MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 4 YARA 10 File information Comments

SHA256 hash:	6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
SHA3-384 hash:	3200cf51a312af8ae3129093300be60e50edb9ee5f47cd3bf19fa8d5f1d1ea57b8a3ff43bdd830a425d4378b36717c00
SHA1 hash:	214e1ffe1fe5271e11308aceb4f5d03b89e607e0
MD5 hash:	207314269cf248438c64288dbd8dd84a
humanhash:	asparagus-magnesium-diet-music
File name:	6A42F7E5290BF7E40E1AA0C0E9CEDA098A612D6DDA9B7.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	6'677'494 bytes
First seen:	2022-08-06 17:15:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	196608:JLI5fYDoJlBDn7Oxz7hjwVJtbdXpOOvNfSRsu:Jc5gDozlSAxXEofSRsu
TLSH	T1E366338E56ACDCDECFA62DB2AA19D7C736AEB98142A01D202FFD74863C504D03B47530
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
194.36.177.7:39556

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
194.36.177.7:39556	https://threatfox.abuse.ch/ioc/841642/
65.108.231.254:29517	https://threatfox.abuse.ch/ioc/841643/
185.106.92.8:38644	https://threatfox.abuse.ch/ioc/841664/
193.124.22.7:35318	https://threatfox.abuse.ch/ioc/841665/

Intelligence

File Origin

# of uploads :

# of downloads :

358

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6A42F7E5290BF7E40E1AA0C0E9CEDA098A612D6DDA9B7.exe

Verdict:

No threats detected

Analysis date:

2022-08-06 17:16:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2126ff09-39fd-45a1-9487-10ae4a307faa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296889/

Detection(s):

Win.Dropper.Pswtool-9857535-0

Win.Packed.Barys-9859263-0

Win.Malware.Barys-9859499-0

Win.Packed.Barys-9859531-0

Win.Packed.Jaik-9863991-0

Result

Verdict:

Malware

Maliciousness:

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/28253/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

60%

Tags:

overlay packed shell32.dll wacatac

Link:

https://www.filescan.io/uploads/62eea24e6336465f2a1b204d/reports/1e280b65-326f-4af2-916b-e5dbfb521d8b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c52cf1c-3817-412a-a51c-eb8cf66accd2

Result

Threat name:

Nymaim, RedLine, SmokeLoader, Socelars,

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1047335

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Connects to a pastebin service (likely for C&C)

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disables Windows Defender (via service or powershell)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Obfuscated command line found

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Generic Downloader

Yara detected Nymaim

Yara detected onlyLogger

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Socelars

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected WebBrowserPassView password recovery tool

Yara Genericmalware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826/

Threat name:

Win32.Spyware.RedLine

Status:

Suspicious

First seen:

2022-08-05 23:21:00 UTC

AV detection:

32 of 41 (78.05%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=njbppzjjbp36idq2udaottw2bgfgclln3knx7jqt4db2lcywxata._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:onlylogger family:privateloader family:redline family:socelars family:vidar botnet:915 botnet:media18n botnet:v3user1 aspackv2 evasion infostealer loader main spyware stealer trojan

Link:

https://tria.ge/reports/220806-vs48labdf5/

Behaviour

Checks SCSI registry key(s)

Kills process with taskkill

Modifies system certificate store

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

ASPack v2.12-2.42

Executes dropped EXE

NirSoft WebBrowserPassView

Nirsoft

OnlyLogger payload

Vidar Stealer

Modifies Windows Defender Real-time Protection settings

OnlyLogger

PrivateLoader

Process spawned unexpected child process

RedLine

RedLine payload

Socelars

Socelars payload

Vidar

Malware Config

C2 Extraction:

http://www.biohazardgraphics.com/
https://noc.social/@sergeev46
https://c.im/@sergeev47
159.69.246.184:13127
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
65.108.69.168:13293

Unpacked files

SH256 hash:

012c3d22b5374c4f595fcf1986bf2a67697f322f36e8bb6456809334f98f5781

MD5 hash:

8bacb64db8fb73308faefd14b863fd43

SHA1 hash:

c5bf54f8b9cc198d6d380f3ee7a74df2feadf32a

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

9dac78cf97a753e813b02cb654f076cdea03155bc9a98ed64ec248729ead52ec

MD5 hash:

29fa5c5ade39d4ae5a0f564949278923

SHA1 hash:

376051004220051779d97fcb44065a8724de370b

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

86e7fd4882b259fccbc3ff1f394c984f07eaa32a05d332b7960ffb80ec8421e7

MD5 hash:

0b0861743db97941c3ed0f454a8a125c

SHA1 hash:

b37c609fb2131f09161279d8dfaa617ef4e0c929

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599

MD5 hash:

ded1c6e8c89148495fc19734e47b664d

SHA1 hash:

3a444aeacd154f8d66bca8a98615765c25eb3d41

Detections:

win_smokeloader_a2

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

Parent samples :

3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893

SH256 hash:

e145af35ca7fcc9da24f8d0bd4f8cc9993ddf532a3d43bdf995f1528f58d5b7e

MD5 hash:

f785f4a83149814d32c597487d357f60

SHA1 hash:

e775adb0c6ab03167ee7bccb8890c60232f905f4

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

e7b8877389f0bfb5fb95f08a799a0e7d06a2f7161a0287552ff3eadf06bd1dd1

MD5 hash:

e9eb471509abbfb4456285e82b25d1c9

SHA1 hash:

b96ef576c147ea8a1b3e0bd5430117ba9ad31096

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

8322127dbc13bdf9dcdf310011432f27412e052c376852596b43c1c136328339

MD5 hash:

807babbe11c53c0f75cc9ffed87e802f

SHA1 hash:

efb796e24f720117bf589d82b3b95ca310c2f7a9

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

affa49f817016dab08ddc4a0145f1a3ff50c1f38e7d3bbd3c8839d20398c80a9

MD5 hash:

2c99335203b4b47dea55c1cbc9a3d998

SHA1 hash:

e7bcaaac773521096c35af483eb31a59fb2ba6ad

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

920752bc9ca56c28044b5a07c9c5001f581c85e25695047226ce413b7470bd25

MD5 hash:

04e8f41c069799e92d9001084a21a848

SHA1 hash:

c89d26ee8a2353ab7d59e405307a05edf85b1426

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

aa5f31cbca69d68455876ccc701f92e47035e430133c0008f9aa567b0d537132

MD5 hash:

88d36a5e80efca5eeaf700d76526408f

SHA1 hash:

c77b52af91df28768a54d9d68f44ee370a8ef766

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

ed1d717d35a927a8464dc954904af8bea56bcff628005c867b950a8010d99f87

MD5 hash:

554ff5f0936b8762b0c06ef07a84baeb

SHA1 hash:

b70d2d8d728894523d4b93e9b7fd178ce82530ae

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

fb5e44afa9b86e8d68f158b58036682dc28b8e3ed0d5391ffcd246f5bd8dec99

MD5 hash:

4c120576caedf379e15621df6328dfc0

SHA1 hash:

af3ddbcb753c2609d1b1c0985984a0957d9d0d0f

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

79891e5f22bd826844f1f823318c8fd97bd5f39c0a9644aa9bc1f07a7a37deb8

MD5 hash:

de1498ead9690921b2a4a20aa6b39cc4

SHA1 hash:

a73cbecf1a479ddc09ce734471c1b6ca0429e38e

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

e6de1140792dba52fc2911d025c6a5748619026c3e5c70ec006d9db52c0dd332

MD5 hash:

40907dc382e973bd990a70f9b86eb458

SHA1 hash:

a23b9879160ea0c8a112cc219d1506ae1319d482

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

1c73116820ef5324a4b05bafe64dbff3144764b8ff62f35c7348fee1901331a1

MD5 hash:

a1cfc967b760fb4b19e0d695b537812d

SHA1 hash:

8e91dac199ea18ace1bb0356a6c095b2d119604d

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

8ea2ceb773f656696b231c40667d0162ad5100c3ff8e0b3d76d46829f2de3484

MD5 hash:

7793d38b5b4e2e3d9e972f9c07bc1c7c

SHA1 hash:

83ff2d600765ea59a1c073874741d761e95d5332

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

89954bf96951019fc60a96db190195af77a357f5ab168096406b1f98fb3480bd

MD5 hash:

031981cdafd249834547bf8a4118ffa7

SHA1 hash:

48570d0eb93a415e9eb47c9897fda88e9ff6b6a3

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

a0847e333e9ee1da17b230b76811bbb1bbd82bdaedddb4e79e6f8cdcc91dddaf

MD5 hash:

3f761d7bd400f76a0fc083389b384b1f

SHA1 hash:

3e382c2e740fbb2bf8d78982f25ca2723b4aa253

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

4ae33a84949c255b6579104a4dc5396bc96c2bc451300d3a057a9c50738c1c38

MD5 hash:

ad452197022a10b105c6892bb31d34a3

SHA1 hash:

3b4fe1df013cd14fc32a69b6ad77ea4e5d2c4f58

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

e7a64102af972b0d27d52beb1baa71cee232ab90e44bebc9389ab6412a516c5d

MD5 hash:

047445d8e46991254e106b94f29e9330

SHA1 hash:

0962feabee4f7e03b0afb20947bd8188304e4c76

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

a6fe15069a6ea98b42471503e427375cdf14b92fd6bf6f69a21dbe2e1a675c98

MD5 hash:

26f0fa618a849f4c2c8a054bb41583d2

SHA1 hash:

2d34f74fafe0c0042e567858ed8a8601ce250d14

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

Parent samples :

3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec

MD5 hash:

6faec01bf7a3d7f5c5dee2e6e3143a58

SHA1 hash:

603a36f817cab5574e58ab279379e5c112e5fb37

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b

MD5 hash:

a6865d7dffcc927d975be63b76147e20

SHA1 hash:

28e7edab84163cc2d0c864820bef89bae6f56bf8

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

c9a0fffc096f42131cceb675ec21cebfb17b5937d426f11b3d5cb42a051ae933

MD5 hash:

b916be287a51299e6790ca3c052f1598

SHA1 hash:

819e220b7a47ca5907172a926fdaeac5f13f7c4d

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

d14e136aa2e5f5c0d246e5f9215347a9de43fd6559f9413a41dca58b66d4714c

MD5 hash:

a62cc6a2872b2148de0e13fc4cc1de99

SHA1 hash:

67e852253dac6b63ff4a39c42c24bf0f5812e36c

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

9d53263240e390affc99cd22e7514d3003e0e5ffcf61263042a7f1f1767b47a7

MD5 hash:

f0dd47cb44350055d792f71b3343350f

SHA1 hash:

04d29318a7f7a8c43e241bc50f3a1c65d7e475dc

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

40906ba88b28d543030fed3fadf9339c391336c0032ba79e471fd1c43e2a9d5b

MD5 hash:

898d1ae12e6c46634094f95dd4735f4b

SHA1 hash:

097ea14e100950b398d67f363730dd900b780343

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

c191f8aa4286bf48481ced3ae5ad8a077c466e021e875b32a77adde9199a78e8

MD5 hash:

9d45986e5efed767bed06198250ccfa6

SHA1 hash:

3f31c40dfb2f6497da5d8893f3f30825ca6f9bf6

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

c61269a93ff35f156e606e09df47273a656c7d24ce291345c655956e94b14c77

MD5 hash:

07194565b458f76f65b2987a7650eef6

SHA1 hash:

14ec8b6d55fc5680914dbed1b82fd095fb32ee29

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

c1cf4d0f11765d01b95b1f9363b2905cef19232f405776c14ce79daeeba0be30

MD5 hash:

4cf5a5a55f9a0175fd55e9e7422fde6f

SHA1 hash:

57f9d60a4515e699ce0f4fb5ffd41a84c73b1a58

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

ba4a5de41a749f1c5bc0c41790563bff92a020363b1de70d80ed1e75df010417

MD5 hash:

15ec0e3c3e35bfde9331f5f0d84e89ec

SHA1 hash:

0730e2e1ec387aba9e42660d9be0eb2551a4654f

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

SH256 hash:

6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826

MD5 hash:

207314269cf248438c64288dbd8dd84a

SHA1 hash:

214e1ffe1fe5271e11308aceb4f5d03b89e607e0

Link:

https://www.unpac.me/results/4e34ffa0-ebd9-417b-8e79-fb310cc570d8/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6a42f7e5290b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_DLInjector03 Create hunting rule
Author:	ditekSHen
Description:	Detects unknown loader / injector

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/296889/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample