MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b976ede72eb87c6027fa7cd4aa7d8f0bd46c9105ca955bfb94d86a721f73ed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 9



SHA256 hash: 5b976ede72eb87c6027fa7cd4aa7d8f0bd46c9105ca955bfb94d86a721f73ed6
SHA3-384 hash: 34cf45c3137539da293c20cc6a1257e661b9ff33ef738150a1cbc654ce6c5b1359221645efe95ffa33c41ff49b7c341e
SHA1 hash: ecfa01090a9e0830b9bd596875402cf68c95e73e
MD5 hash: c409402102fc8cf262447c5d9e3b845a
humanhash: one-spring-eleven-venus
File name: IDWCH1.exe
Signature: RedLineStealer
File size: 775'218 bytes
First seen: 2021-06-15 11:20:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'503 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 12288:VQi3bv6m6URA3PhGD8p1hf39Wkv8xwJsfv:VQirChhGwpdUMc
Threatray: 53 similar samples on MalwareBazaar
TLSH: 36F46805E677BCBDCC10D5BC4912C27935A27F64282A9B33A1F9BEDB3635283550EE42
Reporter: JAMESWT_WT
Tags: data.exe exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 117
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Data.exe
Verdict: Malicious activity
Analysis date: 2021-06-10 06:19:03 UTC
Tags: autoit opendir evasion loader stealer trojan danabot

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process with a hidden window
Sending a custom TCP request
Sending a UDP request
Creating a file in the Program Files subdirectories
Sending an HTTP POST request
Launching a process
Creating a file
Deleting a recently created file
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Reading critical registry keys
Unauthorized injection to a recently created process
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph: (rendered process/network graph not reproduced here; Behavior Graph ID: 434753, Sample: IDWCH1.exe, Startdate: 15/06/2021, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-06-10 01:01:25 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 25 of 46 (54.35%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:plugx family:redline family:smokeloader family:tofsee family:vidar backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Windows Firewall
UPX packed file
VMProtect packed file
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
Vidar Stealer
PlugX
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Tofsee
Vidar
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments