MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 415cef68482c74fcfff231fafc63bf9835c72da00e826e753aac86f704db7ac8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

SHA256 hash: 415cef68482c74fcfff231fafc63bf9835c72da00e826e753aac86f704db7ac8
SHA3-384 hash: 31300eb8dba77340a0e7922141ef613a0ad6d66fb260afff559039a9cc191914c282ca4e0512d79e5e2320abe1530623
SHA1 hash: d1801a33c113fa63aaf798ddff9203dd8b3b793e
MD5 hash: 7f830c73c75600970921569a45de8d52
humanhash: lamp-low-uranus-mike
File name: 415CEF68482C74FCFFF231FAFC63BF9835C72DA00E826.exe
Signature: RedLineStealer
File size: 4'844'916 bytes
First seen: 2022-03-06 21:00:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:x5CvLUBsg/a9olYCdig2YGmfLtN3aY7ANfh7Jb0YpmfFU2:xyLUCg4olWI3fLtr8NfTx2
TLSH: T14626336037A5C8F3E2402434CF468F7765FFC3884B132143A36847A9AF5C9EA9566E5E
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
192.236.161.4:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
192.236.161.4:443    https://threatfox.abuse.ch/ioc/392753/
5.61.49.206:8880     https://threatfox.abuse.ch/ioc/392760/

Intelligence


File Origin
# of uploads: 1
# of downloads: 287
Origin country: n/a
Vendor Threat Intelligence
Malware family: socelars
ID: 1
File name: 104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb.zip
Verdict: Malicious activity
Analysis date: 2022-03-07 11:57:01 UTC
Tags: evasion trojan socelars stealer loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Socelars Vidar onlyLogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Base64 MpPreference
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 583967; Sample: 415CEF68482C74FCFFF231FAFC6...; Startdate: 06/03/2022; Architecture: WINDOWS; Score: 100
Threat name: Win32.Backdoor.Zapchast
Status: Malicious
First seen: 2021-10-23 02:18:27 UTC
File Type: PE (Exe)
Extracted files: 197
AV detection: 30 of 42 (71.43%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:djvu family:onlylogger family:redline family:socelars family:vidar botnet:706 botnet:937 botnet:nanani aspackv2 discovery evasion infostealer loader ransomware spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
OnlyLogger Payload
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
OnlyLogger
RedLine
RedLine Payload
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
45.142.215.47:27643
https://mastodon.online/@samsa11
https://koyu.space/@samsa2l
https://petrenko96.tumblr.com/
Unpacked files
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.