MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63581ae3a6484a00bb415bdc2105a1256fb9929a7cb3ef9bcce1b141bb99bf7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63581ae3a6484a00bb415bdc2105a1256fb9929a7cb3ef9bcce1b141bb99bf7f
SHA3-384 hash: 1d4177e016a6e5221c6bfd67d44e9bd968eedbe19e611c09c7566b4a31f73f7aeea63f08d96b52b89ef46e4b2e22dd76
SHA1 hash: 5bfd848feabd6cb1fe1fd068d2ff98aca16412a2
MD5 hash: 0ee6c0c3125b0fa3de7485ba25ce5f83
humanhash: iowa-texas-ink-enemy
File name:0ee6c0c3125b0fa3de7485ba25ce5f83.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:774'144 bytes
First seen:2022-05-11 10:07:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'507 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 12288:VQi3IG+zy2yc6m6UR0IWp1hf39Wkv8xwJ:VQiYG+zy2yzHIWpdUM
Threatray 249 similar samples on MalwareBazaar
TLSH T16CF4F003E646902FDC119B33D852BD71DEEEEE32DB255027268F3A4A1E321C1915F6B2
TrID 78.6% (.EXE) Inno Setup installer (109740/4/30)
10.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
2.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 3044f031f1c8d800 (1 x RedLineStealer, 1 x ManusCrypt)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.140.115.94:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.140.115.94:80 https://threatfox.abuse.ch/ioc/549535/

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269655/
Detection(s):
SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Sending an HTTP POST request
Creating a file
Adding an access-denied ACE
Moving a file to the Program Files subdirectory
Modifying a system file
Launching a process
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Searching for the browser window
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17111/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar control.exe greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/627b8b09be0219041a9291b8/reports/ed10c239-99f4-4996-8ae7-6eda76d37a0b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Microleaves
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc2a1725-cc81-4064-a90a-d16b2a87eea4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991754
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many IPs within the same subnet mask (likely port scanning)
Creates autostart registry keys with suspicious values (likely registry only malware)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 624246 Sample: fogL3nYNAM.exe Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 109 wyylde.com 2->109 111 www.wyylde.com 2->111 113 83 other IPs or domains 2->113 147 Snort IDS alert for network traffic 2->147 149 Antivirus detection for URL or domain 2->149 151 Antivirus detection for dropped file 2->151 153 9 other signatures 2->153 11 fogL3nYNAM.exe 2 2->11         started        15 Xelocodify.exe 2->15         started        signatures3 process4 dnsIp5 91 C:\Users\user\AppData\...\fogL3nYNAM.tmp, PE32 11->91 dropped 157 Obfuscated command line found 11->157 18 fogL3nYNAM.tmp 3 19 11->18         started        141 google.com 172.217.16.142 GOOGLEUS United States 15->141 143 s3.pl-waw.scw.cloud 15->143 145 doja-cat.s3.pl-waw.scw.cloud 15->145 93 C:\...\Windows__Update.exe, PE32 15->93 dropped 95 C:\...\Windows__Update.exe.config, XML 15->95 dropped 22 Windows__Update.exe 15->22         started        file6 signatures7 process8 dnsIp9 115 s3.pl-waw.scw.cloud 151.115.10.1, 443, 49755, 49762 OnlineSASFR United Kingdom 18->115 117 doja-cat.s3.pl-waw.scw.cloud 18->117 67 C:\Users\user\AppData\Local\Temp\...\lBo5.exe, PE32 18->67 dropped 69 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 18->69 dropped 71 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 18->71 dropped 73 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->73 dropped 24 lBo5.exe 20 20 18->24         started        119 yonhelioliskor.com 22->119 121 connectini.net 22->121 file10 process11 dnsIp12 129 connectini.net 37.230.138.123, 443, 49761, 49775 ROCKETTELECOM-ASRU Russian Federation 24->129 131 360devtracking.com 37.230.138.66, 49774, 49858, 49860 ROCKETTELECOM-ASRU Russian Federation 24->131 133 3 other IPs or domains 24->133 83 C:\Users\user\AppData\...\Jaequpixyfae.exe, PE32 24->83 dropped 85 C:\Users\user\AppData\...\Caeqemibeqo.exe, PE32 24->85 dropped 87 C:\Program Files\...\poweroff.exe, PE32 24->87 dropped 89 3 other malicious files 24->89 dropped 155 Creates autostart registry keys with suspicious values (likely registry only malware) 24->155 29 poweroff.exe 24->29         started        33 Jaequpixyfae.exe 14 17 24->33         started        36 Caeqemibeqo.exe 14 4 24->36         started        file13 signatures14 process15 dnsIp16 97 C:\Users\user\AppData\Local\...\poweroff.tmp, PE32 29->97 dropped 159 Obfuscated command line found 29->159 38 poweroff.tmp 29->38         started        99 www.google.com 142.250.185.100, 49776, 80 GOOGLEUS United States 33->99 101 connectini.net 33->101 103 4tdiets.gr 33->103 41 chrome.exe 33->41         started        44 chrome.exe 33->44         started        46 chrome.exe 33->46         started        48 19 other processes 33->48 105 google.com 36->105 107 connectini.net 36->107 161 Multi AV Scanner detection for dropped file 36->161 file17 signatures18 process19 dnsIp20 75 C:\Program Files (x86)\...\is-CHBJ6.tmp, PE32 38->75 dropped 77 C:\...\Power Off.exe (copy), PE32 38->77 dropped 79 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 38->79 dropped 81 3 other files (none is malicious) 38->81 dropped 50 Power Off.exe 38->50         started        135 192.168.2.4, 443, 49715, 49717 unknown unknown 41->135 137 239.255.255.250 unknown Reserved 41->137 52 chrome.exe 41->52         started        139 192.168.2.1 unknown unknown 44->139 55 chrome.exe 44->55         started        57 chrome.exe 46->57         started        59 chrome.exe 48->59         started        61 chrome.exe 48->61         started        63 chrome.exe 48->63         started        65 chrome.exe 48->65         started        file21 process22 dnsIp23 123 my.rtmark.net 139.45.195.8, 443, 49804, 49805 RETN-ASEU Netherlands 52->123 125 soksicme.com 139.45.197.151, 443, 49814, 49817 RETN-ASEU Netherlands 52->125 127 28 other IPs or domains 52->127
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63581ae3a6484a00bb415bdc2105a1256fb9929a7cb3ef9bcce1b141bb99bf7f/
Threat name:
Win32.Downloader.Chebka
Create hunting rule
Status:
Malicious
First seen:
2022-05-05 23:10:50 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
23 of 41 (56.10%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mnmbvy5gjbfabo2blpoccbnbevx3teu2psz67g6m4gyudo4zx57q._file
Verdict:
malicious
Similar samples:
0f61c7d939ea77fff7eb409522338347b140beb1c5977bd0fc84ff301dd31605
RedLineStealer
10eb78f5a36f8ca290bf100f6f05d7a04489cef0023e86860062d6d03e6fa9ed
RedLineStealer
40fcfc0be44750f5ecb9928b518155a67d7b89d2e93f1509d649ebe637f9689b
RedLineStealer
498421bc4c78ba9bf7c9d669bd9958cf2c0c1cc89e94288800fe004400821ef3
RedLineStealer
82346f3a4b7e84f746f6242ff70265b1467ffdcd01954f71806f86c2989a9819
RedLineStealer
83a0838ce422cf0354914df7efde5aeadb19cbc84ee315725de96237df2a36aa
RedLineStealer
c59afb9bb8fad3568800ebdfd5fd07e35d3b77c3ce7316cda5fa1c37b924c4b8
RedLineStealer
de1ae614a8a926b44989594d2bd4615c14700e575662d7c4689789d6b228f79e
RedLineStealer
+ 239 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:socelars family:vidar botnet:1281 botnet:jl1 discovery evasion infostealer persistence spyware stealer suricata trojan vmprotect
Link:
https://tria.ge/reports/220511-l5mpmsbabq/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
VMProtect packed file
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE Observed Malicious Filename in Outbound POST Request (Browsers/Cookies/Microsoft Edge_)
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/hfber54/
https://t.me/hollandracing
https://busshi.moe/@ronxik321
cenyeyalory.xyz:80
kaiaiannial.xyz:80
viasanainah.xyz:80
xtelstasiup.xyz:80
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/d487a504-920e-4d7a-ae26-4e39af589cd9/
SH256 hash:
8eb9e13f9fbc885518be7ff3ff1e6cb6aa6d5a687aeb441bdac1709255b7a184
MD5 hash:
06edf8b8aa9ed855226bd3e3a8d9368d
SHA1 hash:
02f84e7dbf43f1f77ad49db2fefd10e7b295b1d5
Link:
https://www.unpac.me/results/d487a504-920e-4d7a-ae26-4e39af589cd9/
SH256 hash:
63581ae3a6484a00bb415bdc2105a1256fb9929a7cb3ef9bcce1b141bb99bf7f
MD5 hash:
0ee6c0c3125b0fa3de7485ba25ce5f83
SHA1 hash:
5bfd848feabd6cb1fe1fd068d2ff98aca16412a2
Link:
https://www.unpac.me/results/d487a504-920e-4d7a-ae26-4e39af589cd9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63581ae3a6484a00bb415bdc2105a1256fb9929a7cb3ef9bcce1b141bb99bf7f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269655/

Comments