MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4
SHA3-384 hash: 85f4af57a78dd355fa22afac9fd7da293d59e817eb751d7d4e42a86eca954b362f0f6ec2feac5e313ffc6f5945041adf
SHA1 hash: 9910dbddb71ce11fec02953ebd29b2ba3b1a6247
MD5 hash: 7164c297181394bbccb68090346d1742
humanhash: london-india-wolfram-early
File name:7164c297181394bbccb68090346d1742
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'827'125 bytes
First seen:2021-06-12 06:25:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 98304:pAI+fK9oO80oajzM5cGJbTIiDOPNUB+BZcSj9PdkQmW5sMxIRgbe9aVsSnX:ityocoSzMfJbTIiDOVcYtdklWPeIeQVN
TLSH A946333B23A2D279C0221D740DAFA1F6F974A6441B7558CF69DE4DA468337DD0F2A283
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7164c297181394bbccb68090346d1742
Verdict:
No threats detected
Analysis date:
2021-06-12 06:26:08 UTC
Tags:
installer
Link:
https://app.any.run/tasks/f1d0f17c-239a-4362-b1ec-26d76674a90b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/166225/
Detection(s):
Win.Malware.Fabookie-9797757-0
Create hunting rule

Win.Malware.Ekstak-9842676-0
Create hunting rule

Win.Malware.Generic-9849070-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Searching for the window
Creating a file
Creating a file in the Windows subdirectories
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching a process
Sending a custom TCP request
Connecting to a non-recommended domain
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55f4b4af-9dee-4f96-a385-8514bd173a6d
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/801125
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 433521 Sample: Mv1cu7Adsm Startdate: 12/06/2021 Architecture: WINDOWS Score: 100 221 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->221 223 Multi AV Scanner detection for domain / URL 2->223 225 Found malware configuration 2->225 227 14 other signatures 2->227 11 Mv1cu7Adsm.exe 14 13 2->11         started        14 Caemolemimy.exe 2->14         started        process3 dnsIp4 177 C:\Program Files (x86)\...\lylal220.exe, PE32 11->177 dropped 179 C:\Program Files (x86)\...\hjjgaa.exe, PE32 11->179 dropped 181 C:\Program Files (x86)\...\guihuali-game.exe, PE32 11->181 dropped 187 3 other files (2 malicious) 11->187 dropped 17 guihuali-game.exe 6 11->17         started        20 LabPicV3.exe 2 11->20         started        22 RunWW.exe 90 11->22         started        26 2 other processes 11->26 219 216.58.214.206 GOOGLEUS United States 14->219 183 C:\Program Files (x86)\...\Windows Update.exe, PE32 14->183 dropped 185 C:\...\Windows Update.exe.config, XML 14->185 dropped file5 process6 dnsIp7 107 C:\Users\user\AppData\Local\...\install.dll, PE32 17->107 dropped 109 C:\Users\user\AppData\...\adobe_caps.dll, PE32 17->109 dropped 28 rundll32.exe 17->28         started        31 conhost.exe 17->31         started        111 C:\Users\user\AppData\Local\...\LabPicV3.tmp, PE32 20->111 dropped 33 LabPicV3.tmp 3 19 20->33         started        201 159.69.20.131 HETZNER-ASDE Germany 22->201 203 74.114.154.18 AUTOMATTICUS Canada 22->203 113 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 22->113 dropped 115 C:\Users\user\AppData\...\mozglue[1].dll, PE32 22->115 dropped 117 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 22->117 dropped 123 9 other files (none is malicious) 22->123 dropped 231 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->231 233 Tries to harvest and steal browser information (history, passwords, etc) 22->233 235 Tries to steal Crypto Currency Wallets 22->235 37 cmd.exe 22->37         started        205 ip-api.com 208.95.112.1, 49738, 80 TUT-ASUS United States 26->205 207 88.99.66.31 HETZNER-ASDE Germany 26->207 209 3 other IPs or domains 26->209 119 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 26->119 dropped 121 C:\Users\user\AppData\Local\...\lylal220.tmp, PE32 26->121 dropped 39 lylal220.tmp 26->39         started        41 jfiag3g_gg.exe 1 26->41         started        43 jfiag3g_gg.exe 26->43         started        45 jfiag3g_gg.exe 26->45         started        file8 signatures9 process10 dnsIp11 237 Writes to foreign memory regions 28->237 239 Allocates memory in foreign processes 28->239 241 Creates a thread in another existing process (thread injection) 28->241 47 svchost.exe 28->47 injected 50 svchost.exe 28->50 injected 52 svchost.exe 28->52 injected 66 2 other processes 28->66 189 cor-tips.com 198.54.116.159, 49741, 49742, 80 NAMECHEAP-NETUS United States 33->189 125 C:\Users\user\AppData\...\_____________.exe, PE32 33->125 dropped 127 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 33->127 dropped 129 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 33->129 dropped 131 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 33->131 dropped 54 _____________.exe 33->54         started        58 conhost.exe 37->58         started        60 taskkill.exe 37->60         started        62 timeout.exe 37->62         started        133 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 39->133 dropped 135 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 39->135 dropped 137 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 39->137 dropped 139 C:\Users\...\56FT____________________.exe, PE32 39->139 dropped 64 56FT____________________.exe 39->64         started        243 Tries to harvest and steal browser information (history, passwords, etc) 41->243 191 192.168.2.1 unknown unknown 43->191 file12 signatures13 process14 dnsIp15 245 System process connects to network (likely due to code injection or exploit) 47->245 247 Sets debug register (to hijack the execution of another thread) 47->247 249 Modifies the context of a thread in another process (thread injection) 47->249 68 svchost.exe 47->68         started        72 svchost.exe 47->72         started        211 2.20.142.210 AKAMAI-ASN1EU European Union 54->211 213 162.0.210.44 ACPCA Canada 54->213 215 162.0.220.187 ACPCA Canada 54->215 141 C:\Program Files (x86)\...\Caemolemimy.exe, PE32 54->141 dropped 143 C:\...\Caemolemimy.exe.config, XML 54->143 dropped 145 C:\Users\user\AppData\Local\...\prolab.exe, PE32 54->145 dropped 153 2 other files (none is malicious) 54->153 dropped 251 Detected unpacking (overwrites its own PE header) 54->251 74 prolab.exe 54->74         started        77 Xigajahale.exe 54->77         started        79 Caetejyhahy.exe 54->79         started        217 2.20.142.209 AKAMAI-ASN1EU European Union 64->217 147 C:\Program Files (x86)\Java\Haeqotywalu.exe, PE32 64->147 dropped 149 C:\...\Haeqotywalu.exe.config, XML 64->149 dropped 151 C:\Users\user\AppData\Local\...\irecord.exe, PE32 64->151 dropped 155 2 other files (none is malicious) 64->155 dropped 81 irecord.exe 64->81         started        83 Wyshysaezhego.exe 64->83         started        85 Wepewyraemo.exe 64->85         started        file16 signatures17 process18 dnsIp19 193 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 68->193 229 Query firmware table information (likely to detect VMs) 68->229 173 C:\Users\user\AppData\Local\...\prolab.tmp, PE32 74->173 dropped 87 prolab.tmp 74->87         started        195 142.250.180.196 GOOGLEUS United States 77->195 90 iexplore.exe 77->90         started        92 iexplore.exe 77->92         started        94 iexplore.exe 77->94         started        98 3 other processes 77->98 175 C:\Users\user\AppData\Local\...\irecord.tmp, PE32 81->175 dropped 96 irecord.tmp 81->96         started        file20 signatures21 process22 file23 157 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 87->157 dropped 159 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 87->159 dropped 161 C:\Program Files (x86)\...\is-O7OTH.tmp, PE32 87->161 dropped 169 8 other files (none is malicious) 87->169 dropped 100 iexplore.exe 90->100         started        103 iexplore.exe 92->103         started        163 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 96->163 dropped 165 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 96->165 dropped 167 C:\Program Files (x86)\...\is-S0713.tmp, PE32 96->167 dropped 171 13 other files (none is malicious) 96->171 dropped 105 i-record.exe 96->105         started        process24 dnsIp25 197 192.243.59.12 ADVANCEDHOSTERS-ASNL Dominica 100->197 199 139.45.197.236 RETN-ASEU Netherlands 103->199
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-06-12 06:26:19 UTC
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kmkrd2k7qxs73bquykg57vh5jbyin26t6zllmikedgdw74nnhpsa._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:danabot family:plugx family:vidar botnet:3 banker discovery evasion persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210612-jb8aphqn7x/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Vidar Stealer
Danabot
PlugX
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
192.210.198.12:443
37.220.31.50:443
184.95.51.183:443
184.95.51.175:443
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/a256d15f-5d83-48f0-97a8-6dfbde9701f7/
SH256 hash:
01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7
MD5 hash:
5e6df381ce1c9102799350b7033e41df
SHA1 hash:
f8a4012c9547d9bb2faecfba75fc69407aaec288
Link:
https://www.unpac.me/results/a256d15f-5d83-48f0-97a8-6dfbde9701f7/
SH256 hash:
b26d99296cc1f38ad735c36a305eb206b8a9022e92b463886ed918f42dee0b04
MD5 hash:
9decb9ebf19e4e45bd75f175140e1018
SHA1 hash:
c9d35d2bc78dd37270dbe17f2555324c6f560d11
Link:
https://www.unpac.me/results/a256d15f-5d83-48f0-97a8-6dfbde9701f7/
SH256 hash:
cadbb01787c53052f997a4fc593c595eae1127044f5bac267d6d38998f8783b0
MD5 hash:
f4510542c81252e1f89882ae0cd43529
SHA1 hash:
a218cb5d8e7c8f9ea5fe44e72929c58212e01771
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/a256d15f-5d83-48f0-97a8-6dfbde9701f7/
Parent samples :
531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4
24e73e485857368cf7ec4e1b44b5d9cf86a16fbb8eafd89626b47703256db22d
739ea02b27b4ddb79ba40418fe09fbdd723b73ad8dabf5f2706f02e1248197dd
9fdac966350f89fd6b341097a4551fc9cda6abd1e0ccaf92acdee5ca54960367
9217d926826128058e86a2a2bba020ea38062503648e320194b22d1ade0ffee9
SH256 hash:
0415332f2751c0d24308e384d4d5e5d783659aee68193c50cca8ef03e7187ff9
MD5 hash:
7b38f786a4e08420d4415be43289a9a3
SHA1 hash:
aec0f2f8583dc9f51eba2d4cc3765d9ded875102
Link:
https://www.unpac.me/results/a256d15f-5d83-48f0-97a8-6dfbde9701f7/
SH256 hash:
cb09a04695bf95bd4bd6ed3838d0ba00d4360eae5e37335a438ca9b32ebbe395
MD5 hash:
51a5d541d10daf2687f2a41501ab5b01
SHA1 hash:
113b148abf28aa0805a669019137c39e6f31a070
Link:
https://www.unpac.me/results/a256d15f-5d83-48f0-97a8-6dfbde9701f7/
SH256 hash:
c8c3382f62ada1e75acd90d6cd03241eee6b01251334cefea2eeba1c1c13e3a7
MD5 hash:
4e72278998159c781b15bcbf43f3f01a
SHA1 hash:
f810cbff0afba1223fb32c22dba437f6f9b1900c
Link:
https://www.unpac.me/results/a256d15f-5d83-48f0-97a8-6dfbde9701f7/
SH256 hash:
531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4
MD5 hash:
7164c297181394bbccb68090346d1742
SHA1 hash:
9910dbddb71ce11fec02953ebd29b2ba3b1a6247
Link:
https://www.unpac.me/results/a256d15f-5d83-48f0-97a8-6dfbde9701f7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1356451/
Cape
Cape
https://www.capesandbox.com/analysis/166225/

Comments