MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
SHA3-384 hash: b6f8dbf7325be8c936cb10ccf67228cfce1a1329f8b4d876177c1616ab52aa9295b3eb074e79743a561ad6ba34f6a768
SHA1 hash: 673eabe039a32982a47d088342844775822996c8
MD5 hash: 325c6021ce7b691f124ec4ee2024ce28
humanhash: bakerloo-orange-queen-south
File name:54BCD3308C140C8EC030F98697CC7F0E9D4585D54334A.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'936'952 bytes
First seen:2022-01-22 21:01:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xKrRBmGrBkLq9TqlSKGTuoQC2T5wRZLkU4u0jy:xKrR8yqLc2T5wjWjy
TLSH T16C06330176EE51FFEA93213392687FA572B1D185162CD8832374AB4A3A3CDC8D53B51E
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
148.251.189.166:11784

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
148.251.189.166:11784 https://threatfox.abuse.ch/ioc/313092/

Intelligence

File Origin
# of uploads :
1
# of downloads :
370
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
54BCD3308C140C8EC030F98697CC7F0E9D4585D54334A.exe
Verdict:
No threats detected
Analysis date:
2022-01-22 21:29:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f2194d9-b18b-4681-b06f-dae57dcefca9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221683/
Detection(s):
Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
DNS request
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5024/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed sality shell32.dll
Link:
https://www.filescan.io/uploads/61ec70cfd32385db631d9908/reports/00ea454b-0eba-4909-91f0-a7e9d52073a1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d7b8185-2067-43b4-9733-4534a8f8263e
Result
Threat name:
SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925726
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 558204 Sample: 54BCD3308C140C8EC030F98697C... Startdate: 22/01/2022 Architecture: WINDOWS Score: 100 102 20.42.73.29 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->102 124 Multi AV Scanner detection for domain / URL 2->124 126 Antivirus detection for URL or domain 2->126 128 Antivirus detection for dropped file 2->128 130 15 other signatures 2->130 13 54BCD3308C140C8EC030F98697CC7F0E9D4585D54334A.exe 8 2->13         started        signatures3 process4 file5 94 C:\Users\user\AppData\...\setup_install.exe, PE32 13->94 dropped 96 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 13->96 dropped 98 C:\Users\user\AppData\Local\...\libzip.dll, PE32 13->98 dropped 100 3 other files (none is malicious) 13->100 dropped 16 setup_install.exe 3 13->16         started        process6 file7 64 C:\Users\user\...\c2df147c046a32046.exe, PE32 16->64 dropped 66 C:\Users\user\AppData\...\953e714456a5.zip, Zip 16->66 dropped 122 Writes many files with high entropy 16->122 20 cmd.exe 1 16->20         started        23 conhost.exe 16->23         started        signatures8 process9 signatures10 132 Adds a directory exclusion to Windows Defender 20->132 25 c2df147c046a32046.exe 16 20->25         started        process11 file12 68 C:\Users\user\AppData\...\setup_install.exe, PE32 25->68 dropped 70 C:\Users\user\...\Mon10fc1df6897de204.exe, PE32 25->70 dropped 72 C:\Users\user\AppData\...\Mon10d65f5baa6.exe, PE32 25->72 dropped 74 11 other files (6 malicious) 25->74 dropped 28 setup_install.exe 1 25->28         started        process13 dnsIp14 118 127.0.0.1 unknown unknown 28->118 120 192.168.2.1 unknown unknown 28->120 156 Adds a directory exclusion to Windows Defender 28->156 32 cmd.exe 28->32         started        34 cmd.exe 1 28->34         started        36 cmd.exe 28->36         started        38 7 other processes 28->38 signatures15 process16 signatures17 41 Mon102141234bd378.exe 32->41         started        46 Mon10097fa54c.exe 34->46         started        48 Mon107825d0b235ce.exe 36->48         started        134 Adds a directory exclusion to Windows Defender 38->134 50 Mon10301b16494.exe 38->50         started        52 Mon10fc1df6897de204.exe 38->52         started        54 Mon10d65f5baa6.exe 38->54         started        56 3 other processes 38->56 process18 dnsIp19 104 37.0.10.214 WKD-ASIE Netherlands 41->104 106 37.0.10.244 WKD-ASIE Netherlands 41->106 116 15 other IPs or domains 41->116 76 C:\Users\...\vztVzy7j2NIluIazfUPc6prS.exe, PE32 41->76 dropped 78 C:\Users\...\npbp_c_hnouvPlTexle61_u_.exe, PE32 41->78 dropped 80 C:\Users\...\m19Txbeq5skSTUK28aJR3zlA.exe, PE32 41->80 dropped 84 53 other files (26 malicious) 41->84 dropped 136 Antivirus detection for dropped file 41->136 138 Creates HTML files with .exe extension (expired dropper behavior) 41->138 140 Tries to harvest and steal browser information (history, passwords, etc) 41->140 150 2 other signatures 41->150 142 Detected unpacking (changes PE section rights) 46->142 144 Machine Learning detection for dropped file 46->144 146 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->146 152 3 other signatures 46->152 58 explorer.exe 46->58 injected 82 C:\Users\user\...\Mon107825d0b235ce.tmp, PE32 48->82 dropped 148 Obfuscated command line found 48->148 62 Mon107825d0b235ce.tmp 48->62         started        108 208.95.112.1 TUT-ASUS United States 50->108 110 148.251.234.93 HETZNER-ASDE Germany 52->110 112 162.159.130.233 CLOUDFLARENETUS United States 54->112 114 8.8.8.8 GOOGLEUS United States 56->114 file20 signatures21 process22 file23 86 C:\Users\user\AppData\Roaming\ddsvjfw, PE32 58->86 dropped 154 Hides that the sample has been downloaded from the Internet (zone.identifier) 58->154 88 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 62->88 dropped 90 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 62->90 dropped 92 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 62->92 dropped signatures24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 19:28:00 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ks6ngmemcqgi5qbq7gdjptd7b2oulbovim2kf23xywehsuinlsga._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
ryuk
Create hunting rule
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:vidar botnet:1114 botnet:1128 botnet:1bc6116182dfd33bce1052fe9bb0415968161030 botnet:26ba8731a23ebe331ca665e334da5a21506c1e2d botnet:4c585dd595f87d872b81110ef04a868eee9e5c6b botnet:fie aspackv2 infostealer spyware stealer suricata
Link:
https://tria.ge/reports/220122-zvfp8sdcbm/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Raccoon
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
https://mastodon.online/@prophef1
https://koyu.space/@prophef2
91.243.59.147:33459
Unpacked files
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
ae25cb941f3026c1da3db95f689d4dc493580c5900adcb856e62ece1fc591598
MD5 hash:
e7d138a960df98a500620432b4d32cc0
SHA1 hash:
b03ed11d72da94a70dd0a35cf0fa5dff2ea248e0
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
9ead82463c776e2ffcd760df60714759a21a67f6b6fadb6188d0343ed8c7388b
MD5 hash:
d41d12517d9fecd975fafd669c126595
SHA1 hash:
86df1e1f2e07bcc928440455f8cfd5b8d6c8e54a
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
85c0574b48df124cb351cf102246e547a82619fbf7521d0bc515828b480aeb49
MD5 hash:
5dbebf819f64fc4691f2168c520160ea
SHA1 hash:
74d9e9ad214b51e6ffefb661b31f3f1c592867c1
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
9bade09e3cdcd01175641b1ed143ec3dc5cb645591082c1a9ba5fdf98da1e3f6
MD5 hash:
abfafb3ebeb753b4368372239eeccb4b
SHA1 hash:
4b7ec59e9c74ba5231065f6a90e21be841f48c76
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
9f49d2110ce857ad6bc5a59870ee37d02651dd381820320827a7477082836f3e
MD5 hash:
aba80c623dd45ad9f26e1474cece96af
SHA1 hash:
462562d51999490104300abd8999d25c03f359c7
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
32a1230d5fb8df0d7cfcefce7aebbca859558f264cd36eec83bef25856097fde
MD5 hash:
7226ddc0092d6606d32e2c39df110df2
SHA1 hash:
072cadae3b2cc36a5c1a7d084f005b9f6f3fa6fc
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
aff5052dcaceac8cc0d97983c19091be8f1d2fa3b2ea4f649adf0c16855bc8b8
MD5 hash:
b32e81cfce4fb1d3a87156891c95e35c
SHA1 hash:
9a1b6b18d71016d4b7ebe5abbfaaa204d51ece86
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
5050bc56c683a4dbfda08b43d68973961458fd712164c3792d060153c2bd7027
MD5 hash:
f9210936145be5d696c5c80f8f464a58
SHA1 hash:
4647f8be74272b9a6d6d039fc6bb68aca0c8b49c
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
b33812ed872e416a18962eb5ef42b5ebe90831bfdf623db13b1bb36efe12d603
MD5 hash:
afa3ced47031677044579703807f3eef
SHA1 hash:
d819e4bad20436348b6655ade1a4155678f45efa
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
6b274429d8af94d1a01fdcdc8efad17e781677f7c254f9f67185dc2975851c5f
MD5 hash:
f57cd9e2784d37b6f98539197b6a3112
SHA1 hash:
ce5a57866e7e70b067e67bcdca27429d85f442c9
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
b11a112007bf0f092e1fac59bf427215af4449a398e89d519cd4c6d66e0d6206
MD5 hash:
47589ee60b1c19900c5b9e0750352f9b
SHA1 hash:
72c806adc5c0955680e1b3bfe6037dd46c9b09af
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
703f674fc25d8946f7468c37025c4c71a00d2956ea8fdfbeefdde5e1b3ce4ae4
MD5 hash:
b5292e09ba6b3a263828a20cb443cbb9
SHA1 hash:
1cd22e69ab2a39468d977487d66b1c00dbd7779e
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
01ff9670e34d838bc717402082ed9790825c27bc1e36bf8c4e08484c80b5a1a5
MD5 hash:
8d5bbc79e0f2c564fa82207752d84c68
SHA1 hash:
75c2332ef6cb151b0cf982a8c4ec05399192bd05
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
SH256 hash:
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
MD5 hash:
325c6021ce7b691f124ec4ee2024ce28
SHA1 hash:
673eabe039a32982a47d088342844775822996c8
Link:
https://www.unpac.me/results/9f248ba4-7e92-41c5-b0a8-6b0593086863/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/54bcd3308c14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221683/

Comments