MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347
SHA3-384 hash: 81590a0a1d19c0dfd1dc1e9266c709b54cef3992144bdd468c06876799649ac8b7cbbc421113c2b771ef646034041aa4
SHA1 hash: 8113b09b48cda4b933b7621915ede9ec80b4438b
MD5 hash: 98d129283fccf504adb59f2ff02bdf76
humanhash: mockingbird-juliet-oranges-cola
File name: 98D129283FCCF504ADB59F2FF02BDF76.exe
Signature: RedLineStealer
File size: 3'428'927 bytes
First seen: 2021-08-13 19:11:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:yfIUwCB+IqvVH1/KhodEgl5fLkA0HhkL/DR/JEL:yfIbC4Iqv1xKhGEwTkDBs/tBe
Threatray: 332 similar samples on MalwareBazaar
TLSH: T1F2F533C456D98663D75F1339DA335B6F0EB9501611E5D3AC36EB3029B2032C1B9E7BA0
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
65.21.228.92:46802

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 65.21.228.92:46802
ThreatFox reference: https://threatfox.abuse.ch/ioc/184313/

Intelligence


File Origin
# of uploads:
1
# of downloads:
166
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main_setup_x86x64.exe
Verdict:
Malicious activity
Analysis date:
2021-08-11 10:31:00 UTC
Tags:
evasion trojan rat redline phishing

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Clipboard Hijacker Cookie Stealer Raccoo
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample is protected by VMProtect
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Cookie Stealer
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 465071. Sample: SGZ6ajC1eQ.exe. Start date: 13/08/2021. Architecture: WINDOWS. Score: 100.

Initial process (node 2): network contacts 91.228.218.118 VOLIA-ASUA Ukraine; 208.95.112.1 TUT-ASUS United States; 11 other IPs or domains. Signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 17 other signatures. Started: SGZ6ajC1eQ.exe (node 10); svchost.exe (node 13).

SGZ6ajC1eQ.exe (node 10): dropped C:\Users\user\AppData\...\setup_installer.exe (PE32). Started: setup_installer.exe (node 15).

setup_installer.exe (node 15): dropped C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 3 other files (none is malicious). Started: setup_install.exe (node 18).

setup_install.exe (node 18): network contacts 172.67.170.195 CLOUDFLARENETUS United States; 127.0.0.1 unknown unknown. Dropped C:\Users\user\AppData\...\ffdebd71b3232.exe (PE32); C:\Users\user\...\7a0a59dd28055ec3.exe (PE32); C:\Users\user\AppData\...\09c48f70afae1.exe (PE32); 4 other files (none is malicious). Started: cmd.exe (node 22); cmd.exe (node 24); cmd.exe (node 26); 3 other processes (node 28).

cmd.exe (node 22) started 09c48f70afae1.exe (node 30); cmd.exe (node 24) started 7a0a59dd28055ec3.exe (node 35); cmd.exe (node 26) started ffdebd71b3232.exe (node 37).

09c48f70afae1.exe (node 30): network contacts 37.0.10.236 WKD-ASIE Netherlands; 37.0.11.8 WKD-ASIE Netherlands; 12 other IPs or domains. Dropped C:\Users\...\xfKRCNI3zYjp1n8vs2n_6A5L.exe (PE32); C:\Users\...\wz_NXQWwN8nnDvf039Stz3Aq.exe (PE32); C:\Users\...\vk97F3cj7fMnZ4afA3UBDT8d.exe (PE32); 41 other files (33 malicious). Signatures: Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry).

7a0a59dd28055ec3.exe (node 35): network contacts 116.203.127.162 HETZNER-ASDE Germany; 74.114.154.22 AUTOMATTICUS Canada. Dropped C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); 9 other files (none is malicious). Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets.

ffdebd71b3232.exe (node 37): network contact 186.2.171.3 DDOS-GUARDCORPBZ Belize. Dropped C:\Users\user\Documents\...\ffdebd71b3232.exe (PE32). Signature: Tries to harvest and steal browser information (history, passwords, etc).
Threat name:
Win32.Infostealer.Passteal
Status:
Malicious
First seen:
2021-08-11 07:38:04 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:916 botnet:937 botnet:93d3ccba4a3cbd5e268873fc1760b2335272e198 aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Unpacked files
SHA256 hash: bd63cda547353a5b469d23ecae78105948287812d3f290dd3ebe3ca93a883e54
MD5 hash: d3cba1cdea5c2c94909a14238f3a2f57
SHA1 hash: c361e0d74339bd4d9318aee02d1294dc1f6de2d0

SHA256 hash: 61167f2be099b7bf668e25a470119adfa0c409c2e5c059ad1a016c14dd168f3f
MD5 hash: 8cd6a0f9c54968b2003415a62a6ce8b7
SHA1 hash: ea5bacbba4ebceacf4f7c547fc840d03fb8654f7

SHA256 hash: 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash: 0965da18bfbf19bafb1c414882e19081
SHA1 hash: e4556bac206f74d3a3d3f637e594507c30707240

SHA256 hash: 23e2a056155948a0f8dee4ff30f0336fe7aa1922be58010acc88fbec64c3e822
MD5 hash: 78e8acd24692dbfac7f20fd60fe5dfbd
SHA1 hash: d9c1f3b4ccceaa21897c57d8f343c0b3b19c88ca

SHA256 hash: 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash: c0d18a829910babf695b4fdaea21a047
SHA1 hash: 236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256 hash: 3e7be2266d53ce6a2d3ff914922950d18e4e3e2b464960f32b1199ded644ea94
MD5 hash: df9e9646510cb0f817d7475b8b73401d
SHA1 hash: c25414a4a2ade8b68f03a16e8ce8b600df76a0f4

SHA256 hash: 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
MD5 hash: 83cc20c8d4dd098313434b405648ebfd
SHA1 hash: 59b99c73776d555a985b2f2dcc38b826933766b3

SHA256 hash: c5293ac08c37ae7b696a14a0d8aa1ea6f329e023d5c3cbd115f378831edce448
MD5 hash: 668eebee3a95758a4c43dafa5314b646
SHA1 hash: 29dc92fbf958c99d26502c17a23d4a795c3b606e

SHA256 hash: ed470877e66688ac30286af7e3a636f3256ae72ecb2e74b305973424097ebd9f
MD5 hash: c43185d3bd93f2b7ba1a57aabc9ce302
SHA1 hash: 0e54a96d10e48ef80d95212de649fac7ad86ef17

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: 307815f31a37fd698a14760661e2774130f6b43f5b45f4717135f31f6830dc04
MD5 hash: 12f060b4a9687595bb4de607ac51d512
SHA1 hash: 487744fe6e51e5e94095b59e275c42fddcf38ae6

SHA256 hash: 3c23b11ffa034ca5a290f6c2f894cea571bcc3e6cb837b9f38068f9b70138987
MD5 hash: 19f8252bce042089dba8ac4829e39c90
SHA1 hash: 524d9e39ab1f79ed9c5ce19c368e3f66035cf2da

SHA256 hash: 6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347
MD5 hash: 98d129283fccf504adb59f2ff02bdf76
SHA1 hash: 8113b09b48cda4b933b7621915ede9ec80b4438b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: pe_imphash

Rule name: RedLine
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_new_bin
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: RedOctoberPluginCollectInfo

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments