MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f6faf0507fca9db0b364b6d4718b24eb3880054ecace3207de384e8037852b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 9



SHA256 hash: 5f6faf0507fca9db0b364b6d4718b24eb3880054ecace3207de384e8037852b2
SHA3-384 hash: 22d5441e46d6a78cbfc57a80d69857ec550464ee3ffa73b04e92a8f26548938da710785c25e42b39ae19034162bf62a0
SHA1 hash: eba980b344129cd8347d54a68c267d2f817dd17c
MD5 hash: 5acface314511e920f4b40a903054d72
humanhash: beer-red-vermont-jersey
File name: 5acface314511e920f4b40a903054d72.exe
Signature: RedLineStealer
File size: 2'637'312 bytes
First seen: 2021-09-25 15:14:31 UTC
Last seen: 2021-09-25 16:03:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d343580213f3aad4dfa075b33c6ed3fb (1 x RedLineStealer)
ssdeep: 3072:jFjKpRgi5HW9JnBXvQcorrbWR9hcktkGifh4fhN:j5KpR3AJntorOFmfOhN
Threatray: 1'126 similar samples on MalwareBazaar
TLSH: T15AC5D411B8A3C06BD46AC5B1CC2EEEFD4538BE51CE2C059732D6BF2F3B3028159A6955
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
94.26.228.204:32917

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
94.26.228.204:32917      https://threatfox.abuse.ch/ioc/226448/
185.244.180.224:39957    https://threatfox.abuse.ch/ioc/226450/
213.166.69.181:64650     https://threatfox.abuse.ch/ioc/226456/
65.21.230.118:16782      https://threatfox.abuse.ch/ioc/226458/
185.215.113.104:18754    https://threatfox.abuse.ch/ioc/226459/
95.217.248.44:1052       https://threatfox.abuse.ch/ioc/226460/
65.21.236.62:47186       https://threatfox.abuse.ch/ioc/226442/
138.124.186.180:39821    https://threatfox.abuse.ch/ioc/226555/
185.173.37.128:40504     https://threatfox.abuse.ch/ioc/226556/
45.82.178.241:35141      https://threatfox.abuse.ch/ioc/226557/

Intelligence


File Origin
# of uploads: 2
# of downloads: 158
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5acface314511e920f4b40a903054d72.exe
Verdict: No threats detected
Analysis date: 2021-09-25 15:15:30 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 490490; sample IYtpAQqaaN.exe; start date 25/09/2021; architecture WINDOWS; score 100)

Top level
  Network: iplis.ru; tambisup.com; 9 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 16 other signatures
  iplis.ru: May check the online IP address of the machine

IYtpAQqaaN.exe (started)
  Network: pastebin.com 104.23.98.190 port 443 (local port 49734), CLOUDFLARENETUS, United States; cdn.discordapp.com 162.159.130.233 port 443 (local ports 49735, 49736), CLOUDFLARENETUS, United States
  Dropped: C:\Users\...i8DrAmaYu9K8ghN89CsjOW1.exe (data)
  -> Ei8DrAmaYu9K8ghN89CsjOW1.exe (started)
     Network: 37.0.8.119 port 80 (local ports 49762, 49789), WKD-ASIE, Netherlands; 37.0.10.214 port 80, WKD-ASIE, Netherlands; 15 other IPs or domains
     Dropped: C:\Users\...\z8ZCDK7r0GNtU1xA7T1n98IK.exe (PE32); C:\Users\...\vplny7MIC8_fJRJC0s7YZDa4.exe (PE32); C:\Users\...\tcYthcnef_eLXKTGwnr9sUyE.exe (PE32); 40 other files (33 malicious)
     Signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
     -> z8ZCDK7r0GNtU1xA7T1n98IK.exe (started)
        Signatures: Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION; Tries to evade analysis by execution special instruction which cause usermode exception; Injects a PE file into a foreign processes
     -> 3hJCCZlxLukKhgiglbo8v7DX.exe (started)
        Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Hides threads from debuggers
     -> SfYEvRXrwlBmallKGfxm2fHH.exe (started)
        Signatures: Detected unpacking (overwrites its own PE header)
     -> 14 other processes (started)
        Network: 185.215.113.22, WHOLESALECONNECTIONSNL, Portugal; telegram.org 149.154.167.99, TELEGRAMRU, United Kingdom; 3 other IPs or domains
        Dropped: C:\Users\user\AppData\Local\Temp\210921.exe (PE32); C:\...\PowerControl_Svc.exe (PE32); C:\Users\user\AppData\Local\...43MIT2Z2.dll (PE32); 3 other files (none is malicious)
        Signatures: Tries to harvest and steal browser information (history, passwords, etc); Sample uses process hollowing technique
        -> conhost.exe (started, 4 instances)
Threat name: Win32.Trojan.Chapak
Status: Malicious
First seen: 2021-09-07 09:47:50 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5

Result
Malware family: socelars
Score: 10/10
Tags: family:arkei family:redline family:smokeloader family:socelars agilenet backdoor evasion infostealer spyware stealer suricata themida trojan
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Arkei
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
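The socket IOCs in the ThreatFox table above and the HTTP C2 URLs in the C2 Extraction list are only useful once they are turned into a check against your own telemetry. The script below is an added example, not code from MalwareBazaar, ThreatFox or abuse.ch: it normalises both IOC lists from this entry and matches them against firewall, proxy and DNS records. The log lines are constructed for the example in a generic key=value layout (fields dst, dport, host, query), which is an assumption about your log format; adapt the parser to whatever your SIEM exports. It deliberately distinguishes an exact ip:port hit from a hit on the C2 address at a different port, and it catches subdomains of the listed C2 hosts rather than only exact names.

```python
"""Match this entry's IOCs against firewall, proxy and DNS log lines.

Added example for this MalwareBazaar entry; not abuse.ch code. The log
format below is constructed and is an assumption, not a real product's.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from this entry: ThreatFox socket IOCs and the
# sandbox's C2 Extraction URLs.
SOCKET_IOCS = [
    "94.26.228.204:32917", "185.244.180.224:39957", "213.166.69.181:64650",
    "65.21.230.118:16782", "185.215.113.104:18754", "95.217.248.44:1052",
    "65.21.236.62:47186", "138.124.186.180:39821", "185.173.37.128:40504",
    "45.82.178.241:35141",
]
C2_URLS = [
    "http://naghenrietti1.top/", "http://kimballiett2.top/",
    "http://xadriettany3.top/", "http://jebeccallis4.top/",
    "http://nityanneron5.top/", "http://umayaniela6.top/",
    "http://lynettaram7.top/", "http://sadineyalas8.top/",
    "http://geenaldencia9.top/", "http://aradysiusep10.top/",
]

# Constructed log lines (not from the page): firewall, DNS and proxy records
# in a generic key=value layout. Lines 3 and 6 are benign controls.
SAMPLE_LOGS = """\
2021-09-25T15:20:01Z fw src=10.0.0.5 dst=94.26.228.204 dport=32917 proto=tcp action=allow
2021-09-25T15:20:07Z fw src=10.0.0.5 dst=65.21.230.118 dport=443 proto=tcp action=allow
2021-09-25T15:20:09Z fw src=10.0.0.9 dst=93.184.216.34 dport=443 proto=tcp action=allow
2021-09-25T15:21:09Z dns client=10.0.0.7 query=cdn.kimballiett2.top type=A
2021-09-25T15:21:10Z proxy client=10.0.0.7 host=naghenrietti1.top url=http://naghenrietti1.top/ status=200
2021-09-25T15:21:12Z proxy client=10.0.0.7 host=example.com url=http://example.com/ status=200
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def build_iocs(sockets=SOCKET_IOCS, urls=C2_URLS):
    """Normalise the IOC lists into (socket_pairs, ips, hosts) lookup sets.

    A malformed entry raises instead of silently becoming an indicator
    that can never match.
    """
    pairs, ips, hosts = set(), set(), set()
    for entry in sockets:
        ip, port = entry.rsplit(":", 1)
        ipaddress.ip_address(ip)            # ValueError on a bad address
        pairs.add((ip, int(port)))
        ips.add(ip)
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            raise ValueError(f"no host in C2 URL {url!r}")
        hosts.add(host.lower())
    return pairs, ips, hosts


def host_matches(name, hosts):
    """Exact or subdomain match: cdn.kimballiett2.top hits kimballiett2.top."""
    name = name.lower().rstrip(".")
    return name in hosts or any(name.endswith("." + h) for h in hosts)


def scan(log_text, iocs):
    """Return (line_number, indicator, kind) for every hit.

    kind is 'socket' for the exact ThreatFox ip:port, 'ip' for the C2
    address on some other port (weaker, still worth triage), and 'host'
    for a proxy/DNS record naming a C2 domain or one of its subdomains.
    """
    pairs, ips, hosts = iocs
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = dict(KV_RE.findall(line))
        dst, dport = fields.get("dst"), fields.get("dport")
        if dst and dport and dport.isdigit() and (dst, int(dport)) in pairs:
            hits.append((n, f"{dst}:{dport}", "socket"))
        elif dst in ips:
            hits.append((n, dst, "ip"))
        for key in ("host", "query"):
            name = fields.get(key)
            if name and host_matches(name, hosts):
                hits.append((n, name, "host"))
    return hits


if __name__ == "__main__":
    for line_no, indicator, kind in scan(SAMPLE_LOGS, build_iocs()):
        print(f"line {line_no}: {kind:6} {indicator}")
```

On the constructed input this flags the exact C2 socket on line 1, the 65.21.230.118 address reached on port 443 rather than the listed 16782 on line 2, and the DNS and proxy records on lines 4 and 5; the two benign lines stay silent. Treat the 'ip' hits as leads rather than confirmed C2 traffic: several of the listed addresses are on hosting networks that also serve legitimate traffic.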
Unpacked files
SHA256 hash: 5f6faf0507fca9db0b364b6d4718b24eb3880054ecace3207de384e8037852b2
MD5 hash: 5acface314511e920f4b40a903054d72
SHA1 hash: eba980b344129cd8347d54a68c267d2f817dd17c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments