MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56f958f289d5af36088cf03190de09be80dc84e6bb71b5b9ab6439c9e7f1152d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 56f958f289d5af36088cf03190de09be80dc84e6bb71b5b9ab6439c9e7f1152d
SHA3-384 hash: abf0f73c74c6286182bd5256f040be85e20537fbd86f76ccba30ce42e1eb5ba7e7b27dff2ae2ea981dd1a7be381167ab
SHA1 hash: ec87cfd8d8473f732d4cc57477c37cb0e78f4019
MD5 hash: 0126f9672de5fc7514d74a846cd7e7da
humanhash: saturn-romeo-wisconsin-bakerloo
File name: 0126F9672DE5FC7514D74A846CD7E7DA.exe
Signature: RedLineStealer
File size: 4'724'925 bytes
First seen: 2021-07-13 19:21:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep: 98304:vKI+y1u8pu1hJQ+n/e0JBSqToVoSmFoAbJ11GJqnVCiJwnOZoAPZ1H:v5080Lm4JNoVqfDnxeAPZ1H
Threatray: 130 similar samples on MalwareBazaar
TLSH: T11926335936895072C3A125309FA4DB310B3A3D301FA896DBB7D27D2F7A3C1D2A636761
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.142.213.135:30058

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
45.142.213.135:30058     https://threatfox.abuse.ch/ioc/160114/

Intelligence


File Origin
# of uploads: 1
# of downloads: 158
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://keygenit.com
Verdict: Malicious activity
Analysis date: 2021-07-10 20:14:47 UTC
Tags: evasion trojan rat azorult stealer raccoon loader keylogger agenttesla redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cookie Stealer Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Creates files with lurking names (e.g. Crack.exe)
Creates processes via WMI
Detected VMProtect packer
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample is protected by VMProtect
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Yara detected Socelars
Behaviour
Behavior Graph (ID 448281; sample pexAcU27DC.exe; start date 13/07/2021; architecture WINDOWS; score 100): process tree of the submitted sample, the executables it drops (note866.exe, hbggg.exe, askinstall39.exe, Crack.exe and 3 other malicious files), their child processes and network contacts (google.vrthcobj.com, 101.36.107.74, iplogger.org), and the signatures each node triggered.
Threat name: Win32.Infostealer.Passteal
Status: Malicious
First seen: 2021-07-13 02:09:17 UTC
AV detection: 37 of 46 (80.43%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:socelars evasion persistence spyware stealer trojan vmprotect
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets DLL path for service in the registry
Sets service image path in registry
VMProtect packed file
Process spawned unexpected child process
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers.
Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments