MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59babf45239a61449061a606bd3f578c3caf0d604c1b9db4504e74582c6a4d30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59babf45239a61449061a606bd3f578c3caf0d604c1b9db4504e74582c6a4d30
SHA3-384 hash: 11e7c799f655ea4d5cdce18c2f11c67fc2186de8241b95f005859960d7a5a07bb700cc3e967f592662fa20b7e261fb98
SHA1 hash: 3d4a20e36ae41dc4e9e7376ac87418d6e67d259f
MD5 hash: ca9f451b687026440ae4c635ef47d5a0
humanhash: maryland-arizona-magnesium-arkansas
File name:CA9F451B687026440AE4C635EF47D5A0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'158'535 bytes
First seen:2021-08-25 03:46:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xuCvLUBsgCerxOyGqS+IPlT1x7pz43SZCeCUFz3jkE2Q/:xnLUCgCeoqkDTzFLVTkEZ/
TLSH T1F11633227BFBC5FAED4510302A8857B9A0BDCA88573546D737C5991BEE3ECED700A508
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.234.247.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.234.247.35/ https://threatfox.abuse.ch/ioc/193640/

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182052/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Creating a process with a hidden window
Sending an HTTP GET request
Creating a file
Launching cmd.exe command interpreter
Deleting a recently created file
Reading critical registry keys
Creating a file in the %AppData% directory
Sending a UDP request
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b86d16f0-aa82-4681-a169-d0f3e23d71ac
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838691
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 471122 Sample: xDB4Doqr4u.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 76 52.182.143.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->76 78 34.97.69.225 GOOGLEUS United States 2->78 80 2 other IPs or domains 2->80 100 Antivirus detection for URL or domain 2->100 102 Antivirus detection for dropped file 2->102 104 Multi AV Scanner detection for dropped file 2->104 106 15 other signatures 2->106 11 xDB4Doqr4u.exe 18 2->11         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\setup_install.exe, PE32 11->50 dropped 52 C:\Users\user\AppData\...\Tue19fc1515e912.exe, PE32 11->52 dropped 54 C:\Users\user\...\Tue19f37e110827fe3a3.exe, PE32+ 11->54 dropped 56 13 other files (3 malicious) 11->56 dropped 14 setup_install.exe 1 11->14         started        process6 dnsIp7 98 127.0.0.1 unknown unknown 14->98 134 Adds a directory exclusion to Windows Defender 14->134 18 cmd.exe 1 14->18         started        20 cmd.exe 1 14->20         started        23 cmd.exe 1 14->23         started        25 8 other processes 14->25 signatures8 process9 signatures10 27 Tue195a21241231e.exe 18->27         started        108 Obfuscated command line found 20->108 110 Uses ping.exe to sleep 20->110 112 Uses ping.exe to check the status of other devices and networks 20->112 114 Adds a directory exclusion to Windows Defender 20->114 32 powershell.exe 24 20->32         started        34 Tue19f37e110827fe3a3.exe 1 14 23->34         started        36 Tue19fc1515e912.exe 25->36         started        38 Tue1967673abd.exe 2 25->38         started        40 Tue1930b79f0e40342.exe 25->40         started        42 4 other processes 25->42 process11 dnsIp12 82 185.233.185.134 YURTEH-ASUA Russian Federation 27->82 84 37.0.10.214 WKD-ASIE Netherlands 27->84 90 12 other IPs or domains 27->90 58 C:\Users\...\zSgc0olJ6Cmg1zp5NClrlAWs.exe, PE32 27->58 dropped 60 C:\Users\...\z6fesb58mX8VcSRvxrEyh3_q.exe, PE32 27->60 dropped 62 C:\Users\...\rwW9JK2A0BZ5mw5BxBwLQMNh.exe, PE32 27->62 dropped 72 49 other files (45 malicious) 27->72 dropped 116 Drops PE files to the document folder of the user 27->116 118 Creates HTML files with .exe extension (expired dropper behavior) 27->118 120 Tries to harvest and steal browser information (history, passwords, etc) 27->120 122 Disable Windows Defender real time protection (registry) 27->122 86 208.95.112.1 TUT-ASUS United States 34->86 88 8.8.8.8 GOOGLEUS United States 34->88 92 2 other IPs or domains 34->92 64 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 34->64 dropped 66 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 34->66 dropped 124 Drops PE files to the startup folder 34->124 126 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->126 128 Checks if the current machine is a virtual machine (disk enumeration) 36->128 130 Creates processes via WMI 38->130 44 Tue1967673abd.exe 38->44         started        132 Machine Learning detection for dropped file 40->132 94 4 other IPs or domains 42->94 68 C:\Users\user\AppData\Roaming\2904409.exe, PE32 42->68 dropped 70 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 42->70 dropped file13 signatures14 process15 dnsIp16 96 104.21.70.98 CLOUDFLARENETUS United States 44->96 74 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 44->74 dropped 48 conhost.exe 44->48         started        file17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59babf45239a61449061a606bd3f578c3caf0d604c1b9db4504e74582c6a4d30/
Threat name:
Win32.Trojan.ArkeiStealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 01:53:48 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lg5l6rjdtjqujedbuydl2p2xrq6k6dlajqnz3ncqjz2fqldkjuya._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:pab3 aspackv2 backdoor infostealer persistence stealer trojan
Link:
https://tria.ge/reports/210825-3ts6h4w1ys/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
185.215.113.15:61506
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
https://lenak513.tumblr.com/
Unpacked files
SH256 hash:
1ab460eac81001bfa0da8cbadfd4fba0ad0f371742a2c725ff5cf71bdd8e2b9f
MD5 hash:
1dc95107f7dd6d1392bb8d9b53b76916
SHA1 hash:
b26f9c90ad4656d2ddf3e96da967e0f65a9623e1
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
d1ff2f8a510fb4d25dd861e4cd5196585ccdd66cd6e941941e13d634da825f32
MD5 hash:
e3ed5e6a62ece3cf158688bce4161fbf
SHA1 hash:
5a8c4dddf69e8650952b0d29987cc6edfe25fb0b
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
ab9bb888f6235eaee1ad52cd9b4d1f960ea09743ff80919d0095383f3683c583
MD5 hash:
eff546ee925781db419befdf93bd045d
SHA1 hash:
1129b509403fa589b50310f99f77c69ecc7f8314
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
SH256 hash:
416e63fb614101d5644592d5f589f358f8d5a41dd6812a717cbf05470864ac6f
MD5 hash:
45a47d815f2291bc7fc0112d36aaad83
SHA1 hash:
db1dc02b2d64c4c3db89b5df3124dd87d43059d5
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
c8f715ca21b7a194e6041548edb1bcf7938363501bdafa8612f6f213c01e2a5a
MD5 hash:
22c28b74389cca49fda33f6d4ab99c34
SHA1 hash:
9bb7985f17c336a17c04654946d34598b50db29a
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
343d86125f1e14fee45cf172da3a7d29006504d3c5ca7c68710762469121fa57
MD5 hash:
92311280519ef9826fd3546ffaf4c6d1
SHA1 hash:
84b0eb8a232ec3b8be1b1f28afa294ba9e848c7f
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
4915a7e0678c15771e7d1c50875f256dbbc18e04fb11132fc4878e0757331711
MD5 hash:
22ea8c743c19358ca2da4a6f387cd12f
SHA1 hash:
14e329dcd043587fd35bafd61b66c2dcd9079bab
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
8bf0ce3b488e4215fff1132571de0f40f8a8e139669f75e222f8c613d7085a1f
MD5 hash:
71b01acca3a78d7ec7a7e334f7b12687
SHA1 hash:
bca5481e16487b1e42c77878f03dbccfae6b7d03
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
e1dc57c8041d2948e4ea78485272eaa0be768efe971f6f3ab1b5e7e78555835a
MD5 hash:
0205dddb076f18e2e749e44b967a2291
SHA1 hash:
9551fab6d9f8a4e2708a5e02ffa5ec84d573190c
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
2e19e19649c9a7c2ee8f294c062275a3729a504530efa7003d427098e86352e1
MD5 hash:
12f56b8148c714e8f954123ebf995d28
SHA1 hash:
86af269d17268ed7d56d09a62bbdc4d8c46a71ac
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
825fc2aed6aed930fdd4f69a6dad3801669a8b109692be5330087ed78defe4d3
MD5 hash:
ee24338e69a2cae172c8b94600541620
SHA1 hash:
bdae37ed9ad9bcc1f2e4c485b40fde783b42992e
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
736a9a00b7f07c7c1b3b19d1b871c8f70b442680c144c0062c8395f33464e263
MD5 hash:
ca0f4eceab4c8cbf3549b17a774397c2
SHA1 hash:
e5cdef77923001e375d64311dbf2a23145794da8
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
277e3647eda69cd60bf36f84827182db3adc9a337fcfacbeb0cf481710390fc9
MD5 hash:
e95033f788aa8135b78e1be622d02312
SHA1 hash:
114d01cebc1ab2113d3916fd99d0ca2ab28857ac
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
db884e0ffcce4716e25f7201abd066852e4f155cf4ebcd302ff157f7afcea598
MD5 hash:
c1b2ad316b44e40cbe93fa78b261e535
SHA1 hash:
53a3cc3cde58893cdbc5db23d7a6f4627d8842e5
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
4e56eda567957dbe60c1d7e9b26c3671bb8aa9eb0e37e80e9e385914c51cf3b5
MD5 hash:
6dd2c4c9eaaa6ac05c10adf0b70dbda9
SHA1 hash:
6481696b43e14f0ef73abb76281be528bb94d618
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
SH256 hash:
59babf45239a61449061a606bd3f578c3caf0d604c1b9db4504e74582c6a4d30
MD5 hash:
ca9f451b687026440ae4c635ef47d5a0
SHA1 hash:
3d4a20e36ae41dc4e9e7376ac87418d6e67d259f
Link:
https://www.unpac.me/results/da526b51-c4ad-4244-8eb5-b968bde12b70/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/59babf45239a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59babf45239a61449061a606bd3f578c3caf0d604c1b9db4504e74582c6a4d30

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182052/

Comments