MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 13



SHA256 hash: 55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb
SHA3-384 hash: e1713f2aed666a3e54a8df95bb3df3f8a1595057bbbfaf67d6be383b84a3fe25e2864df25d8c89626d07d05abef5b08b
SHA1 hash: 93d1df814f81cf702823aea245408892c1468cc3
MD5 hash: b24d317c065682317220e1b1280b0c3e
humanhash: yankee-beer-three-asparagus
File name: b24d317c065682317220e1b1280b0c3e.exe
Signature: RedLineStealer
File size: 10'189'019 bytes
First seen: 2021-12-28 08:40:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:xYOZnquV280vNrji5cMCZ7YMAXt8IjsArK4EHReTJmbKJLpURsOPqTjrMG:xYAHV2xvJ4cM8sFr+7KLpURHmr
TLSH: T1ECA6334AB9F9D9F5D3A30032BED47B680994C368130741A727948B7CBF7CC26B6E8855
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://116.202.188.27/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://116.202.188.27/
ThreatFox reference: https://threatfox.abuse.ch/ioc/287975/

Intelligence

File Origin
# of uploads: 1
# of downloads: 232
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b24d317c065682317220e1b1280b0c3e.exe
Verdict: No threats detected
Analysis date: 2021-12-28 08:43:36 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Creating a window
Searching for analyzing tools
Creating a file
Creating a process with a hidden window
Searching for synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys exploit overlay packed smokeloader
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name: SmokeLoader Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: [graph image not recoverable from the page; Behavior Graph ID: 545872, Sample: nUkbOfIFrC.exe, Startdate: 28/12/2021, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Backdoor.Zapchast
Status: Malicious
First seen: 2021-12-26 01:50:00 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family:
Score: 10/10
Tags: family:raccoon family:redline family:socelars family:vidar botnet:8fc55a7ea41b0c5db2ca3c881e20966100c28a40 botnet:media22ns botnet:v3user1 aspackv2 evasion infostealer spyware stealer trojan
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft WebBrowserPassView
Nirsoft
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
http://www.biohazardgraphics.com/
159.69.246.184:13127
65.108.69.168:13293
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments