MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3eaed1d4442ddd5cb4691a9cfd5aef6f374be2a3489b934d9043bb6e980a4841. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 5 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3eaed1d4442ddd5cb4691a9cfd5aef6f374be2a3489b934d9043bb6e980a4841
SHA3-384 hash: a34e19ef0289302f531a541db0f069a06f8e79e7c716ea1ef099e1f461b80de4561538b00627534c20bcf96952e7b675
SHA1 hash: 79963cd76d972288c6647f6fef75fa325253cc7f
MD5 hash: a871d6371c9371bfd2b7bd0b3176db98
humanhash: louisiana-london-december-nitrogen
File name:a871d6371c9371bfd2b7bd0b3176db98.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'468'928 bytes
First seen:2021-10-01 15:56:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:y5/hUd8otDwUKA7LWICFajM1N4VBxTn6PoCXssCsmVmCcidis9k0k+cG:y5C8IwUbLwbWVjn6PoCjm4Cci40ktG
Threatray 582 similar samples on MalwareBazaar
TLSH T1F446338AD3654F7BCCC4193B5895393C3AF8C1341D99B1592FEE9EC87AF1AA4823502D
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.154.13.159:34854

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.154.13.159:34854 https://threatfox.abuse.ch/ioc/229048/
91.193.182.114:1203 https://threatfox.abuse.ch/ioc/229079/
65.108.5.215:54452 https://threatfox.abuse.ch/ioc/229421/
91.121.67.60:62102 https://threatfox.abuse.ch/ioc/229498/
135.125.40.64:15456 https://threatfox.abuse.ch/ioc/229499/

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a871d6371c9371bfd2b7bd0b3176db98.exe
Verdict:
No threats detected
Analysis date:
2021-10-01 16:04:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/651a009e-1d09-4027-aec0-44e277e312bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194026/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e73ebb2-e5aa-4a9d-b397-e678cb39e971
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862809
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to steal Chrome passwords or cookies
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 495237 Sample: sK3rCvH0RZ.exe Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 76 162.248.225.210 HOSTING-SOLUTIONSUS United States 2->76 78 88.99.66.31 HETZNER-ASDE Germany 2->78 80 4 other IPs or domains 2->80 112 Antivirus detection for URL or domain 2->112 114 Antivirus detection for dropped file 2->114 116 Multi AV Scanner detection for dropped file 2->116 118 20 other signatures 2->118 10 sK3rCvH0RZ.exe 10 2->10         started        13 svchost.exe 1 2->13         started        signatures3 process4 file5 66 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->66 dropped 15 setup_installer.exe 22 10->15         started        process6 file7 68 C:\Users\user\AppData\...\setup_install.exe, PE32 15->68 dropped 70 C:\Users\user\AppData\...\Tue07e66521b2.exe, PE32 15->70 dropped 72 C:\Users\user\...\Tue07e0be79e938b.exe, PE32 15->72 dropped 74 17 other files (7 malicious) 15->74 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 82 104.21.87.76 CLOUDFLARENETUS United States 18->82 84 127.0.0.1 unknown unknown 18->84 120 Adds a directory exclusion to Windows Defender 18->120 22 cmd.exe 18->22         started        24 cmd.exe 18->24         started        26 cmd.exe 1 18->26         started        28 6 other processes 18->28 signatures10 process11 signatures12 31 Tue0745d02eb81524fee.exe 22->31         started        36 Tue07ab4f9b8f45d.exe 24->36         started        38 Tue0725d735095.exe 30 26->38         started        122 Adds a directory exclusion to Windows Defender 28->122 40 Tue07e0be79e938b.exe 28->40         started        42 Tue07e66521b2.exe 14 5 28->42         started        44 powershell.exe 25 28->44         started        46 Tue07bb556f4cd.exe 28->46         started        process13 dnsIp14 86 37.0.10.244 WKD-ASIE Netherlands 31->86 88 37.0.8.119 WKD-ASIE Netherlands 31->88 92 9 other IPs or domains 31->92 48 C:\Users\user\AppData\Local\...