MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900
SHA3-384 hash:	a2b3dc22ca47e5ef93ebce9745dfac10b1623d0f5924d9f46724fe2e7ad28b0fb801e6ae5dd0b2f366dee7a6a54b285b
SHA1 hash:	044df161143e5e5c255b4edea7199364703776ed
MD5 hash:	918769eceacd168684def1b316ff3198
humanhash:	nevada-oranges-finch-aspen
File name:	918769ECEACD168684DEF1B316FF3198.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'430'622 bytes
First seen:	2021-08-13 20:02:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep	98304:xHCvLUBsg//y/FkpXd/00WuDu8gSX0zIqqr9u/ieKJLDGwtOR:xkLUCgnE600WX8gSXrnrEaeqDi
Threatray	332 similar samples on MalwareBazaar
TLSH	T13FF5331376D5D0F2E9411530994CBFB2B3ADC3C60A675CAFA740699C6FADCB1A01BA0D
dhash icon	848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://34.77.115.2/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://34.77.115.2/	https://threatfox.abuse.ch/ioc/185163/

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/179083/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Win.Malware.Jaik-9885385-0

Win.Malware.Jaik-9885386-0

Win.Malware.Jaik-9885388-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Searching for the window

Running batch commands

Connection attempt

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Deleting a recently created file

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Bsymem

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/08f0c3c2-cda1-4c62-895a-6970e883f78d

Result

Threat name:

Raccoon RedLine Socelars Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/832650

Signature

.NET source code contains very large strings

.NET source code references suspicious native API functions

Antivirus detection for dropped file

Antivirus detection for URL or domain

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates HTML files with .exe extension (expired dropper behavior)

Creates processes via WMI

Detected VMProtect packer

Disable Windows Defender real time protection (registry)

Drops PE files to the document folder of the user

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sample is protected by VMProtect

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Costura Assembly Loader

Yara detected Raccoon Stealer

Yara detected RedLine Stealer

Yara detected Socelars

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-11 12:42:35 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=npe4jznir2vjkvinazx7alyniw3l2kut7pfxfnlcy3dfzydlxeaa._file

Verdict:

unknown

RedLineStealer

205b3ed8bb5aaa874ef73d4a47206b16a42397e7d77422936dfa6eb39f038ab6

RedLineStealer

486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5

RedLineStealer

82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2

RedLineStealer

c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c

RedLineStealer

c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed

RedLineStealer

cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3

RedLineStealer

+ 322 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:916 botnet:93d3ccba4a3cbd5e268873fc1760b2335272e198 aspackv2 backdoor discovery infostealer spyware stealer suricata trojan vmprotect

Link:

https://tria.ge/reports/210813-xpq2gclj8s/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Kills process with taskkill

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Vidar Stealer

Process spawned unexpected child process

Raccoon

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE GCleaner Downloader Activity M1

suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Malware Config

C2 Extraction:

https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/

Dropper Extraction:

http://193.56.146.55/Api/GetFile2

Unpacked files

SH256 hash:

df6d674013ce24f66df320faf829d720fda51294f673ab12e6ca660d4f5a0d93

MD5 hash:

ed22a008628e35cdaa23b15d6cc1fac7

SHA1 hash:

7a05e54bd591efa7e2b53112f76ec74effdb59c0

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

c3f668640e10b6eb17e155cf7f564c54af57b2719ea5f97ce4bd6cbab92bad7f

MD5 hash:

4ea74e00b361ebbe8f5e06d7a104c697

SHA1 hash:

115fb2bb0ca9aeeb597fc3259371a4f77678322b

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568

MD5 hash:

6e088927a17d87c498f7011b1e26fa3a

SHA1 hash:

7f58e9a788c520a7c299af00f97252ce3c4d7131

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

Parent samples :

365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2

SH256 hash:

207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9

MD5 hash:

4955a27a03f35933fdbd801f425b6c58

SHA1 hash:

97f3b8f33fd1a49cf9db5a246d996047beef3c12

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

Parent samples :

db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f

SH256 hash:

f2c65e1f03278ed9fbe8fecd7cbdeae8b9769fdb91f2ea9163dba2e5a4a166ac

MD5 hash:

bf81245bb4e15ef6e62cb768d6a6a94b

SHA1 hash:

2d61ec4a18405867f66c606727e18e2bb779bc09

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

MD5 hash:

0965da18bfbf19bafb1c414882e19081

SHA1 hash:

e4556bac206f74d3a3d3f637e594507c30707240

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4

MD5 hash:

3d82323e7a84a2692208024901cd2857

SHA1 hash:

9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6

MD5 hash:

80a85c4bf6c8500431c195eecb769363

SHA1 hash:

72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

MD5 hash:

c0d18a829910babf695b4fdaea21a047

SHA1 hash:

236a19746fe1a1063ebe077c8a0553566f92ef0f

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

d51591aeef90efc08f8ed00c1ecd558f3b2e2c70e82a2c08445c91f8b2e73417

MD5 hash:

595b31311fb733b5dd6f738917797a11

SHA1 hash:

bf6593100440d43ee577acf45e8762a342efa46b

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6

MD5 hash:

5b8639f453da7c204942d918b40181de

SHA1 hash:

2daed225238a9b1fe2359133e6d8e7e85e7d6995

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

a5ea28b67b8552820e0a111d9b37945e31839b63a8e5abbb5ef010914786c390

MD5 hash:

9710e966466df1f2fb41aa913f4aa425

SHA1 hash:

04e0d06d4fd33bcc9d37ccd2c5595824e19a6d4c

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

4bdb1402f363daebf32d742ece839343d61829d71e514454de2a0bdb783a8f0a

MD5 hash:

17308b505776fea87b2c71158bc3bd08

SHA1 hash:

9cab577824f70c87be38b7c255c2fed2e90e9ca4

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

ec948755e19add4ad4f36ab9d2fd85b6381f6ad2b209f9305cca9d7e75ed02c5

MD5 hash:

47dad8ceaaa055b3a5933b1f2f2e40e3

SHA1 hash:

9fdea04125fb3f9934a134c7c92795dceeace8bf

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

SH256 hash:

6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900

MD5 hash:

918769eceacd168684def1b316ff3198

SHA1 hash:

044df161143e5e5c255b4edea7199364703776ed

Link:

https://www.unpac.me/results/1f7c00eb-87e5-40eb-b79e-06f62dfa0610/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6bc9c4e5a88e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/179083/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample