MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70e14ddf23a5fe3d69cc50752fcc491aa2964a2cfee3d48caf182244929f9953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 13

SHA256 hash: 70e14ddf23a5fe3d69cc50752fcc491aa2964a2cfee3d48caf182244929f9953
SHA3-384 hash: 1137a862deca59ddb1f988a66709067fa171735e5b15cdec58ccb1934888800a01fbc7299077583ddfabc935b6c4fdb9
SHA1 hash: eb6bc44515419244e194d1b2694aca570ba91f7a
MD5 hash: b6038cccff037514a3cd3a2346abaa27
humanhash: fish-december-blossom-black
File name: 70E14DDF23A5FE3D69CC50752FCC491AA2964A2CFEE3D.exe
Signature: RedLineStealer
File size: 6'244'367 bytes
First seen: 2022-01-25 06:56:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JTj+ANs9gNMeWyQqALueTOdGCD5XRPRXgjuQ+Y7UI6vUq8/41ErlR6eQ8V2oEw1k:J3Zs9OPCTOdNDbpQ+Y7U1Uqw41EjzQgC
Threatray: 1'055 similar samples on MalwareBazaar
TLSH: T17356338490CE9F42FF8FC63151B252F34D6BA1FE25AB561A03126E217948F4E9E3DD18
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
91.243.59.167:44301

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
91.243.59.167:44301 | https://threatfox.abuse.ch/ioc/323383/

Intelligence


File Origin
# of uploads:
1
# of downloads:
162
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
arkeistealer barys control.exe mokes overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Socelars onlyLogger
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell File Write to Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected onlyLogger
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph: ID 559276; sample 70E14DDF23A5FE3D69CC50752FC...; start date 25/01/2022; architecture WINDOWS; score 100. (Graph rendering not reproduced. Recoverable process chain: the sample starts setup_installer.exe, which drops and runs setup_install.exe, which launches several cmd.exe instances that in turn execute dropped Thu16*.exe payloads and mshta.exe; the dropped-file, network and signature details of the graph are listed in the Signature and Behaviour sections above and below.)
Threat name:
Win32.Trojan.Fabookie
Status:
Malicious
First seen:
2021-10-28 20:21:28 UTC
File Type:
PE (Exe)
Extracted files:
203
AV detection:
32 of 43 (74.42%)
Threat level:
5/5
Result
Malware family:
socelars
Score:
10/10
Tags:
family:redline family:socelars botnet:chris botnet:media26 botnet:sert23 aspackv2 evasion infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
194.104.136.5:46013
135.181.129.119:4805
91.121.67.60:23325
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments