MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44e401aaf0b52528aa033257c1a1b8a09a2b10edf26edaafcef0f45a2c40e885. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 2 YARA File information Comments

SHA256 hash:	44e401aaf0b52528aa033257c1a1b8a09a2b10edf26edaafcef0f45a2c40e885
SHA3-384 hash:	c882c20182a67001ad1336ea487b719e7ed1b752fd9e0ffb7697afb5139cf4fbd1b99136c8f5a3c9e8317200f85cecbd
SHA1 hash:	083aac1d03eeafd27753a23b3037f6cd4e0cd007
MD5 hash:	f71b1d3ea310fd69dd1dbaca46a0c1e4
humanhash:	fifteen-purple-orange-monkey
File name:	44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'460'811 bytes
First seen:	2021-11-23 18:36:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	98304:JHxHov4UkV9o5Y5Ul2C6lR4Rleqbgejgki+a6zuPgCMnNve6A7:JHOGV9+YYuf4Xe9K2/UNy
TLSH	T1432633A560E39FB3FEE278F3987978CD565E78860602DE1EB630401642BD1E66DF7009
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
49.12.219.50:4846

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
49.12.219.50:4846	https://threatfox.abuse.ch/ioc/253505/
176.122.25.128:49897	https://threatfox.abuse.ch/ioc/253519/

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe

Verdict:

No threats detected

Analysis date:

2021-11-23 18:46:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/684bc14d-8177-4ad6-b121-10113d12cd3e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Win.Packed.Socelars-9901323-1

Win.Packed.Socelars-9901373-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Searching for the window

Running batch commands

Sending a custom TCP request

Searching for synchronization primitives

Launching a process

Launching the default Windows debugger (dwwin.exe)

Creating a process with a hidden window

Creating a window

DNS request

Sending an HTTP GET request

Reading critical registry keys

Launching cmd.exe command interpreter

Query of malicious DNS domain

Unauthorized injection to a recently created process

Launching a tool to kill processes

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/619d34d1f36138de3f37bd52/reports/d06a5259-5552-4f43-80fb-2d3c3bd62d63/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/85a2f66b-a3fc-46d3-b133-15dc6dd4c2be

Result

Threat name:

Cookie Stealer RedLine SmokeLoader Socel

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/894967

Signature

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates processes via WMI

Detected unpacking (overwrites its own PE header)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Obfuscated command line found

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Sigma detected: Copying Sensitive Files with Credential Data

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious MSHTA Process Patterns

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Suspicious Svchost Process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Cookie Stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Socelars

Yara Genericmalware

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/44e401aaf0b52528aa033257c1a1b8a09a2b10edf26edaafcef0f45a2c40e885/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-03 04:43:45 UTC

File Type:

PE (Exe)

Extracted files:

127

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=itsadkxqwussrkqdgjl4dinyucncwehn6jxnvl6o6d2fulca5ccq._file

Verdict:

malicious

Result

Malware family:

socelars

Score:

10/10

Tags:

family:redline family:smokeloader family:socelars botnet:ani botnet:jamesoldd aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Link:

https://tria.ge/reports/211123-w9gpasbaap/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Kills process with taskkill

Modifies data under HKEY_USERS

Modifies registry class

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in System32 directory

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

suricata: ET MALWARE ClipBanker Variant Activity (POST)

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

Malware Config

C2 Extraction:

http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
65.108.20.195:6774
45.142.215.47:27643
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/

Unpacked files

SH256 hash:

bc945e03237641e79cb1a9b5399fffafce68daa318430e959b701aa3f4628c05

MD5 hash:

5275ae278e347d83fb061a92e979fe86

SHA1 hash:

6c1118b87f366df72a25f1988f740ea6753984cd

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

cc40fc4502d705d9698fd9d9493efdd39f6fcd0f0e03678eef29773b80e51ff9

MD5 hash:

bf8b0c8e992a344ce312c8a939fa1c9e

SHA1 hash:

3e207a18a539ab6ec17737e6fe79562f59502718

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

2cf67278ce63932f7efabdee1be667555c408718fca6622de2456b8e59db69cf

MD5 hash:

7b9e5d37881a3e58e26e22c79de09d47

SHA1 hash:

0cf699c041c6f7ad485b77f25403776aab99c057

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4

MD5 hash:

0dedd909aae9aa0a89b4422106310e9e

SHA1 hash:

271d36afa5b729ee590cf8066166ca5e9c9d0340

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f

MD5 hash:

417411e71de543ffbe76242943ba5b90

SHA1 hash:

e50f45218c6d01cb67787add25491acfead007fa

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

a8c989b0f1ad161985d64b9b8ddd3af811b755efd1d5fd89dbe950717cf93070

MD5 hash:

824caee8c8b92c2c81cc5036b5754823

SHA1 hash:

b04172ba9aafc6ea2e4586193eb61ec2959193af

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee

MD5 hash:

57e3a53d7576635f94c0b7ea6b9fad43

SHA1 hash:

a43b28cd48d9efcbccc12ad2a644d6186acbd968

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

70f246fd61a27a4e2ffde2357e6c8ebe554a79811a35e7141f747090d05ff7e1

MD5 hash:

51b73b4d3041eb2d32a29dca61059549

SHA1 hash:

9845a8e5716e5e16ffc33ceccae9abf52872a2b5

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

f72a139a7eeb49e2689dd5f89e90374ba440f0f60d0eec92af6e0dcec4a2335d

MD5 hash:

a2d61cc3794edafbf1dfa6097dccc5f5

SHA1 hash:

62732d2511e65429ea40e3b43a1cf2c82081b19d

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

11a9455ca1564a1edb3d687f05b9fb4afcb02433de2fe8dcd48e236987bbcbb4

MD5 hash:

939fd28a60b8e44b81355fcbb9731f79

SHA1 hash:

5f0ac3ded45e99156e6ab33f89f0ccd95bb5bd44

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

e44ea3867d4f177bb2a78af566933b4eca8c108231032abc17836c45499f9c7c

MD5 hash:

6fc6f704fc21e2edfdff0408f4b8864a

SHA1 hash:

1e632e628ed41284a1a24d0dc93760f5df036d45

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

7cfd084d32117fe237c4de00f149f66453f68184c22ad2a011b24e92a29bcf6f

MD5 hash:

d87c40cd90c98682b8098d2c3dfc2b4d

SHA1 hash:

84a0a5be5a028497c3358a67d049b0610214a835

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db

MD5 hash:

70220a3ce6ffd34101b3770342505f2c

SHA1 hash:

b55c421634d8eeaec5c6193f34c04625d21a9ae9

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca

MD5 hash:

2fbf0040b06b8719902326d9584c29c3

SHA1 hash:

f2983c7b2d3d91722fb88198ac2441c5e098c2cf

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01

MD5 hash:

d5d68f6d0c6e151d2fb689740f5f3f75

SHA1 hash:

cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

Parent samples :

f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a

SH256 hash:

393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e

MD5 hash:

07f99f9e2df157ae78339603186ac280

SHA1 hash:

cb295687ae130d85061676471abcaa5f60df4198

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

1801255e453427f471a53caea96f2dc62fa8847d3500dbf2def5dacc74573c41

MD5 hash:

ba9e7499c977006383969a0e3353f208

SHA1 hash:

a31fa89174935b3e63e1443017f197446c0a29b9

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

975d5bbb72c7cee156fe5c08b21e4916b2e0d126190d6f7290b496f8c81f0bc4

MD5 hash:

07b080ca07eefd15a74f112cecb149fb

SHA1 hash:

3fcdaa799c738a84da972484cd1602279dabd2ec

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

54f5cf502a7233c7f4a297a9d881ab666a560c4991759155170e21cef8568c72

MD5 hash:

4431c4cb1f3a4af44535f91a72adaca2

SHA1 hash:

0468b43446f98a74f7b1d783d9fcce9226b24c28

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

07259605693f9803dbe4532cdb881cdc6125c2082cf39d5ab9f7539eea667bb0

MD5 hash:

c7b3d755b3330820e3e39d48bf107574

SHA1 hash:

f3b4544c81b6024f4773d812581c7638fddfe33a

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

SH256 hash:

44e401aaf0b52528aa033257c1a1b8a09a2b10edf26edaafcef0f45a2c40e885

MD5 hash:

f71b1d3ea310fd69dd1dbaca46a0c1e4

SHA1 hash:

083aac1d03eeafd27753a23b3037f6cd4e0cd007

Link:

https://www.unpac.me/results/2b928862-0baf-45b1-b0ad-aa4035c07b7c/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/44e401aaf0b5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/44e401aaf0b52528aa033257c1a1b8a09a2b10edf26edaafcef0f45a2c40e885

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/208781/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample