MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6059bdd4738c812b60b43a1e0ade3099cfad2dfd306e8fa41c30484a9830d38b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 6059bdd4738c812b60b43a1e0ade3099cfad2dfd306e8fa41c30484a9830d38b
SHA3-384 hash: fe112e06f5c9870cefc627c047a7ebd9ae0b67eb3f0e85e95191d25616d6903821b3a39f7e5645a5eff5cc3324b513cf
SHA1 hash: 3ba39d19ffa57f83769dbb43233c2ba7d8ddd95d
MD5 hash: a8a9cbce2045a197c0b4019e31152365
humanhash: angel-mississippi-sink-thirteen
File name: a8a9cbce2045a197c0b4019e31152365.exe
Signature RedLineStealer
File size: 7'726'241 bytes
First seen: 2022-02-06 12:45:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:JezZDigKRqkLachmliVkKtRworkSIu4BRyko1qWegj:Jezpj7kLach8AEoCzWegj
Threatray 5'326 similar samples on MalwareBazaar
TLSH T12C7633B2585109FFC0EE1D7181B3A98B36B6411ADEDF4EAA265CDF231C7B141931A3B1
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
23.237.25.226:17677

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
23.237.25.226:17677 https://threatfox.abuse.ch/ioc/379464/
194.87.185.36:80 https://threatfox.abuse.ch/ioc/379575/

Intelligence


File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
61FC0464DDBA7-WinSetup-i864.zip.7z
Verdict:
Malicious activity
Analysis date:
2022-02-04 17:53:59 UTC
Tags:
evasion loader trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
DNS request
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
barys control.exe manuscrypt overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
[Behavior graph rendering omitted; recoverable metadata: Behavior Graph ID 567243, sample WfBayGk51Z.exe, start date 06/02/2022, architecture WINDOWS, score 100. The graph traces the submitted executable through setup_installer.exe and setup_install.exe to the dropped 61fc04*.exe payloads, cmd.exe and powershell.exe children, and annotates each node with the sandbox signatures listed above.]
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2022-02-04 19:03:00 UTC
File Type:
PE (Exe)
Extracted files:
426
AV detection:
20 of 28 (71.43%)
Threat level:
5/5
Result
Malware family:
socelars
Score:
10/10
Tags:
family:socelars aspackv2 stealer
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Socelars
Socelars Payload
Malware Config
C2 Extraction:
http://www.tpyyf.com/
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments