MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3df5ec1135412e64d5b3641c36fb2b34c741ee6286ba9786001a006deb889c85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 3df5ec1135412e64d5b3641c36fb2b34c741ee6286ba9786001a006deb889c85
SHA3-384 hash: 95ad164b554d236ac6d51235048324ba1acbd56a86171cf02ae568f659a0a7682cbe5241791a548da50054c869f6ec3b
SHA1 hash: ed9ed7652161fbe162f0e1fbc45e1a359a2bdd3e
MD5 hash: a116bf2df52636e2244047549a3ba0bf
humanhash: asparagus-social-coffee-august
File name: a116bf2df52636e2244047549a3ba0bf.exe
Download: download sample
Signature: RedLineStealer
File size: 7'684'244 bytes
First seen: 2022-02-06 08:30:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JAzBsMlAlxGro5xPR19vLqQnsvzXdWNzz:JAlDQxq8H9vL2zdgv
Threatray: 5'318 similar samples on MalwareBazaar
TLSH: T1E1763363AB019352E7415C3906896D60863F63A37E58C7713AAD1B38D07BBA72FD1BD0
File icon (PE): PE icon
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
116.203.252.195:22021

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 116.203.252.195:22021
ThreatFox Reference: https://threatfox.abuse.ch/ioc/377489/

Intelligence


File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a116bf2df52636e2244047549a3ba0bf.exe
Verdict:
No threats detected
Analysis date:
2022-02-06 09:59:34 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Launching a process
DNS request
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing a special instruction which causes a usermode exception
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 567174, Sample: LZetStOCHC.exe, Startdate: 06/02/2022, Architecture: WINDOWS, Score: 100]
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2022-02-02 10:57:04 UTC
File Type:
PE (Exe)
Extracted files:
398
AV detection:
32 of 43 (74.42%)
Threat level:
5/5
Result
Malware family:
socelars
Score:
10/10
Tags:
family:onlylogger family:redline family:socelars botnet:v1user1 aspackv2 infostealer loader persistence stealer suricata
Behaviour
Checks processor information in registry
Enumerates processes with tasklist
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
OnlyLogger Payload
OnlyLogger
RedLine
RedLine Payload
Socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
Malware Config
C2 Extraction:
http://www.tpyyf.com/
116.203.252.195:22021
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments