MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6104f2b4049168fea236bb6a5b9a5194b878b61f87336eafb0fe5a5fab93144b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6104f2b4049168fea236bb6a5b9a5194b878b61f87336eafb0fe5a5fab93144b
SHA3-384 hash: 295b4fa8632b5eeda2965867f57cee96438c358fceff7954f6ee55b893616cd6f594a0d870f083a593c3ace535c575ec
SHA1 hash: e7996ee499e594195cf25be007ba862c299d50ab
MD5 hash: 7289c24e6e34cf7ed1d518152eb64eac
humanhash: cardinal-failed-burger-connecticut
File name:6104F2B4049168FEA236BB6A5B9A5194B878B61F87336.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'329'751 bytes
First seen:2022-01-22 22:26:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:EgHgbCWLFWrstzhszJ/qGQa6Q516nVMYYQmPBFuyZz6niQkuCaUbhe:JRWLFS4h8/qGC4EaYSBFpgB+0
TLSH T120F533BE62DA1E63E0B7C6F67CDD61A5A2FDE0308519176A2324B2517F181C76E3D320
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
148.251.189.166:11784

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
148.251.189.166:11784 https://threatfox.abuse.ch/ioc/313092/

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6104F2B4049168FEA236BB6A5B9A5194B878B61F87336.exe
Verdict:
No threats detected
Analysis date:
2022-01-22 22:36:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b4d2f0ce-a42e-432d-8d9f-b2d5c89b1242

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector04
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221686/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Socelars-9901327-1
Create hunting rule

Win.Malware.Socelars-9901374-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5026/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
arkeistealer barys control.exe overlay packed redline shell32.dll upatre
Link:
https://www.filescan.io/uploads/61ec84bcd32385db631df708/reports/a11e9af4-5b34-4c40-94d5-42ad5fcdae1c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/895d9edb-f74e-4fe7-b80d-64ea1cd79012
Result
Threat name:
RedLine SmokeLoader onlyLogger
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925732
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 558210 Sample: 6104F2B4049168FEA236BB6A5B9... Startdate: 22/01/2022 Architecture: WINDOWS Score: 100 69 103.155.92.143 TWIDC-AS-APTWIDCLimitedHK unknown 2->69 71 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->71 73 8 other IPs or domains 2->73 107 Antivirus detection for URL or domain 2->107 109 Antivirus detection for dropped file 2->109 111 Antivirus / Scanner detection for submitted sample 2->111 113 20 other signatures 2->113 10 6104F2B4049168FEA236BB6A5B9A5194B878B61F87336.exe 10 2->10         started        signatures3 process4 file5 47 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->47 dropped 115 Writes many files with high entropy 10->115 14 setup_installer.exe 21 10->14         started        signatures6 process7 file8 49 C:\Users\user\AppData\...\setup_install.exe, PE32 14->49 dropped 51 C:\Users\user\AppData\...\Tue18dbeee939.exe, PE32 14->51 dropped 53 C:\Users\user\AppData\...\Tue18cadd2d84.exe, PE32 14->53 dropped 55 16 other files (11 malicious) 14->55 dropped 17 setup_install.exe 1 14->17         started        process9 dnsIp10 67 127.0.0.1 unknown unknown 17->67 105 Adds a directory exclusion to Windows Defender 17->105 21 cmd.exe 1 17->21         started        23 cmd.exe 17->23         started        25 cmd.exe 17->25         started        27 9 other processes 17->27 signatures11 process12 signatures13 30 Tue18dbeee939.exe 21->30         started        35 Tue1810b00ae0c1250c.exe 23->35         started        37 Tue1815bbaf4c832099e.exe 25->37         started        117 Adds a directory exclusion to Windows Defender 27->117 39 Tue1849149a83ade8.exe 27->39         started        41 Tue1829588bff8.exe 27->41         started        43 Tue18ac2da112f1385.exe 6 27->43         started        45 3 other processes 27->45 process14 dnsIp15 85 10 other IPs or domains 30->85 57 C:\Users\...\kkFGy09guSqxCghhvpt5lMpQ.exe, PE32 30->57 dropped 59 C:\Users\...59w9x0AApqP3RBTJ1k3Rk0DYr.exe, PE32 30->59 dropped 61 C:\Users\...7lZ3SLGNyogWPfwdVTZVw_2.exe, PE32 30->61 dropped 65 45 other files (23 malicious) 30->65 dropped 89 Antivirus detection for dropped file 30->89 91 Creates HTML files with .exe extension (expired dropper behavior) 30->91 93 Tries to harvest and steal browser information (history, passwords, etc) 30->93 103 2 other signatures 30->103 75 172.67.221.103 CLOUDFLARENETUS United States 35->75 95 Multi AV Scanner detection for dropped file 35->95 97 Machine Learning detection for dropped file 35->97 77 45.9.20.13 DEDIPATH-LLCUS Russian Federation 37->77 99 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 37->99 79 104.21.85.99 CLOUDFLARENETUS United States 39->79 63 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 39->63 dropped 101 Creates processes via WMI 39->101 87 2 other IPs or domains 41->87 81 8.8.8.8 GOOGLEUS United States 43->81 83 135.181.129.119 HETZNER-ASDE Germany 45->83 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6104f2b4049168fea236bb6a5b9a5194b878b61f87336eafb0fe5a5fab93144b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 06:22:35 UTC
File Type:
PE (Exe)
Extracted files:
328
AV detection:
33 of 43 (76.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mecpfnaesfup5irwxnvfxgsrss4hrnq7q4zw5l5q7znf7k4tcrfq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:ani botnet:media12 botnet:she aspackv2 infostealer
Link:
https://tria.ge/reports/220122-2c4qfsddf8/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.121.67.60:2151
194.104.136.5:46013
135.181.129.119:4805
Unpacked files
SH256 hash:
51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash:
ca367012ebf8a17e84253413281d5e72
SHA1 hash:
9db93109d5bfb255c1997e422a2538beefdbb36e
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
Parent samples :
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
9a4581bb4456623aa1432e24149d0cb1d64497dd6ea5542d574e13eab54cf2e9
MD5 hash:
1afedee76a4794340210da1e0e2c4f38
SHA1 hash:
1904487196b21f2e28fb73cf43d19030cadce19d
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
9a2bd2affa4f61fddd2cf83eca1a9023d1275e71d711fee1bf78887097602193
MD5 hash:
955a84181beba0d5cebaaa096a2008fd
SHA1 hash:
4ba42cf5e19c66649ea2f9e23d26f168a9609bc2
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
Parent samples :
f06154d372fa1cd4d5e9c1d5956646c9b4dd80dab46ab1d47f057a0199f5e8f2
67a38378609c0eb8141a74e7baa052b01ff5734319b4e434e556c88fffd596b9
SH256 hash:
b7400825df4e2e22e14b51b60809bb7706cd5f8c0c758c08dbb7f97ef3bd0597
MD5 hash:
1651d2eee32c15f79fd5f2e42551f4dc
SHA1 hash:
f254b220184e991792401f4818bcae33ac37ad4f
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash:
de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash:
ee402371a36bff44c765323ccd8c7e4a56bc8d12
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
23e49690f0c6c8545fb6058d2103405d8f74d485284d3ca9ae0de14afedd2fa1
MD5 hash:
fbf645f3f98bd18e7fa3846d90ac98db
SHA1 hash:
c2b0eab30cf1d92ed02b6762eab927500e0a69e5
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
f64c777abab289837042feb8d86b12a83d48147591fee7c56853f4a9a7c8f6f7
MD5 hash:
d99f11897ec2e7dab1012bda897ca99f
SHA1 hash:
bfa60604743bfb97d965ebef9c7620708690f15f
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
f7ee5b08b5a9dcfd9e59225cc0d8816d1fa27f2b6a56064761a272b0ba807b57
MD5 hash:
2e1257523e2b034489f3aa3725fce7fe
SHA1 hash:
becee886e34121c595da484b46500cb03fc04abe
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
a5905784e7071fc2e2dc3aa150a1abe6fdb360e547d1853e22d3939a4c9e01ea
MD5 hash:
9a55a0ea32440f95ff06f9896059c854
SHA1 hash:
bd0e63bf406b50b32d3a56c1d3e18911a6107121
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
5822f4cfd6dcff68a60c18152539ed6cf56fcb4bf3ea0e6770b52db6764caa9a
MD5 hash:
0aa5f39361897de42d5aed83b15ddf63
SHA1 hash:
ba013e14cbeecedb20ef3ff049ac9e0006262608
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
d12f8f144b3bb6cbacd95964fb50a5ebbc8ba688e0a5857fe5584dfa564254d3
MD5 hash:
d3050f98bb71cf3f20a37865d548483b
SHA1 hash:
a6837ed079f259712be516d45e14ada19c549843
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
0fc7337cef0ce03a2bd6690843d56ffc69eda94116249fb944628a55dbc1ebca
MD5 hash:
1a1b6f50de3bfb5583cc62f1f42b0ceb
SHA1 hash:
8fa0ba3ad08ea764c1f08a6253457c071db63e13
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
4b38489db02f9010853309d4eb9e86958e1bcb8800a862110fa9453bdeaaabde
MD5 hash:
7eeb310736676761e1d566ddb8941a28
SHA1 hash:
5beb31949a1716e6cbfb668cf02feb0b6be5f36e
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
6805e04b0e21a807aec3812aa9cc5cffb9980bbf28ed8b45819037a051337784
MD5 hash:
852b5024cf0c8509795100968a3081ee
SHA1 hash:
431a6c846c8c58458ba697db021ad2a6b37e5ef0
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
c04479b546b652253c3a2e448a1d1318d4d28700b5455e9e243871685afd1772
MD5 hash:
c892f22bbb91141d5b9a6b3e26f2f75a
SHA1 hash:
02ec2b3b48a46781aa7b5db57c82a39f0d452b15
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
04ef2fa5bad20cf169e10a490388cc7776c639b3fc597e97e6cd0152145812a4
MD5 hash:
6a40020d9f351c50c8f18172e88fa072
SHA1 hash:
099335082aee9d2029fd4f96fbfb9b60e61b68c0
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
51083f1071cc6c67bc643417a0be92c3190a044f6cb0d913bb8afb01adc08f3f
MD5 hash:
59073d016866002414aa2c915f8d1f6e
SHA1 hash:
dc285bc11154c5d4b932514934bd16c71b2a3938
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
d95b8e2d8bf52369a369cf6ee5366297a8984380210d7eea29a82cf53b8501fa
MD5 hash:
4da644a647b164089629ff894110d9cf
SHA1 hash:
8f29d97853790d852203c0921c39609ee8c6b27e
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
642f5d31e9797e4509429807009ee2871ac9826b5b513ff229956a3d87ed1f8e
MD5 hash:
488029d7287523022a3a3c0fad808e36
SHA1 hash:
1f28a900f11d99b0f6e65cf3b1e63b0bd22f45db
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
f3fee3357dd01ec34ae91b3e68ec1d9a5cd8cb6b18e94366ed26b695c31e4235
MD5 hash:
3edf1ca46eb8e107c4f05111e467baf9
SHA1 hash:
096ea2560817c0a3a381fbe7d43922013d145a58
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
d32f0e9b462366402a5283ee67bd26a48d25086535577e9fc70c7c70a16ab8d0
MD5 hash:
7e17503655c3b62d7a4a8da817bff23a
SHA1 hash:
c0bd2216021fc459e40e53835d239e9fa61aa0d0
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
SH256 hash:
6104f2b4049168fea236bb6a5b9a5194b878b61f87336eafb0fe5a5fab93144b
MD5 hash:
7289c24e6e34cf7ed1d518152eb64eac
SHA1 hash:
e7996ee499e594195cf25be007ba862c299d50ab
Link:
https://www.unpac.me/results/eab604b8-9a8b-4c6d-838f-ff443bf5284a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6104f2b4049168fea236bb6a5b9a5194b878b61f87336eafb0fe5a5fab93144b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221686/

Comments