ceb9cd356619f1c21cf532768fd53cb1cb1921ff3cd10e8c42fb02f
MD5 hash:
bd77e922d005dc394a0999f5704c9171
SHA1 hash:
7f126c3ada9d278c1780d694072749b7edf0fffc
SHA256 hash:
e1f83cd727f92af27da611c4c17cd9100a7d0ce13a48eca945e18f09e2182f82
MD5 hash:
ad203f3463d90387bc0ca93751b2c55b
SHA1 hash:
435342d5afdc34c215a4d3103e544cb07ebe0efb
SHA256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
32726c33f1645e83ccf68f9e3ddeeb8a82f999c166b841ed0380b346427d5cc1
MD5 hash:
4475e4ac595b6b0858efc2c3ec93e07a
SHA1 hash:
f080448f9bdfde1f391595e6f2931b9375bea24f
SHA256 hash:
fe803f445cee0733f46db68bee5e670546001f192a964c23505fa89b21c3b973
MD5 hash:
969766c4c357cefc13027a705d89cb61
SHA1 hash:
ecb832a835cb4994cb4fe3c38558ef283ffaf8fc
SHA256 hash:
8da92e97a21ee6e76c0bc7f7bc2f1949886c4d53df2a96e99b67483b38a47c85
MD5 hash:
dbf931e619964f30cbafca3309b66e59
SHA1 hash:
e1fb1d8134741ebea741931764d0394193d54bf0
SHA256 hash:
15b0b8140935966aa3eaa376408c1ec4ad01958dae679d8632519e2d733d4c00
MD5 hash:
47944aa4102ae5f4bd76bd14faab5cb8
SHA1 hash:
32e3372e8511429e5958fa40a4648a290aadd0e6
SHA256 hash:
3d956bd7b7e1c1e253b997de0d325abeba7be7d75626d751fad5a28ec3c464a5
MD5 hash:
7744729a25a46ba8f1c3b1ce451dce0e
SHA1 hash:
c2d23d94760223306cd040c0a0ec0440e0fe839f
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
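The two SUSP_XORed_Mozilla rules above look for the user-agent prefix "Mozilla/5.0" hidden behind a single-byte XOR, the cheapest way for a packed stealer to keep its HTTP strings out of a plain string scan. As an added example that is not the rules' own code, the following Python reproduces what YARA's `xor` string modifier does (try every single-byte key against the keyword at every offset), deriving the key from the first byte so each offset costs one comparison, and skipping the clear-text copy because a plain string match already covers that case. The buffer is constructed for the demo.

```python
"""Find single-byte-XOR-obfuscated copies of "Mozilla/5.0" in a buffer.

Added example for the SUSP_XORed_Mozilla rules listed above; it is not the
rules' own code. It reproduces in Python what a YARA string with the `xor`
modifier does: match the keyword under every single-byte key at every
offset. The sample buffer below is constructed for the demo.
"""
KEYWORD = b"Mozilla/5.0"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a one-byte key."""
    return bytes(b ^ key for b in data)

def find_xored(buf: bytes, keyword: bytes = KEYWORD, skip_plain: bool = True):
    """Return [(offset, key)] for each place where buf[offset:offset+len(keyword)]
    equals keyword XOR key. The key is implied by the first byte, so each offset
    needs one comparison instead of 256. With skip_plain, key 0 (the keyword in
    clear) is ignored, since only the obfuscated form is suspicious."""
    hits = []
    n = len(keyword)
    for off in range(len(buf) - n + 1):
        key = buf[off] ^ keyword[0]
        if skip_plain and key == 0:
            continue
        if all(buf[off + i] ^ key == keyword[i] for i in range(1, n)):
            hits.append((off, key))
    return hits

def decode_hit(buf: bytes, off: int, key: int, length: int = len(KEYWORD)) -> bytes:
    """Recover the clear-text string at a reported hit."""
    return xor_bytes(buf[off:off + length], key)

# Constructed buffer: padding, the keyword XORed with 0x5A, a separator,
# the keyword in clear, more padding.
SAMPLE = b"\x00" * 16 + xor_bytes(KEYWORD, 0x5A) + b"--" + KEYWORD + b"\xff" * 8

if __name__ == "__main__":
    for off, key in find_xored(SAMPLE):
        print(f"offset {off}: key 0x{key:02x} -> {decode_hit(SAMPLE, off, key)!r}")
```

Deriving the key from the first byte is what makes this linear in the buffer size; the same idea extends to multi-byte keys by deriving one key byte per position of the keyword, at the cost of a longer keyword being needed to keep false positives down.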

File information


The table below shows additional information about this malware sample such as delivery method and external references.
