MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 423603734e03a0601620dfa8522bbddfc14de5418da253167f46f3a14cca4979. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 423603734e03a0601620dfa8522bbddfc14de5418da253167f46f3a14cca4979
SHA3-384 hash: 3f8780699b61c155bda6f5dfc56d7ec7526de4cc5793cd4f69d6096ce114149cfd2c9ddd7694092d59e4aa02d019e87c
SHA1 hash: 13af0b8840902049eda1a222945f0d9245860b3a
MD5 hash: ac63010f16eecdf354aef85699f17905
humanhash: michigan-harry-fanta-texas
File name: ac63010f16eecdf354aef85699f17905.exe
Signature: RedLineStealer
File size: 8'004'527 bytes
First seen: 2022-03-08 03:55:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 196608:P+B2Gm3qaEhdtM+Y7pAHYPVNKFF/H1+/cL:7Gm3qaoM+YN0YVIFFYS
TLSH: T118863316BB9279B1E4638E30183A7C04173F5D704FA0DDCE1754A61CA2B6DC2D672BAB
dhash icon: f0cccacaece4e0f0 (12 x RedLineStealer, 2 x GCleaner, 2 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer
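The identifiers above are what a triage script keys on. The following is an added example, not code from MalwareBazaar or abuse.ch: it builds the documented get_info query for the MalwareBazaar API, validates a response for the hash that was actually asked for, and recomputes every digest the entry lists over downloaded bytes so a truncated or wrong download is caught before anything is detonated. The HTTP call itself (and the Auth-Key header newer versions of the API require) is left out so the block runs offline; CONSTRUCTED_RESPONSE is shaped like the API's get_info JSON and filled with this entry's values, not captured from the live service.

```python
import hashlib
import json

MB_API = "https://mb-api.abuse.ch/api/v1/"

# Identifiers copied from this entry.
ENTRY = {
    "sha256_hash": "423603734e03a0601620dfa8522bbddfc14de5418da253167f46f3a14cca4979",
    "sha1_hash": "13af0b8840902049eda1a222945f0d9245860b3a",
    "md5_hash": "ac63010f16eecdf354aef85699f17905",
    "sha3_384_hash": "3f8780699b61c155bda6f5dfc56d7ec7526de4cc5793cd4f69d6096ce114149cfd2c9ddd7694092d59e4aa02d019e87c",
    "file_size": 8004527,
}

HEX = set("0123456789abcdef")


def build_get_info(sha256):
    """Form body for a MalwareBazaar get_info query, to be POSTed to MB_API.

    Only SHA256 is accepted here; the API also takes MD5/SHA1, but a SHA256
    lookup cannot silently land on a different sample.
    """
    sha256 = sha256.strip().lower()
    if len(sha256) != 64 or set(sha256) - HEX:
        raise ValueError("not a SHA256 hex digest")
    return {"query": "get_info", "hash": sha256}


def parse_get_info(body, requested_sha256):
    """Validate a get_info JSON response and extract the triage fields.

    Raises LookupError on a non-ok query_status (e.g. hash_not_found) and
    ValueError if the returned record is not for the hash that was requested.
    """
    doc = json.loads(body)
    if doc.get("query_status") != "ok":
        raise LookupError(doc.get("query_status", "missing query_status"))
    rec = doc["data"][0]
    if rec["sha256_hash"].lower() != requested_sha256.strip().lower():
        raise ValueError("response record is for a different sample")
    return {
        "signature": rec.get("signature"),
        "first_seen": rec.get("first_seen"),
        "file_type": rec.get("file_type"),
        "tags": rec.get("tags") or [],
        "yara_rules": sorted(r["rule_name"] for r in rec.get("yara_rules") or []),
    }


def entry_from_bytes(data):
    """Compute the same identifiers the entry lists, over raw sample bytes."""
    return {
        "sha256_hash": hashlib.sha256(data).hexdigest(),
        "sha1_hash": hashlib.sha1(data).hexdigest(),
        "md5_hash": hashlib.md5(data).hexdigest(),
        "sha3_384_hash": hashlib.sha3_384(data).hexdigest(),
        "file_size": len(data),
    }


def verify_sample(data, entry=ENTRY):
    """Return the names of identifiers that do not match the entry.

    [] means the bytes are the sample this entry describes. Comparing all four
    digests plus the size also catches a truncated download, not only a wrong file.
    """
    computed = entry_from_bytes(data)
    return [k for k in entry if computed[k] != entry[k]]


# Constructed response: shaped like the API's get_info JSON and filled with this
# entry's values (only the fields used above), not captured from the live service.
CONSTRUCTED_RESPONSE = json.dumps({
    "query_status": "ok",
    "data": [{
        "sha256_hash": ENTRY["sha256_hash"],
        "sha1_hash": ENTRY["sha1_hash"],
        "md5_hash": ENTRY["md5_hash"],
        "file_name": "ac63010f16eecdf354aef85699f17905.exe",
        "file_size": ENTRY["file_size"],
        "file_type": "exe",
        "first_seen": "2022-03-08 03:55:48",
        "signature": "RedLineStealer",
        "reporter": "abuse_ch",
        "tags": ["exe", "RedLineStealer"],
        "yara_rules": [
            {"rule_name": "adonunix2", "author": "Tim Brown @timb_machine", "description": "AD on UNIX"},
            {"rule_name": "BitcoinAddress", "author": "Didier Stevens (@DidierStevens)", "description": "Contains a valid Bitcoin address"},
            {"rule_name": "malware_shellcode_hash", "author": "JPCERT/CC Incident Response Group", "description": "detect shellcode api hash value"},
            {"rule_name": "MALWARE_Win_RedLine", "author": "ditekSHen", "description": "Detects RedLine infostealer"},
        ],
    }],
})

if __name__ == "__main__":
    print(build_get_info(ENTRY["sha256_hash"]))
    print(parse_get_info(CONSTRUCTED_RESPONSE, ENTRY["sha256_hash"]))
    print(verify_sample(b"not the sample"))  # every identifier mismatches
```

parse_get_info deliberately refuses a record whose sha256_hash differs from the one requested: a lookup by MD5 or SHA1 can be answered with a record for another file that shares that weaker digest, and the check costs nothing.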


Comment by abuse_ch:
RedLineStealer C2: 79.141.165.43:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
79.141.165.43:80 | https://threatfox.abuse.ch/ioc/392926/

Intelligence


File Origin
# of uploads: 1
# of downloads: 228
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Searching for analyzing tools
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process with a hidden window
Launching a process
Running batch commands
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Sending an HTTP POST request to an infection source
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cookie Stealer Cyberduck Nitol RedLine S
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected Cyberduck
Yara detected Nitol
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph (ID 584742, sample qB2Fc2hXCM.exe, start date 08/03/2022, architecture WINDOWS, score 100). Node numbers are the graph's own; "other" counts are as the graph abbreviates them.

Sample start (node 2)
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 17 other signatures
  Starts: qB2Fc2hXCM.exe (node 8); rundll32.exe (node 11)

qB2Fc2hXCM.exe (node 8)
  Dropped: C:\Users\user\Desktop\note8876.exe (PE32); C:\Users\user\Desktop\TrdngAnlzr1645.exe (PE32); C:\Users\user\...\SharkSoftSetup346456.exe (PE32); 5 other malicious files
  Starts: TrdngAnlzr1645.exe (node 13); Resource.exe (node 18); note8876.exe (node 20); 5 other processes (node 24)

rundll32.exe (node 11)
  Starts: rundll32.exe (node 22)

TrdngAnlzr1645.exe (node 13)
  Network: procduo.xyz 23.105.247.220 ports 49719, 49721, 80 (SERVERS-COMUS, Russian Federation); blackhk1.beget.tech 5.101.153.227 ports 49718, 80 (BEGET-ASRU, Russian Federation)
  Dropped: C:\Users\user\AppData\Local\Temp\HLD44.exe (PE32); C:\Users\user\AppData\Local\Temp\1J7C2.exe (PE32); C:\Users\user\AppData\Local\Temp\1H9M8.exe (PE32); 3 other files (1 malicious)
  Signatures: Creates HTML files with .exe extension (expired dropper behavior); Performs DNS queries to domains with low reputation; 3 other signatures
  Starts: 1A9GA.exe (node 26); 1J7C2.exe (node 31); 1H9M8.exe (node 33); 3 other processes (node 39)

Resource.exe (node 18)
  Network: ip-api.com 208.95.112.1 ports 49716, 80 (TUT-ASUS, United States); 2 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\Temp\11111.exe (PE32)
  Signatures: Antivirus detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file
  Starts: 2 other processes (node 41)

note8876.exe (node 20)
  Network: 152.32.143.173 ports 49720, 80 (UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, Hong Kong)
  Dropped: C:\Users\user\Documents\...\note8876.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Drops PE files to the document folder of the user; 2 other signatures

rundll32.exe (node 22)
  Signatures: 3 other signatures
  Injects into: svchost.exe (node 35)
  Starts: 3 other processes (node 43)

5 other processes (node 24)
  Network: 169.197.141.182 (SIMPLY-BITS-LLCUS, United States); 3 other IPs or domains
  Dropped: e726ce87-4a35-496f-acd2-ae2900968f93.exe (PE32)
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); Creates processes via WMI
  Starts: e726ce87-4a35-496f-acd2-ae2900968f93.exe (node 37); 3 other processes (node 45)

1A9GA.exe (node 26)
  Network: 5.255.255.60 (YANDEXRU, Russian Federation)
  Dropped: C:\Users\user\AppData\Roaming\...\dllhost.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names)

1J7C2.exe (node 31)
  Signatures: Machine Learning detection for dropped file; Tries to evade analysis by execution special instruction which cause usermode exception; Hides threads from debuggers

svchost.exe (node 35, injected by node 22)
  Signatures: System process connects to network (likely due to code injection or exploit); Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
  Starts: svchost.exe (node 47)

e726ce87-4a35-496f-acd2-ae2900968f93.exe (node 37)
  Signatures: Antivirus detection for dropped file

3 other processes (node 39)
  Dropped: C:\Users\user\AppData\Local\...\65BVjDQ2.ZdQ (PE32)

2 other processes (node 41)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

3 other processes (node 45)
  Network: 20.42.73.29 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); v.xyzgamev.com 104.21.40.196 ports 443, 49714, 49717 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)

svchost.exe (node 47)
  Network: toa.mygametoa.com 34.64.183.91 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); 172.67.213.194 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\...\Login Data.tmp (SQLite); C:\Users\user\AppData\Local\...\Cookies.tmp (SQLite)
  Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc)
Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-03-06 15:03:00 UTC
File Type: PE (Exe)
Extracted files: 260
AV detection: 28 of 42 (66.67%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:socelars botnet:allsup botnet:alltop2 botnet:buildttt2 botnet:smurf3 discovery evasion infostealer persistence spyware stealer suricata trojan upx
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/
xabigyarall.xyz:80
169.197.141.182:47320
deyneyab.xyz:80
193.150.103.37:81
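The network IOCs on this page come in three shapes: the ThreatFox ip:port entry above, domain:port and ip:port pairs, and one full URL on an S3 bucket. They should not all be matched the same way. The S3 hostname is shared infrastructure (the behaviour tags above already note "Legitimate hosting services abused for malware hosting/C2"), so only the exact host plus path prefix is a usable indicator, while the ip:port entries are tied to ports an operator can move. The following is an added example, not code from this page or from abuse.ch: it normalises both IOC lists into one set and runs them over a constructed proxy/flow log. The log format (timestamp, source, destination IP, destination port, HTTP Host, URL) and every log line are invented for the example; the IOC strings are the ones listed on this page.

```python
import ipaddress
from urllib.parse import urlsplit

# Network IOCs exactly as this entry lists them: the ThreatFox C2 plus the
# sandbox "C2 Extraction" list.
IOCS = [
    "79.141.165.43:80",
    "https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/",
    "xabigyarall.xyz:80",
    "169.197.141.182:47320",
    "deyneyab.xyz:80",
    "193.150.103.37:81",
]


def parse_ioc(ioc):
    """Normalise one IOC into (kind, host, port, path_prefix).

    kind is 'url', 'ip' or 'domain'; path_prefix is only set for URLs.
    """
    if "://" in ioc:
        u = urlsplit(ioc)
        port = u.port or (443 if u.scheme == "https" else 80)
        return ("url", u.hostname.lower(), port, u.path or "/")
    host, _, port = ioc.rpartition(":")
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return (kind, host.lower(), int(port), None)


PARSED_IOCS = [(ioc, parse_ioc(ioc)) for ioc in IOCS]


def parse_log_line(line):
    """Parse one line of the constructed log used below.

    Fields: timestamp, source IP, destination IP, destination port,
    HTTP Host (or '-'), full URL (or '-').
    """
    ts, src, dst_ip, dst_port, host, url = line.split(maxsplit=5)
    return {
        "ts": ts,
        "src": src,
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "host": None if host == "-" else host.lower(),
        "url": None if url == "-" else url,
    }


def match_event(event):
    """Return [(confidence, ioc), ...] for one parsed event.

    URL IOCs match on exact host plus path prefix, so another bucket on the same
    S3 endpoint does not fire. ip:port and domain:port IOCs match at high
    confidence on host and port, and at medium confidence on host alone.
    """
    hits = []
    for ioc, (kind, host, port, path) in PARSED_IOCS:
        if kind == "url":
            if not event["url"]:
                continue
            u = urlsplit(event["url"])
            if (u.hostname or "").lower() == host and u.path.startswith(path):
                hits.append(("high", ioc))
            continue
        observed = event["dst_ip"] if kind == "ip" else event["host"]
        if observed == host:
            hits.append(("high" if event["dst_port"] == port else "medium", ioc))
    return hits


def scan(lines):
    """Run every log line through the IOC set; return (ts, src, confidence, ioc) alerts."""
    alerts = []
    for line in lines:
        event = parse_log_line(line)
        for confidence, ioc in match_event(event):
            alerts.append((event["ts"], event["src"], confidence, ioc))
    return alerts


# Constructed log lines (private and documentation-range addresses, invented
# timestamps and object name); they are not traffic from the sandbox run.
SAMPLE_LOG = [
    "2022-03-08T04:00:01Z 10.0.0.15 79.141.165.43 80 - -",
    "2022-03-08T04:00:02Z 10.0.0.15 203.0.113.20 443 sa-us-bucket.s3.us-east-2.amazonaws.com https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/stage2.bin",
    "2022-03-08T04:00:03Z 10.0.0.16 203.0.113.21 443 other-bucket.s3.us-east-2.amazonaws.com https://other-bucket.s3.us-east-2.amazonaws.com/qwwgh/",
    "2022-03-08T04:00:04Z 10.0.0.15 169.197.141.182 443 - -",
    "2022-03-08T04:00:05Z 10.0.0.17 203.0.113.22 80 xabigyarall.xyz http://xabigyarall.xyz/",
    "2022-03-08T04:00:06Z 10.0.0.18 203.0.113.23 443 www.example.com https://www.example.com/",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

On the constructed log this yields four alerts: two high-confidence hits on 79.141.165.43:80 and the S3 URL, a medium-confidence hit on 169.197.141.182 because the observed port (443) is not the 47320 the config names, and a high-confidence hit on xabigyarall.xyz:80. The other bucket on the same S3 endpoint and the unrelated TLS connection produce nothing, which is the behaviour you want before loading these IOCs into a blocklist.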
Unpacked files (SHA256 / MD5 / SHA1):
98264f246a7fac463bae0339549f416102295880398891f0c4bc393e3c52889f / a4a95029c177950af361de7e73e3a7d4 / c286fa5df8040ee102036cec427eeabd55a6ad03
cc5599fcaf4e82662714780f4e51066a4b4205340190f00f3300ccd73c98931a / e5afcccaa286c259e938402aedbefbe8 / b406c75ae18213de5cf70898fe669d350326868d
85c668d01960e351c798499362cc74b9396e7eec52f135978c05a6735c9dccaf / dbf269324910a5e2c6535c7db7361eeb / 90644bb674e48d81b788fdaffd9230f897fe3d94
079fcbff8d710ddbade18e1952149a1d66562343fba5be50ea4824805e2d5b53 / ecce30a05bbe2493081b4b9d56270650 / 830e3f484737e9195b3e5dd5cbcb7d16130469bb
1554731152d595632657ba52a90989de23681b1355d2ca2aff11976bf36510cc / a4ad8cce21bf38b9e997da7f104c7726 / a9d29e628cccbb0b864c2170f3f3e62ed7e24f6d
b873156e83b21028c106ba170ed3b873ebc459607736ce3d039182d138183a5c / 5a0c26b78bfcff0d3c695762c688c5cb / d647e27dd926081db63658fbd82e22394f1974c4
b61b5db083b773b830e863b11962cded7099f215af27959a55d56d82ded7d49a / 2ff07fca525288775c29a03d98ab5abd / a755d407e19793751fb4ce156638907f70e4a771
c55ef29b862c2f5dd4f1f016c7dbae2e0638ae17b0f2a7f8e8c8f54ab4c5c26d / 572cbe9db6fae8829d58e95d546048fd / d5aa9069ac245228019af414b76f6fee572cdb1a
04f43903ac8a14473a83b09f51196cd99f880477b8e600032f77ec0016678fa3 / 364ef552a4680c37f94d7148ea587c8b / a8ba800f95f7504aede1e7ad946d0fd6e5e49851
1d4ca5f13afa42a380c3cc12a4ad7489b1c158e463c4559bb179467eff44bb40 / 61d3e34b1f8687ce985f61667545c4d7 / 737b8a558d4b4653f17a4711db2f70c90f5fc807
fa92b4cb287adeb86f69adbcc6bc86b3f4434c745afaf4a1329f7166193ff500 / 4bad81150aaf7ac1f6f770325ee4da53 / 968602cc9f8ced8991f5e602d3684244bdbb583a
423603734e03a0601620dfa8522bbddfc14de5418da253167f46f3a14cca4979 / ac63010f16eecdf354aef85699f17905 / 13af0b8840902049eda1a222945f0d9245860b3a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.
