MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
SHA3-384 hash: 6bd4e3e2717f45ac551c98206d9fa4eaac5e4b9251d93b7bd86d5f97257b4654d63c50d53d059adee438ace5bc85e4ed
SHA1 hash: 7751ce911e1b45f925f214fe1fb6b96e5fd9204d
MD5 hash: abf60d26f7062fa3ed554d4ed437c8f9
humanhash: salami-salami-north-arkansas
File name:abf60d26f7062fa3ed554d4ed437c8f9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:14'424'344 bytes
First seen:2021-12-31 21:05:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 393216:xkY58Sudkv7xjt2H69ZahHIqLWiMtrLeYqWia3Je:66EdkvRsNPLWiuLiXt
Threatray 906 similar samples on MalwareBazaar
TLSH T192E633793AF096A3D90244B1DFA9E2DBB23F54A14A447187D310B1F86F38596F64BE0C
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
88.99.35.59:63020

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
88.99.35.59:63020 https://threatfox.abuse.ch/ioc/290203/

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
arkeistealer barys mokes overlay packed
Link:
https://www.filescan.io/uploads/61cf70beec6c6c14a90187a3/reports/ab62a277-6c1c-4155-9aca-ea6895113dc3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f5eb5d2-8efc-42af-86d7-7c206aa14c73
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914363
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disables Windows Defender (via service or powershell)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Shell32 DLL Execution in Suspicious Directory
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 546841 Sample: WiLIUq6inF.exe Startdate: 31/12/2021 Architecture: WINDOWS Score: 100 71 190.107.133.19 TelguaGT Honduras 2->71 73 ip-api.com 208.95.112.1, 49765, 80 TUT-ASUS United States 2->73 75 14 other IPs or domains 2->75 95 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->95 97 Multi AV Scanner detection for domain / URL 2->97 99 Antivirus detection for URL or domain 2->99 101 25 other signatures 2->101 10 WiLIUq6inF.exe 23 2->10         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\setup_install.exe, PE32 10->45 dropped 47 C:\Users\user\AppData\...\Wed06efec13c3f.exe, PE32 10->47 dropped 49 C:\Users\user\AppData\...\Wed06e8d5075f3.exe, PE32 10->49 dropped 51 16 other files (7 malicious) 10->51 dropped 13 setup_install.exe 1 10->13         started        process6 dnsIp7 89 hornygl.xyz 172.67.202.104, 49758, 80 CLOUDFLARENETUS United States 13->89 91 127.0.0.1 unknown unknown 13->91 93 192.168.2.1 unknown unknown 13->93 133 Performs DNS queries to domains with low reputation 13->133 135 Adds a directory exclusion to Windows Defender 13->135 137 Disables Windows Defender (via service or powershell) 13->137 17 cmd.exe 13->17         started        19 cmd.exe 1 13->19         started        21 cmd.exe 13->21         started        23 13 other processes 13->23 signatures8 process9 signatures10 26 Wed06efec13c3f.exe 17->26         started        31 Wed069fcc26fbe1081.exe 22 19->31         started        33 Wed0685687174402079e.exe 21->33         started        103 Adds a directory exclusion to Windows Defender 23->103 105 Disables Windows Defender (via service or powershell) 23->105 35 Wed06b327d566df8.exe 23->35         started        37 Wed062a822126.exe 23->37         started        39 Wed06e8d5075f3.exe 23->39         started        41 7 other processes 23->41 process11 dnsIp12 77 65.108.180.72, 49763, 80 ALABANZA-BALTUS United States 26->77 79 mstdn.social 116.202.14.219, 443, 49760 HETZNER-ASDE Germany 26->79 65 12 other files (none is malicious) 26->65 dropped 107 Detected unpacking (changes PE section rights) 26->107 109 Detected unpacking (overwrites its own PE header) 26->109 111 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->111 129 2 other signatures 26->129 81 n4flb.net 192.185.5.67, 49753, 49761, 80 UNIFIEDLAYER-AS-1US United States 31->81 83 iplogger.org 148.251.234.83, 443, 49752, 49764 HETZNER-ASDE Germany 31->83 53 C:\Users\user\AppData\Local\...\fw5[1].exe, PE32 31->53 dropped 55 C:\Users\user\AppData\Local\...\fw3[1].exe, PE32 31->55 dropped 57 C:\Users\user\AppData\Local\...\fw4[1].exe, PE32+ 31->57 dropped 67 3 other files (none is malicious) 31->67 dropped 113 May check the online IP address of the machine 31->113 115 Machine Learning detection for dropped file 31->115 117 Contains functionality to inject code into remote processes 31->117 119 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 33->119 121 Maps a DLL or memory area into another process 33->121 131 2 other signatures 33->131 123 Sample uses process hollowing technique 35->123 125 Injects a PE file into a foreign processes 35->125 59 C:\Users\user\AppData\...\Wed06e8d5075f3.tmp, PE32 39->59 dropped 127 Obfuscated command line found 39->127 85 104.21.34.205 CLOUDFLARENETUS United States 41->85 87 www.listincode.com 149.28.253.196, 443, 49759 AS-CHOOPAUS United States 41->87 61 C:\Users\user\AppData\Local\Temp\3Guvt.cpl, PE32 41->61 dropped 63 86928bfd-db51-4e05-ac66-2dd96e53e435.exe, PE32 41->63 dropped 69 2 other files (1 malicious) 41->69 dropped 43 control.exe 41->43         started        file13 signatures14 process15
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800/
Threat name:
Win32.Trojan.ArkeiStealer
Create hunting rule
Status:
Malicious
First seen:
2021-12-29 18:05:13 UTC
File Type:
PE (Exe)
Extracted files:
479
AV detection:
26 of 43 (60.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jathxatpu7waz2ul5b4ps6njm7ikbeomz2u7ejvnrwd3fhojjaaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
raccoon
Create hunting rule
trickbot
Create hunting rule
Similar samples:
10eb78f5a36f8ca290bf100f6f05d7a04489cef0023e86860062d6d03e6fa9ed
RedLineStealer
1d7c3a08d1e69e704039850f64a88363fc6c9f3721907aa3c0d8165ae20de3a1
RedLineStealer
6e662c3d403396c5bfec2b051dd49b39662c3ff80f39c16ece3ebc2e1c469208
RedLineStealer
a2f9f5a099a6b1c2ba6789effefa150aec52c5587e85df9a6963fd03b55d4d57
RedLineStealer
a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6
RedLineStealer
bcfa6e6fb8a5b32e164fd8a7b49d448e65482fae38fe17e48cc35cb6427a360e
RedLineStealer
cc2d611eb3f0e462f0c136b1664348fc05669fbac46ebb4b28c900c4dff94318
RedLineStealer
cebf4c9af84506f3b683d5d4867b739244b6ba595772d583b3455781c4d91b74
RedLineStealer
fea660657f6285124e61fe5dcafe9374344d941e6fbeaa89f3a2640572ccc784
RedLineStealer
+ 896 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:socelars family:vidar family:xmrig botnet:915 aspackv2 backdoor discovery miner persistence spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/211231-zxq9rahca5/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
XMRig Miner Payload
Process spawned unexpected child process
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
xmrig
Malware Config
C2 Extraction:
http://www.chosenncrowned.com/
https://mstdn.social/@kipriauk9
https://qoto.org/@kipriauk8
http://melchen-testet.at/upload/
http://zjymf.com/upload/
http://pbxbmu70275.cn/upload/
http://mnenenravitsya.ru/upload/
http://pitersprav.ru/upload/
Unpacked files
SH256 hash:
7e4c288f060981b8cfd9c908997578b69ffc16438672f065bd50784fab3edcca
MD5 hash:
d7159e861f2881a05ace80394d805087
SHA1 hash:
3dcf96205f2a95ffdb3c463c264b68d7babe03a8
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
0efac9c1f24c44e5265ba1c8a80e0169d8b4aa6e8df218c524c57942c246f578
MD5 hash:
3d3b789155f41db5f058047d8e78a552
SHA1 hash:
c2f8488bf2c823bd165f1a41b53427ca1b24acb4
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
7dce97154d24b9982361a37133e35aaf9106f3836bb48e27dd7daea568e75378
MD5 hash:
dd601e359de7b856efc57a630f90554e
SHA1 hash:
97995811c6bbb33ea6bf7cf808570dc6b15ed6e0
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
673d3ac584eac9a13df6885bedca1c421783bc52ba0f1ae805154850a0ae62bc
MD5 hash:
06d0483ff6b1a8068b807fcf155f1682
SHA1 hash:
1a605ba4af2781a515bd5044f5ca09427cf80922
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
Parent samples :
48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
7b24f14ce1d2cb622d41c4f8b6fe23edb1471ede00b0b0e8c6c37d8379f5f58a
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
012c3d22b5374c4f595fcf1986bf2a67697f322f36e8bb6456809334f98f5781
MD5 hash:
8bacb64db8fb73308faefd14b863fd43
SHA1 hash:
c5bf54f8b9cc198d6d380f3ee7a74df2feadf32a
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
9dac78cf97a753e813b02cb654f076cdea03155bc9a98ed64ec248729ead52ec
MD5 hash:
29fa5c5ade39d4ae5a0f564949278923
SHA1 hash:
376051004220051779d97fcb44065a8724de370b
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
4f7016fb630595204b4cb47d03f4cdf9a75597d2586fa9bbd244a0407a567748
MD5 hash:
ec94b9dbbb8502ae096f9d7e1f33901c
SHA1 hash:
d5f73eaaa6df419e83bb2c58f30d28ba2e348b72
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
Parent samples :
e4fb57012d7a31e6511c4bac952323093e8bb51f138841f994f58259162dfd6e
24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
SH256 hash:
04e582850441e36ea75efefc30fdf7c7619cc4dd9b7931e32badb19491ae7ff8
MD5 hash:
4c08e664bf367d0558316ebcac26cf9e
SHA1 hash:
32148c45ec823838f426bd91d43693d7ef3dd821
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
cb96b418b1a0afa5c55aeb4ac231387d651d4a625739955b378f28947795378a
MD5 hash:
9f21f96d35113ad8411d781482bd7d6d
SHA1 hash:
c82bee35fcf7f32fc480af5772571e35b99f5783
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
38d7d3b90e6943b81f3a4124e820dab00e83afaeb8be7eb3a4171d3140c91a3d
MD5 hash:
f712020db6e31b69900b86d69779a046
SHA1 hash:
85b8baf8a814aa0fe234a30b9a682bdcd78a1dd4
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
05578614aa84a61232fb95a5c08d2eb0a64fdbedf12fda22a1d508bd57ac4682
MD5 hash:
de440f9a3bf65d5018617785c4fe9356
SHA1 hash:
3e7be083bcecf13d78ea4029d38c11ad608b7408
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
0f4d75d5f326849567ceca7cdfae14987399acba3f1387be8b044cb4162db8af
MD5 hash:
fae12cbad3757f6508f72891ff6be0c1
SHA1 hash:
65da660f49948dc2343f238e0e1aa49ceef170fc
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
7ae47826ac78093ad204672394e3f6cbed10c9c28513b7813bc5a96ffda63658
MD5 hash:
c115f08f004a80b19c3bc646c91f3873
SHA1 hash:
82908dc17391a85f0699b18ba40219f5cb90c007
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
67964c15fcb8b1bb236f6b5187f831deb7fed27331473fb9ac9151b54283d631
MD5 hash:
3ad6ce4b97b1678a53b35abc093e0716
SHA1 hash:
43cee3950cb41184f4d579922ad0323b7edee335
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
3faf71242ecab4d2629daaf0d2938c2fde0b15d6a5730b12d71cf1281b1f1c87
MD5 hash:
3e2feed3112b44369d9b389e167d4334
SHA1 hash:
92411269e6726d9ef0e345637aedcc1f9ac83018
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
8a634cd72c0d75a7d7f3c5937771d31c16ab16b95d3cf3e5a1e047c6cb2beb40
MD5 hash:
9d3ff535d005b9e17b6212bb8506c01a
SHA1 hash:
ae16b00bf88a3455a95f2c919b98c295c587b838
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
52b9f76a3d8e919e0c978e6c8581f75ce4edace63caf1e44a10b42419cab8b48
MD5 hash:
42cc4f6aabdb36e4a26e2a383f318fe8
SHA1 hash:
8ce4f4f3d74213fc1553a88771d1f293296b56e8
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
SH256 hash:
48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
MD5 hash:
abf60d26f7062fa3ed554d4ed437c8f9
SHA1 hash:
7751ce911e1b45f925f214fe1fb6b96e5fd9204d
Link:
https://www.unpac.me/results/0743ee33-3e76-4ce8-b218-7df02fabbe64/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments