MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: 7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
SHA3-384 hash: 14ba3176ef19f1546aebe4fe52c4d672a347d65a2f6e6e18c66a6ccacb1cefe44ae2ce68fe3bee446be6ff93d269d91a
SHA1 hash: 547b531b51d5cc1fe41f9f293c4d213a2a407cb0
MD5 hash: 0020defdf72b50c9e4e85a06358ba3f3
humanhash: autumn-jersey-india-video
File name: 7287980C1AFB840A7438471126C0C95C36FEFA79A013F.exe
Signature: RedLineStealer
File size: 4'346'521 bytes
First seen: 2022-08-05 19:00:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xSy9ivBhAHMfAkc+3yTX2+wmxQR7f0BgbLDnRkGgagaAEINkloCwAV54vG:xSy90AsfAkc+4m/6kRk+gaALiloCw1vG
TLSH: T1FF1633603EE186BDE0A3503667A83BBB25FCB3590636CEF723544A463D3D1D1827E499
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://49.12.9.140:1080/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                        ThreatFox Reference
http://49.12.9.140:1080/   https://threatfox.abuse.ch/ioc/841510/
52.14.249.40:36095         https://threatfox.abuse.ch/ioc/841535/

Intelligence


File Origin
# of uploads: 1
# of downloads: 383
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7287980C1AFB840A7438471126C0C95C36FEFA79A013F.exe
Verdict: No threats detected
Analysis date: 2022-08-05 19:03:37 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: overlay packed shell32.dll vidar
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nymaim, PrivateLoader, RedLine, Socelars
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph: ID 679473; sample 7287980C1AFB840A7438471126C...; start date 05/08/2022; architecture WINDOWS; score 100 (interactive graph rendering not reproduced here)
Threat name: Win32.Trojan.Cryprar
Status: Malicious
First seen: 2021-10-21 12:56:40 UTC
File Type: PE (Exe)
Extracted files: 170
AV detection: 20 of 25 (80.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:privateloader family:redline family:socelars botnet:media8 botnet:sehrish aspackv2 evasion infostealer loader main spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger payload
Modifies Windows Defender Real-time Protection settings
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
Socelars
Socelars payload
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
