MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 450b8f11dfa06aee1def7d2b49c29d670406b765e9900efe7d1e8bb1ffff486f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 2 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 450b8f11dfa06aee1def7d2b49c29d670406b765e9900efe7d1e8bb1ffff486f
SHA3-384 hash: 0fb2d6bd125471b42273a69afc0d9c83e956ef89310c7dba39eace9349fbd4963f0fb397abaaf938115b2d14637db26e
SHA1 hash: d40d5f1f00f9ac49762f6d40a1f7e0102f9e2590
MD5 hash: 99281465e23f346ffec5c0dd3964a053
humanhash: comet-stream-happy-low
File name:99281465E23F346FFEC5C0DD3964A053.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'500'529 bytes
First seen:2021-08-19 01:25:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:9g//MbAdFB0t7G6GE9DruSaMR/Emz+Q5Zv894VOrB4+L12hKynFoFZvBrWwb1:y3Jz6D9GjUzBE4wiYo4pZvJ1
Threatray 1'072 similar samples on MalwareBazaar
TLSH T126C533462490A73BEAA00EF1DC2976175D689243847C67CB7B34331E7F57A30895EBA3
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.53.46.33/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.53.46.33/ https://threatfox.abuse.ch/ioc/192020/
89.38.131.227:47427 https://threatfox.abuse.ch/ioc/192182/

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180484/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Reading critical registry keys
Delayed reading of the file
Deleting a recently created file
Creating a window
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Unauthorized injection to a recently created process
Stealing user critical data
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88e5922f-2295-4287-baa2-bdefe7762a3a
Result
Threat name:
Cryptbot RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835448
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Cryptbot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 467879 Sample: 5ZZqs1PBjq.exe Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 77 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->77 79 88.99.66.31 HETZNER-ASDE Germany 2->79 125 Malicious sample detected (through community Yara rule) 2->125 127 Antivirus detection for URL or domain 2->127 129 Antivirus detection for dropped file 2->129 131 15 other signatures 2->131 11 5ZZqs1PBjq.exe 10 2->11         started        signatures3 process4 file5 53 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->53 dropped 14 setup_installer.exe 16 11->14         started        process6 file7 55 C:\Users\user\AppData\...\setup_install.exe, PE32 14->55 dropped 57 C:\Users\user\AppData\...\Mon03bcfa6aac.exe, PE32 14->57 dropped 59 C:\Users\user\...\Mon039408d622242f.exe, PE32+ 14->59 dropped 61 11 other files (3 malicious) 14->61 dropped 17 setup_install.exe 1 14->17         started        process8 dnsIp9 75 127.0.0.1 unknown unknown 17->75 123 Adds a directory exclusion to Windows Defender 17->123 21 cmd.exe 17->21         started        23 cmd.exe 1 17->23         started        25 cmd.exe 1 17->25         started        27 6 other processes 17->27 signatures10 process11 signatures12 30 Mon036765ec49c3.exe 21->30         started        35 Mon034208bb682c9a.exe 23->35         started        37 Mon03bcfa6aac.exe 25->37         started        133 Adds a directory exclusion to Windows Defender 27->133 39 Mon039408d622242f.exe 1 14 27->39         started        41 Mon03727877c5134.exe 2 27->41         started        43 Mon038dbdaf9a6ac148.exe 14 27->43         started        45 powershell.exe 26 27->45         started        process13 dnsIp14 81 185.233.185.134 YURTEH-ASUA Russian Federation 30->81 83 37.0.10.171 WKD-ASIE Netherlands 30->83 87 15 other IPs or domains 30->87 63 C:\Users\...\xBz5mO4ojGKhCX27RUnYi4U3.exe, PE32 30->63 dropped 65 C:\Users\...\sSAzLvFwCrtiveSn9ZRyfjN4.exe, PE32 30->65 dropped 67 C:\Users\...\s4nhGcfgm7dz1x2Eo_0JMYhJ.exe, PE32 30->67 dropped 73 55 other files (49 malicious) 30->73 dropped 97 Drops PE files to the document folder of the user 30->97 99 Creates HTML files with .exe extension (expired dropper behavior) 30->99 101 Tries to harvest and steal browser information (history, passwords, etc) 30->101 103 Disable Windows Defender real time protection (registry) 30->103 105 Detected unpacking (changes PE section rights) 35->105 107 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 35->107 121 3 other signatures 35->121 89 2 other IPs or domains 37->89 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->109 111 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 37->111 113 Tries to steal Crypto Currency Wallets 37->113 91 4 other IPs or domains 39->91 69 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 39->69 dropped 71 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 39->71 dropped 115 Contains functionality to steal Chrome passwords or cookies 39->115 117 Drops PE files to the startup folder 39->117 85 192.168.2.1 unknown unknown 41->85 119 Creates processes via WMI 41->119 47 Mon03727877c5134.exe 41->47         started        93 2 other IPs or domains 43->93 file15 signatures16 process17 dnsIp18 95 172.67.222.125 CLOUDFLARENETUS United States 47->95 51 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 47->51 dropped file19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/450b8f11dfa06aee1def7d2b49c29d670406b765e9900efe7d1e8bb1ffff486f/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 10:12:15 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iufy6eo7ubvo4hpppuvutqu5m4cann3f5gia57t5d2f3d777jbxq._file
Verdict:
malicious
Similar samples:
186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad
RedLineStealer
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
RedLineStealer
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
RedLineStealer
6814143c59108c0010bd29365823a38f61062a1978987b4798671334aa496740
RedLineStealer
8f2789b6a628a92f9f6313305b255c405f867c49161bb864263dcfef5a6f712d
RedLineStealer
9bb77fb3b462b7b52694f0326b83b4f0f47969240e296129cd23da3b2fe98fb0
RedLineStealer
a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
RedLineStealer
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
RedLineStealer
+ 1'062 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:redline family:smokeloader family:vidar botnet:706 botnet:pab3 aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/210819-cn7na6kn72/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
CryptBot
CryptBot Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
lysuht78.top
morisc07.top
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.15:61506
Unpacked files
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
1ab460eac81001bfa0da8cbadfd4fba0ad0f371742a2c725ff5cf71bdd8e2b9f
MD5 hash:
1dc95107f7dd6d1392bb8d9b53b76916
SHA1 hash:
b26f9c90ad4656d2ddf3e96da967e0f65a9623e1
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
d1ff2f8a510fb4d25dd861e4cd5196585ccdd66cd6e941941e13d634da825f32
MD5 hash:
e3ed5e6a62ece3cf158688bce4161fbf
SHA1 hash:
5a8c4dddf69e8650952b0d29987cc6edfe25fb0b
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
ab9bb888f6235eaee1ad52cd9b4d1f960ea09743ff80919d0095383f3683c583
MD5 hash:
eff546ee925781db419befdf93bd045d
SHA1 hash:
1129b509403fa589b50310f99f77c69ecc7f8314
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
baeb5de0eb6fe9913dfc9bd24b77e1ce5a8e0a5ac889bb2ca1554546f577358b
MD5 hash:
7c2a1fabc1bf3b26f30097f03cdc500c
SHA1 hash:
ca9eb6a13a998707ad80a0d91b79f9c0f7049a3b
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
9e25c3f647fbb0e74a3cc54b2423b67369fd054b7477a8e06117a60958b91bad
MD5 hash:
f2dcdfc78576d58f758e95afecacd1cc
SHA1 hash:
89d37ba7d1ac881b8cc7d6b711d9a523801f72fb
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
dd4715f5607a6079fefbea44b2b375b90bac5e315c5770d59a8882864e0acba3
MD5 hash:
59602205d2469abd6c47c7cab90fe60c
SHA1 hash:
659a57c8133148dafeab878b3fb0d3374cb6bf7b
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
fa9dbb445390f574601e9503a80fcec0088f7cb7f2b53e9d688ea96ef4ab1602
MD5 hash:
eb6ee5cd1d0c7adf1f67833ed3705b1f
SHA1 hash:
900e066405752dc614320cc94c4e3d6ad9a2734f
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
a49ae7155dfc48ec360cc92b7f9906232121c46639acaa84690d1c49051574c8
MD5 hash:
158fe1aadf0c738824e913aaf8314035
SHA1 hash:
5c80665fe3d244bc1ff203f9e091121dd5086f69
Detections:
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
Parent samples :
450b8f11dfa06aee1def7d2b49c29d670406b765e9900efe7d1e8bb1ffff486f
3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
aa9830b26f9c0db4c3da3c04a96199550b57251b56f8c4ccb922b264a24e8de1
44f3c573b5d6d77d97c2ebf5d4a235da5aed3a18eb5b76ea420d262df0f3a826
SH256 hash:
30a42a64020f003c24aee25591417d289e03acad63fc61c6c1b15dfbbc4ae953
MD5 hash:
608b6491a1c90bf0114e0be078d7d9fc
SHA1 hash:
107a40f2ff78d43f85b1d00f3faf66ed7554fcaf
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
481b565472f6b27d3120d24dc3c41c7aa5bb23bb34e988e01c76b88a16a988cb
MD5 hash:
52a5e31dc55c2ae0d8d87ea976abd677
SHA1 hash:
40e2a720c3b1ffd2df00417431880bb28cfb8a8c
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
f4c272addea1b2efaef9f7292dd2cc25613a0cde360cf3c7f359d4079047195e
MD5 hash:
5b9ba234534f014cf4cc7ab7f8eb8690
SHA1 hash:
e1323843bd25b163b69bc388b7a41c258db4e1b4
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
SH256 hash:
450b8f11dfa06aee1def7d2b49c29d670406b765e9900efe7d1e8bb1ffff486f
MD5 hash:
99281465e23f346ffec5c0dd3964a053
SHA1 hash:
d40d5f1f00f9ac49762f6d40a1f7e0102f9e2590
Link:
https://www.unpac.me/results/4982a21d-c29a-4525-a791-067b7eac37ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/450b8f11dfa06aee1def7d2b49c29d670406b765e9900efe7d1e8bb1ffff486f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_cryptbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cryptbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180484/

Comments