MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 530e0002c120d13962f54641655060f420625a3ee39b740dac62a644bda96ede. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 12
| SHA256 hash: | 530e0002c120d13962f54641655060f420625a3ee39b740dac62a644bda96ede |
|---|---|
| SHA3-384 hash: | 0de8942c27aea32bc12a3f0649888af4e53445af9eac5df0de0ef73d0f3a198e6b567f15074d22aa312026289f7a14c8 |
| SHA1 hash: | 21003f104ad009faeacad105d55901c44bf173c4 |
| MD5 hash: | a8189f9faac3bd2f1b8ef9de7138ec33 |
| humanhash: | green-delaware-coffee-mexico |
| File name: | a8189f9faac3bd2f1b8ef9de7138ec33.exe |
| Download: | download sample |
| Signature | RedLineStealer |
| File size: | 6'812'989 bytes |
| First seen: | 2021-12-19 04:31:25 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer) |
| ssdeep | 196608:xKLUCga8PB48QZRb0dC6x8n3RFOymHq1qr6Xkqo8gQXogOPD:xKdgaS68sY/GhFOTK1HkqobQXogeD |
| TLSH | T1136633543D98D1FEE7450D30DF84DA72A4F88A989760EEE3E7C178886F74296202E5C7 |
| File icon (PE): |  |
| dhash icon | 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox) |
| Reporter |  abuse_ch |
| Tags: | exe RedLineStealer |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| 45.9.20.240:46257 | https://threatfox.abuse.ch/ioc/277335/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLInjector03
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
arkeistealer barys mokes overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Backstage Stealer SmokeLoader Socelars V
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Threat name:
Win32.Backdoor.Zapchast
Status:
Malicious
First seen:
2021-12-17 02:35:00 UTC
File Type:
PE (Exe)
Extracted files:
304
AV detection:
23 of 28 (82.14%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
ryuk
Result
Malware family:
vidar
Score:
10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:915 botnet:media16n botnet:v3user1 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.biohazardgraphics.com/
https://noc.social/@sergeev46
https://c.im/@sergeev47
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
159.69.246.184:13127
65.108.69.168:13293
https://noc.social/@sergeev46
https://c.im/@sergeev47
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
159.69.246.184:13127
65.108.69.168:13293
Unpacked files
SH256 hash:
e7b8877389f0bfb5fb95f08a799a0e7d06a2f7161a0287552ff3eadf06bd1dd1
MD5 hash:
e9eb471509abbfb4456285e82b25d1c9
SHA1 hash:
b96ef576c147ea8a1b3e0bd5430117ba9ad31096
SH256 hash:
a6fe15069a6ea98b42471503e427375cdf14b92fd6bf6f69a21dbe2e1a675c98
MD5 hash:
26f0fa618a849f4c2c8a054bb41583d2
SHA1 hash:
2d34f74fafe0c0042e567858ed8a8601ce250d14
SH256 hash:
de97b6f316e9965dd362c60a734b5fb028a48debf7c37b6eb3d7a1936a8684b4
MD5 hash:
170f298b03cc53b23412bff2f6cd58c1
SHA1 hash:
e86186581f03a945386bd3356ad1fa4e363161c2
SH256 hash:
1b7ec4b2c8faccbc0ecdf81bb34c7ebe5e9ef6d2ee9d1ec13860672407c218f8
MD5 hash:
7f1129c928a580282af8280501b66253
SHA1 hash:
e782ae50667f669a62332cd3f517c137eb37c376
SH256 hash:
d5a85cb1c8e0ca4ff26b10981865245e6338d3e1d0b099060b2da05106c8c63e
MD5 hash:
32e7a1755f4801c31cef6424741e69f2
SHA1 hash:
e6f01f00f7803bebc61952b67d14bc022a46d503
SH256 hash:
7fe3f488a2ac6b5648716f4bdd496915c461d3e4df961fb921db50c21b7f660b
MD5 hash:
8b911d6d6ffb72f5f8a54ca8a25b69f5
SHA1 hash:
c4a934507ba5d2e1a28a1a1c128f46adb70e8975
SH256 hash:
ec8dd6f231977cfbfda8a93026b6de21b8b348d3c4b50ee7d14558e262d458bd
MD5 hash:
17aed25a1524e588ed39d9772fb54bd9
SHA1 hash:
c2a4ae84a51468b0412a2f314ee4b7cd3d1696ee
SH256 hash:
772640f74c9365475f0122224704c230a362ca538934218142716c7b0fe4e956
MD5 hash:
8e991f1ad286f20c722807ba9bb6393a
SHA1 hash:
bc0138b868645decc28b317ad195b4de1d1e7e2b
SH256 hash:
8deaf50a725619537695eae5b4bef370705eecec40882ceeb24869737777fe6d
MD5 hash:
3c3a6283fe69a7c706401b6952d6f8e9
SHA1 hash:
ba6c6285f055712ff238ec06a412b07137e15d22
SH256 hash:
fb5e44afa9b86e8d68f158b58036682dc28b8e3ed0d5391ffcd246f5bd8dec99
MD5 hash:
4c120576caedf379e15621df6328dfc0
SHA1 hash:
af3ddbcb753c2609d1b1c0985984a0957d9d0d0f
SH256 hash:
99f0b7f3850cf910e41e4f5ddb3a0dc31b8aacbd786ac4baf2d8da957688934f
MD5 hash:
081b25efff8d8aa6270f74b2785c3aec
SHA1 hash:
a516b6adca827f8f22579a56b7edec4816d4bcce
SH256 hash:
505525d02e8a74b722bab1f9c575b129d262d26f2bbf992d7d6cd061d12f5774
MD5 hash:
74b7db6bacb3c950c5db479bf728cf21
SHA1 hash:
a11f635ab3cba8cd9d7434ab2df55c706a424a3d
SH256 hash:
ceeedbba092ea2e6661cbcca2d6b153926632221602ea292641b544cca9a5e95
MD5 hash:
cdcb3963993e2c3f3b00c21a122fdfb5
SHA1 hash:
8e680465b3a1112de13b76539a073fad0b2b423c
SH256 hash:
dcc1725b855ec8f21f1a78a72bc3951682a20709b129d16051cbbbfca2361c2a
MD5 hash:
851857aa313098b41716720126d1e9e1
SHA1 hash:
748d3a025f04a0526678af71a341097570c88e7e
SH256 hash:
7ce7b48690678b44c53a5511f3dd22871637b33e4ccc0a56bb934c7e87c5e8e3
MD5 hash:
69662c82d93044ae0ba449452bb041aa
SHA1 hash:
1124213f82331b4281562665bf0c504dbe36cc31
SH256 hash:
a3ac94323b95cfdc334dcfb7ec52aaad4fe2940a4bc154e988aa753cbed1e1a0
MD5 hash:
acfe6afb1b5fb76cf4ae7c7de4571877
SHA1 hash:
0e2eb9897aa28aa9f9487841cbef6711662a1495
SH256 hash:
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash:
ded1c6e8c89148495fc19734e47b664d
SHA1 hash:
3a444aeacd154f8d66bca8a98615765c25eb3d41
SH256 hash:
012c3d22b5374c4f595fcf1986bf2a67697f322f36e8bb6456809334f98f5781
MD5 hash:
8bacb64db8fb73308faefd14b863fd43
SHA1 hash:
c5bf54f8b9cc198d6d380f3ee7a74df2feadf32a
SH256 hash:
9dac78cf97a753e813b02cb654f076cdea03155bc9a98ed64ec248729ead52ec
MD5 hash:
29fa5c5ade39d4ae5a0f564949278923
SHA1 hash:
376051004220051779d97fcb44065a8724de370b
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
SH256 hash:
fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b
MD5 hash:
a6865d7dffcc927d975be63b76147e20
SHA1 hash:
28e7edab84163cc2d0c864820bef89bae6f56bf8
SH256 hash:
8a6e94dc7e45b8fa8ef520c5fdc283c3ea522ac88dfcf9c5cdb9924a8b4910da
MD5 hash:
8a3324a3a37ed1546b2bd7756a6e62a5
SHA1 hash:
ea8556905585805aca15f8af40bd0ccd8dd05317
SH256 hash:
b8acc1c748d7e3342609776681deaa9a936b0c2988893b83853a02ed5a22be9a
MD5 hash:
3ea9f29bbd04a3956fb3e6ba9f90e530
SHA1 hash:
f19698d92fd1192f12b11bc50c17fe429567bd60
SH256 hash:
b2f383bf7f45d222a7607ac2df262a8b12752f6bb2dd963897d24d103c4da1b0
MD5 hash:
493306cc212e55a9676e8c4394a1d895
SHA1 hash:
3e0a7bb2a8f5cd4795bec156ec773158bfce3373
SH256 hash:
e76ce4fcf0b6c15b414431f14872263e2423710d665f57173dbb9d40bdb853bb
MD5 hash:
f26390aaa12b8602275885ad1e156c7a
SHA1 hash:
e8eb041563f765a5d5fda946ce3a9619496bff8e
SH256 hash:
cc00a6a461d59959c58e85191fc42c1a63c7dc8fbf577cdfc0e59c0c24b0644b
MD5 hash:
89e8f115b3c4b3f74350f39ef064f8f1
SHA1 hash:
b25d98d9d2cd1bbf362a65ef672644c14577b99d
SH256 hash:
87fe220a5c5ada3e91c769b661a1b990aa2db34a660e43a546578b8ccbba00be
MD5 hash:
078d51402b9a45719554e3708f076cf2
SHA1 hash:
f42082a96ee88f6cce5f1e084b427fc538f8360e
SH256 hash:
784f16c1095a82f3595303e3fde40bfc129e1e74dc69305029b918f430c98fef
MD5 hash:
baf9daa3af36c985fac439c0ca4417fb
SHA1 hash:
d07adafdb7e02104bd3073b6f0a75a6ace076c1c
SH256 hash:
530e0002c120d13962f54641655060f420625a3ee39b740dac62a644bda96ede
MD5 hash:
a8189f9faac3bd2f1b8ef9de7138ec33
SHA1 hash:
21003f104ad009faeacad105d55901c44bf173c4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.