MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4051eb7216e002cc6d827d781527d7556f4eb0f47bf092fc1a58b41b365252ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 2 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4051eb7216e002cc6d827d781527d7556f4eb0f47bf092fc1a58b41b365252ec
SHA3-384 hash: c64a3d588a767c9a605bbefee9e10c3f193d98651050cba34cb5c149f11618bc21d5efd70ca62b8ec71c2da5315718a1
SHA1 hash: 8ea2c93cab54022165a5ca92ae663b04fcdfc97c
MD5 hash: 969a631044715e387f3b7cd7c64fdb63
humanhash: pizza-harry-magnesium-earth
File name:4051EB7216E002CC6D827D781527D7556F4EB0F47BF09.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'879'362 bytes
First seen:2021-10-17 22:35:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:EgsKbjkPq5z/PJIE8xTa6GlGlDym5nqpqjSLpMsf5eK+BV2Kdw/cRz:JZamvuTBlDyOo2swK+WYz
Threatray 636 similar samples on MalwareBazaar
TLSH T15ED53354E7C28847EC8942799A35776AA7F388120CF94F24C612E81ED32D5E49DEF363
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DiamondFox exe RedLineStealer


Avatar
abuse_ch
DiamondFox C2:
http://185.163.204.33/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.33/ https://threatfox.abuse.ch/ioc/234895/
http://rlrz.org/lancer/get.php https://threatfox.abuse.ch/ioc/234909/

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198004/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Malware.Jaik-9878603-0
Create hunting rule

Win.Packed.SmokeLoader-9880490-1
Create hunting rule

Win.Malware.Zenlod-9882704-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19dbda65-e8c4-4187-a871-90de74d7351f
Result
Threat name:
RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871883
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 504311 Sample: 4051EB7216E002CC6D827D78152... Startdate: 18/10/2021 Architecture: WINDOWS Score: 100 125 google.vrthcobj.com 2->125 127 205.185.119.191 PONYNETUS United States 2->127 129 22 other IPs or domains 2->129 179 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->179 181 Multi AV Scanner detection for domain / URL 2->181 183 Antivirus detection for URL or domain 2->183 187 16 other signatures 2->187 12 4051EB7216E002CC6D827D781527D7556F4EB0F47BF09.exe 10 2->12         started        signatures3 185 System process connects to network (likely due to code injection or exploit) 125->185 process4 file5 101 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->101 dropped 15 setup_installer.exe 16 12->15         started        process6 file7 103 C:\Users\user\AppData\...\setup_install.exe, PE32 15->103 dropped 105 C:\Users\user\AppData\Local\...\sahiba_5.txt, PE32 15->105 dropped 107 C:\Users\user\AppData\Local\...\sahiba_3.txt, PE32 15->107 dropped 109 11 other files (3 malicious) 15->109 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 131 razino.xyz 192.64.119.193, 49755, 80 NAMECHEAP-NETUS United States 18->131 133 127.0.0.1 unknown unknown 18->133 93 C:\Users\user\AppData\...\sahiba_7.exe (copy), PE32 18->93 dropped 95 C:\Users\user\AppData\...\sahiba_6.exe (copy), PE32 18->95 dropped 97 C:\Users\user\AppData\...\sahiba_5.exe (copy), PE32 18->97 dropped 99 5 other files (3 malicious) 18->99 dropped 189 Detected unpacking (changes PE section rights) 18->189 191 Performs DNS queries to domains with low reputation 18->191 23 cmd.exe 18->23         started        25 cmd.exe 1 18->25         started        27 cmd.exe 1 18->27         started        29 6 other processes 18->29 file10 signatures11 process12 process13 31 sahiba_7.exe 23->31         started        36 sahiba_2.exe 1 25->36         started        38 sahiba_5.exe 27->38         started        40 sahiba_6.exe 29->40         started        42 sahiba_1.exe 2 29->42         started        44 sahiba_3.exe 12 29->44         started        46 2 other processes 29->46 dnsIp14 135 212.192.241.62, 49762, 49863, 80 RAPMSB-ASRU Russian Federation 31->135 145 16 other IPs or domains 31->145 65 C:\Users\...\wXrzjv8G0NZNKsLCSybodsWT.exe, PE32 31->65 dropped 67 C:\Users\...\pmsrkZkt0vZGjR6fX_tkFsHO.exe, PE32 31->67 dropped 69 C:\Users\...\nO9GB9KxoKxRsbMSGjY9Bafm.exe, PE32 31->69 dropped 73 19 other malicious files 31->73 dropped 149 Drops PE files to the document folder of the user 31->149 151 May check the online IP address of the machine 31->151 153 Creates HTML files with .exe extension (expired dropper behavior) 31->153 155 Disable Windows Defender real time protection (registry) 31->155 48 nGjqMGCdaTCpTjOFpihQB8_i.exe 31->48         started        53 N7kb5Ug3msYin0yKql8sWzxY.exe 31->53         started        71 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 36->71 dropped 157 DLL reload attack detected 36->157 159 Detected unpacking (changes PE section rights) 36->159 161 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->161 167 4 other signatures 36->167 55 explorer.exe 36->55 injected 147 3 other IPs or domains 38->147 163 Performs DNS queries to domains with low reputation 38->163 137 videoconvert-download38.xyz 40->137 165 Creates processes via WMI 42->165 57 sahiba_1.exe 42->57         started        139 sergeevih43.tumblr.com 74.114.154.22, 443, 49760 AUTOMATTICUS Canada 44->139 59 WerFault.exe 44->59         started        141 176.111.174.254 WILWAWPL Russian Federation 46->141 143 s.lletlee.com 104.21.17.130, 443, 49756 CLOUDFLARENETUS United States 46->143 61 WerFault.exe 46->61         started        file15 signatures16 process17 dnsIp18 111 niemannbest.me 172.67.221.103, 443, 49905, 49913 CLOUDFLARENETUS United States 48->111 119 3 other IPs or domains 48->119 75 C:\Users\user\AppData\Roaming\7601185.exe, PE32 48->75 dropped 77 C:\Users\user\AppData\Roaming\3970395.exe, PE32 48->77 dropped 79 C:\Users\user\AppData\Roaming\3473064.exe, PE32 48->79 dropped 91 2 other files (none is malicious) 48->91 dropped 169 Detected unpacking (changes PE section rights) 48->169 171 May check the online IP address of the machine 48->171 121 2 other IPs or domains 53->121 113 ozentekstil.com 55->113 115 integrasidata.com 55->115 123 3 other IPs or domains 55->123 81 C:\Users\user\AppData\Roaming\favchda, PE32 55->81 dropped 173 System process connects to network (likely due to code injection or exploit) 55->173 175 Benign windows process drops PE files 55->175 177 Hides that the sample has been downloaded from the Internet (zone.identifier) 55->177 83 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 57->83 dropped 85 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 57->85 dropped 87 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 57->87 dropped 63 conhost.exe 57->63         started        117 google.vrthcobj.com 59->117 89 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 59->89 dropped file19 signatures20 process21
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4051eb7216e002cc6d827d781527d7556f4eb0f47bf092fc1a58b41b365252ec/
Threat name:
Win32.Spyware.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 07:30:52 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ibi6w4qw4abmy3mcpv4bkj6xkvxu5mhuppyjf7a2lc2bwnssklwa._file
Verdict:
malicious
Similar samples:
208660089575dbef9e473ae2b2556e5492e8739376d39e1f5575ca65d33892f7
RedLineStealer
2aafe51ed875d14265117e71337eaf72d2d22f8055ad43356062efbde0eb6f4a
RedLineStealer
2d100cc76f229ac10a7589e1aea0bfb47b5692840d8f2b7a1ea56df0f312d1fd
RedLineStealer
37b2718705e2cdcbe38e2e27173ba95467b68d45187a25e5bd8114b5b2c182aa
RedLineStealer
4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8
RedLineStealer
5d10fa7657f41f17d508c1dbb3f63b5b2ad6deea2f47e747b118345a56ab6cdc
RedLineStealer
a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2
RedLineStealer
+ 626 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:redline family:smokeloader family:socelars family:vidar family:xmrig botnet:932 botnet:933 botnet:937 botnet:973 botnet:cana botnet:default aspackv2 backdoor discovery evasion infostealer miner spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/211017-2h8xcschf7/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Windows security modification
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Arkei
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Turns off Windows Defender SpyNet reporting
Vidar
xmrig
Malware Config
C2 Extraction:
https://sergeevih43.tumblr.com/
176.111.174.254:56328
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
https://mas.to/@sslam
http://185.215.113.22/E2vacMBpWA.php
Unpacked files
SH256 hash:
451aebfca43e02ea710263fd77f1760ba5bf9917d1e5e84ca356be07081f909c
MD5 hash:
dc9499b8eb5bf7d8295e3da003d7b47c
SHA1 hash:
2c32d3d570f9ff0bd5f316fd5e9ce5fd486fc2b1
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
d5fb7e7e607978756997c1a9038b8033edda90cbaad6e6994c1cfe967a63758a
MD5 hash:
47fddcd6c71b0da0836348d58109d749
SHA1 hash:
e7a85929268f7887c3e07fddb6e75f9711d1a759
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
7e7bfe59ae0611aee3ebe4fe90ba1a36d4672c0f0daeabc1cfbdae2bf57a56ba
MD5 hash:
9e83ee260b04bac6ba74d21f4c5ad8b8
SHA1 hash:
6b88a37ab60f692f8857b1e4b56410c7ca195db9
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
aa5310fd387a04b4c0942c3aa8576053f9891286ff42bca153278535a88b8d73
MD5 hash:
3887583d31875ca7a72241b6759cc0c7
SHA1 hash:
18308be0ace66eaee8976434f4472b33bda3aae0
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
0731229bcf7a925b7aff76a16d2472565aa67923fce163daed1c97dc68c6d3d9
MD5 hash:
db6c9d70c82f70253c3e5d0dd2544092
SHA1 hash:
9733f26d78829b690bcbff9a3b169a8583c02557
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
Parent samples :
4051eb7216e002cc6d827d781527d7556f4eb0f47bf092fc1a58b41b365252ec
aa9ff4e33f61dd2fc164a21d0a53397f19b7f9c64d7861df4c9120d34c3a5536
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
SH256 hash:
89a0227ef833a2742f7dd46be36e61b178a8b47846fd3cf557c8b9991b7cfb67
MD5 hash:
55bf2bbdd87ec3ac709c6a247f4a28b4
SHA1 hash:
6df7d9af3a7b2da1c91aff955a4c5aadbe2d13cb
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
Parent samples :
5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7
SH256 hash:
3c3bcd40dc7e400fec45e906298c20bcec25ef1238340513565b89aa3ac6ee99
MD5 hash:
073dd8938a1f1c18328bea37faaeb8d9
SHA1 hash:
2cbe481b4b2c30c0217801e901cbe55faf4ff83a
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
09809f56e64861934f9b196c344cfc6b330554f5dfaf448938082c362c508083
MD5 hash:
07970b17910ba7e2ca4208f482463f69
SHA1 hash:
a7ac29a8b09a7428bdb57f715f3ad5b8d0de9e9c
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
890b0d5aecf621d9c57e7c98e87b74a6b593c9977c907eba27120350047356b1
MD5 hash:
c132913f414a76cd69efb597c0315455
SHA1 hash:
850eca9eaea0fb2e969652c5b8f6524dcf0a1cda
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
959b21542215b93dafb6df217039027b81bf0954de1c2ae08f9c68ef6cad526e
MD5 hash:
503702e08c6aa1f3ff5d1136be1d984b
SHA1 hash:
5ef3a7e0518a08f10cebbdb70ed6c833f939fafe
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
883fd7893b535404f92370da70931bda4c3dc8c1524b7d1a3592f980e892ff7c
MD5 hash:
f89c33818e317dc4ce219ecd2b115abf
SHA1 hash:
57b6457baca4bc45d7f2667ce035c487e5146cc9
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
aa6cc42ad1c627460a4c54cfa46fa1934518c510d2bdb323ee119c460136ed3f
MD5 hash:
f2eb93b3bbe3cad8a4b76e74ffd3ccff
SHA1 hash:
e018afa2e24e5eb03598d37d9142674ad1d7ac2f
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
7296d60423fbfc4877e7bbb0c1352d0756908f9fbc53679bce463320e3a382f0
MD5 hash:
7ca1af0d05d832e6039ddb2629c6007f
SHA1 hash:
b3cf5b027fa6ee5a6cebb33bde0b36eb17e9956c
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
8c7cdb6916702d2387737927da9a3c49a6f4c1033545c1ed9bb37fc2829e4803
MD5 hash:
dca556c5c11a934a767c12ac44f179e5
SHA1 hash:
900f5ad3481cdb4f82dccf97d0b7ab272e599dce
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
c9dd478d93d1b836e057e0048a00684fc339f8678fab47905113f2ea7360ae5a
MD5 hash:
ca9a610b6ae2517b75d22c6ab66ef783
SHA1 hash:
5e4620fa106aa0ad10b14709466217f4caee2835
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
SH256 hash:
4051eb7216e002cc6d827d781527d7556f4eb0f47bf092fc1a58b41b365252ec
MD5 hash:
969a631044715e387f3b7cd7c64fdb63
SHA1 hash:
8ea2c93cab54022165a5ca92ae663b04fcdfc97c
Link:
https://www.unpac.me/results/657d7891-7e16-4e37-b953-1364d67f9437/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4051eb7216e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4051eb7216e002cc6d827d781527d7556f4eb0f47bf092fc1a58b41b365252ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/198004/

Comments