MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41df967faab672334124024b016e41d86660ade85d71d86a55b8c3c24fb70c99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socelars
Vendor detections: 13

SHA256 hash: 41df967faab672334124024b016e41d86660ade85d71d86a55b8c3c24fb70c99
SHA3-384 hash: e2590aec995a5fe9688f91e8da79245930e7c238ef55cb93acb9e37b3d853915718301a34f9c8ec46449ad035e32ee45
SHA1 hash: 22164794cd7ab983b53502e08b591c4e85750d38
MD5 hash: 15ce4d97e9882d40ae053cb4a494168c
humanhash: colorado-ten-texas-maine
File name: i864x__setup__62257ec67f6ca.exe
Signature: Socelars
File size: 6'449'319 bytes
First seen: 2022-03-07 04:36:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JxRIXyPFXX+yXA7QWTE57aIOYGly9DwVyeknTf:Jxa+9XsQQE5mIEy9iyb
Threatray: 6'390 similar samples on MalwareBazaar
TLSH: T16E5633ADF1A086A1C2EB83F4CEAF9EA69749470F9938173D43F567037C27165B1942C2
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: adm1n_usa32
Tags: exe Smoke Loader Socelars

Intelligence


File Origin
# of uploads: 1
# of downloads: 240
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: i864x__setup__62257ec67f6ca.exe
Verdict: Malicious activity
Analysis date: 2022-03-07 04:16:35 UTC
Tags: opendir trojan rat redline evasion loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cold Stealer RedLine SmokeLoader Socelar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Powershell Defender Base64 MpPreference
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cold Stealer
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: [rendered graph not reproduced] Behavior Graph ID: 584014, Sample: i864x__setup__62257ec67f6ca.exe, Startdate: 07/03/2022, Architecture: WINDOWS, Score: 100. The graph charts the process tree spawned by the installer (setup_installer.exe, setup_install.exe, multiple cmd.exe and powershell.exe children, injection into explorer.exe), the PE files each stage drops, and the IPs and domains contacted; the signatures it flags are the ones listed above.
Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-03-07 04:38:36 UTC
File Type: PE (Exe)
Extracted files: 318
AV detection: 22 of 27 (81.48%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:socelars botnet:allsup botnet:alltop2 botnet:lyla1 botnet:media45668 aspackv2 discovery infostealer loader spyware stealer suricata upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/
193.150.103.37:81
deyneyab.xyz:80
bonezarisor.xyz:80
92.255.57.154:11841
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Socelars
File type and SHA256: Executable exe 41df967faab672334124024b016e41d86660ade85d71d86a55b8c3c24fb70c99 (this sample)