\file6[1].exe, PE32 31->48 dropped 50 C:\Users\user\AppData\Local\...\file5[1].exe, PE32 31->50 dropped 52 C:\Users\user\AppData\...\askinstall59[1].exe, PE32 31->52 dropped 62 29 other files (6 malicious) 31->62 dropped 100 Antivirus detection for dropped file 31->100 102 Tries to harvest and steal browser information (history, passwords, etc) 31->102 104 Disable Windows Defender real time protection (registry) 31->104 94 2 other IPs or domains 36->94 106 Contains functionality to steal Chrome passwords or cookies 36->106 96 2 other IPs or domains 38->96 54 C:\Users\user\AppData\...\freebl3[1].dll, PE32 38->54 dropped 64 9 other files (none is malicious) 38->64 dropped 108 Machine Learning detection for dropped file 38->108 90 172.67.204.112 CLOUDFLARENETUS United States 40->90 56 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 40->56 dropped 110 Creates processes via WMI 40->110 98 3 other IPs or domains 42->98 58 C:\Users\user\...\Tue07e66521b2.exe.log, ASCII 42->58 dropped 60 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 42->60 dropped file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3eaed1d4442ddd5cb4691a9cfd5aef6f374be2a3489b934d9043bb6e980a4841/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 03:25:00 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2xndvcefxovzndjdkop2wxpn43uxyvdjcnzgtmqio5w5gakjbaq._file
Verdict:
malicious
Similar samples:
08dcc0cd8aa90a04708aab25c7de5b66d62b4218ef0c5d2654a24b3cef83e534
RedLineStealer
2cbf19a8dbaba0978d5a52447c9cac23918c4394e751e0cde159d6e8b65c408f
RedLineStealer
5967f1aef118ddfcd1d14d5cf3f29a62a845052c9ed9ce91587c0015b1047c58
RedLineStealer
80594c4ce01c53c6bcc472e88329cc23f51b0d3276c8f5b3a686033f8d2d452e
RedLineStealer
941478d129063e71885f97791339a49c58c72991ccc8309734f12ef60aee5530
RedLineStealer
b45aeaafb0e1a0ded6645279d0f828e57550a0b5902373d9e30667d0c3cbdae0
RedLineStealer
c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19
RedLineStealer
f38f738f52674e3f4689cdb299e82d40a6446ccec24abd4cac244fe64cdc07ed
RedLineStealer
f5f477d945634e37e1abca7c1390e03a7535005c9ff071a191f4d24274bdf075
RedLineStealer
f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7
RedLineStealer
+ 572 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:933 botnet:jamesoldd botnet:media26 aspackv2 backdoor infostealer stealer trojan
Link:
https://tria.ge/reports/211001-tdxpjacah3/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
65.108.20.195:6774
91.121.67.60:62102
https://mas.to/@bardak1ho
http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
Unpacked files
SH256 hash:
3fd064dfa5e9ef6016845046f35b05f1b619411f469ff7e60c49772162879419
MD5 hash:
2d484c4f2224af41c813a1769a103c7f
SHA1 hash:
53a2609394d73797578ce78e06e4d4857d1082e4
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
Parent samples :
cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
ce2fb413c1967c8ac8fe054d912d7476d6361a7d57db42a6740a7fc85998d9fc
MD5 hash:
ae3f1c6f86768467210446678b8e0a11
SHA1 hash:
7d3275ff05b8ad2b9b141b48f22a8a0e9c53eb29
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
66d9e7d002b91df4aa572228d3c4a1d41997fff54555d0aa2e903f993f307814
MD5 hash:
17df2b7340cf3291107bfd454d0ca856
SHA1 hash:
00458e02751bb0e2cc268730a0cac2689249b1a7
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d
MD5 hash:
2c509753fac93810c09574a8b56af1e4
SHA1 hash:
e53da7ff5a9cfc3bda21794d639ed1f02cd7a881
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
cd89fc2adf5729a7d483aa44f249fbb58b718ac76ec953092e537b62033b46b9
MD5 hash:
020768e24bcf93cb779dc390a7187f1a
SHA1 hash:
c4853d157795dbfb7a6cf1ffddcb30a5255663db
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
d7172829b5d80ec447ac943d999b251c715489ae55ddc5ce982810569637267d
MD5 hash:
295488882cece566b887c9b44ceec1b7
SHA1 hash:
a61f15fb42cc7964c6557ce3f5bc8f88fc01a7c8
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
757bf765685083be100b3721ccc295b8c6a14f13f9765dc8cecfcd0cc9853e44
MD5 hash:
68041bd729d24636422f8c95169df8de
SHA1 hash:
a094652c3502d72db6950a870f2da2f333032d2f
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
5e59d1eab5c2ebabfa5f93b2750053de1e319f8c12d5eeb33d5e59d142e743cb
MD5 hash:
df3214b331ac6b55ccb091896c24560c
SHA1 hash:
9eb64641382f6f589d5a5e0f5f3ceb3f9dd14f7d
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
25b6cb6543b180ddbfadf99669b3fd2fa5c161eda6a429f1302336c4af46579e
MD5 hash:
f7835f28fcdb0265b88b6a972920cf30
SHA1 hash:
73db2c230e7e8acb375b04649da9d0495f25d734
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
b7bac6f9632b53b05f4b50cf2f658196e6a0625f358cb24affd9f3dea30367c9
MD5 hash:
b2fb8ea6cfbba5cfcfa8532f2f2933e2
SHA1 hash:
6e434280999fce3fcb16a54c669655f4b69f5767
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
c91461922abc36a867765ffd32f2fb78bc22c3344fba2fb28bfb543a0aa3da2f
MD5 hash:
3904213dfcbe9ff96ac71e999f64ef6a
SHA1 hash:
02a1f898fa91b4a4e42ceb051e012ac55861c6b7
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
9a528cb1e010c11ed92aa9810e0021aee1b7c11e85db13e8b6bf97928c6cac5b
MD5 hash:
5678604b22617049dc686b524d3b583f
SHA1 hash:
98e0fc4a00542239f649459ccf8f6de22cb5e43e
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
bc945e03237641e79cb1a9b5399fffafce68daa318430e959b701aa3f4628c05
MD5 hash:
5275ae278e347d83fb061a92e979fe86
SHA1 hash:
6c1118b87f366df72a25f1988f740ea6753984cd
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
cc40fc4502d705d9698fd9d9493efdd39f6fcd0f0e03678eef29773b80e51ff9
MD5 hash:
bf8b0c8e992a344ce312c8a939fa1c9e
SHA1 hash:
3e207a18a539ab6ec17737e6fe79562f59502718
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
2cf67278ce63932f7efabdee1be667555c408718fca6622de2456b8e59db69cf
MD5 hash:
7b9e5d37881a3e58e26e22c79de09d47
SHA1 hash:
0cf699c041c6f7ad485b77f25403776aab99c057
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
472186b4b04ce451bfbc2f05095e8bbb9647e03a416182a45c0e6c261f4441e0
MD5 hash:
546a7a6f3635ef2ef039db79cc43d9bf
SHA1 hash:
bac10d0d1835bf7ce60fb3d73f573657ee8b585d
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
4413ed75935b9f14dfc0552c995965ab9a56a3017e4cef97ce95fd97000c5dbf
MD5 hash:
82f42e8233a78f81d3f67cc5861b5278
SHA1 hash:
f34aae9ee8fbf32747a3c6b3849b281ad07f75fe
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
35ad705274eea4550343084c20fbb4ecc1fa92e79a7133b4e93db7a8d86e36fb
MD5 hash:
f5551249fba2480dbbf9b4fb95b2c397
SHA1 hash:
d55e0961f286ed518418cea329921ba23bc285e9
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
4decd0cf215883f879fea9fc5631444612fec7965b9bae83a2cb50953d86ab76
MD5 hash:
05f31efa94632d555522c46e2efb10d7
SHA1 hash:
79a14113b8d29c949dd55aa9f001ae84f35d2d4e
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
38bd980cd6305526cef749e8d673f25a810acc5b704b7c8f88c996beb645d098
MD5 hash:
f19ddae87745df3a19e89875d343ccc7
SHA1 hash:
32163f27c6fa354c8d9cc95e35ddff35eb100698
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
1f368583acab6b1d25e0ed0c07e3c3839516170aaf8da47d0beb85a6204b51e8
MD5 hash:
dd5294db78668792b7d61438ef16fce7
SHA1 hash:
b5cec328b8731b697cbdd32534fac71ff3fbd3e4
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
SH256 hash:
3eaed1d4442ddd5cb4691a9cfd5aef6f374be2a3489b934d9043bb6e980a4841
MD5 hash:
a871d6371c9371bfd2b7bd0b3176db98
SHA1 hash:
79963cd76d972288c6647f6fef75fa325253cc7f
Link:
https://www.unpac.me/results/35d8f9aa-b367-47c3-bec7-53e06a957ce1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3eaed1d4442ddd5cb4691a9cfd5aef6f374be2a3489b934d9043bb6e980a4841

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194026/

Comments