MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
SHA3-384 hash: 8a9b3c1751379155663202f50d975b89869e876ecbe236a9ce4be3f359667806630ac3ba0becd407e65b977e97da140e
SHA1 hash: 7b0ad38d008d1c7a40e2575b005e9876aca4f06d
MD5 hash: 911669a9c6aedd2806a996ad49adac13
humanhash: east-monkey-leopard-shade
File name: 734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe
Signature: RedLineStealer
File size: 3'548'289 bytes
First seen: 2021-11-20 01:35:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:x8CvLUBsg7hxBQbyOwHITwL0y5POTO9iGs:xhLUCgvBQleITwLxJTs
TLSH: T1F7F533217BF688B6F902607029A45FB8F4BEC98C3E2607D77B454613BF1E89A711B0D5
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
77.232.40.51:20166

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 77.232.40.51:20166
ThreatFox reference: https://threatfox.abuse.ch/ioc/251021/

Intelligence


File Origin
# of uploads: 1
# of downloads: 165
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe
Verdict: No threats detected
Analysis date: 2021-11-20 01:43:55 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: arkeistealer barys diamondfox overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Generic malware RedLine SmokeLoader Soce
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph: ID 525463, sample 734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe, start date 20/11/2021, architecture WINDOWS, score 100 (graph rendering omitted)
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-08-17 13:37:27 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:pab3 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: RedOctoberPluginCollectInfo
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments