MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74c2576ed018b452120e3b82ff97b560754bc7d948e8aa81d3b0b35954411b91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	74c2576ed018b452120e3b82ff97b560754bc7d948e8aa81d3b0b35954411b91
SHA3-384 hash:	65d5538db777cef4a66d43b48922a8cc0df97df8b3ce09c23813165b021c1c7cdb52e7e69922b8c38f01f25e6150a872
SHA1 hash:	b86877217822255118d3d7fa1471f963fcb2aae6
MD5 hash:	b8366f92131bd549978f91b869c7204e
humanhash:	october-blue-papa-black
File name:	b8366f92131bd549978f91b869c7204e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	7'330'237 bytes
First seen:	2022-02-10 05:45:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	196608:JaIsNn+bbHswMXB4LjzDAhezvWLN/d0Ej8:JaIsN+/swMk8EWNd0EQ
Threatray	5'508 similar samples on MalwareBazaar
TLSH	T1667633D9A7C3CD9EDBBFD8721A7E19401F67E200168C5F8E2AF1B041B5DC1998513AB8
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
92.255.57.154:11841

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
92.255.57.154:11841	https://threatfox.abuse.ch/ioc/384526/

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Pswtool-9857535-0

Win.Packed.Barys-9859263-0

Win.Malware.Barys-9859499-0

Win.Packed.Barys-9859531-0

Win.Packed.Jaik-9863991-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Searching for the window

Running batch commands

Launching a process

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6204a6a1942573cad44e8700/reports/5a6e06bc-56aa-470a-872e-13fc77978371/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MassLogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b632c6cd-a6c8-41aa-8ba7-9e0075588629

Result

Threat name:

RedLine SmokeLoader Socelars onlyLogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/937517

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Disables Windows Defender (via service or powershell)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Obfuscated command line found

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected onlyLogger

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Socelars

Yara detected WebBrowserPassView password recovery tool

Yara Genericmalware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/74c2576ed018b452120e3b82ff97b560754bc7d948e8aa81d3b0b35954411b91/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-02-07 10:07:33 UTC

File Type:

PE (Exe)

Extracted files:

509

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=otbfo3wqdc2feeqohobp7f5vmb2uxr6zjdukvaotwczvsvcbdoiq._file

Verdict:

malicious

RedLineStealer

1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d

RedLineStealer

1d7c3a08d1e69e704039850f64a88363fc6c9f3721907aa3c0d8165ae20de3a1

RedLineStealer

1e769ecd87928bf1e50a23f6e159c7326a1c6724f66e53d0f3d920784bb15257

RedLineStealer

6059bdd4738c812b60b43a1e0ade3099cfad2dfd306e8fa41c30484a9830d38b

RedLineStealer

7ffeae85c9e4be6675aa85f9fb8883c9a41960de2f7437be9e41288682329b3c

RedLineStealer

cd32b9face07e67bd602c5fc4eabba1f1cd9d8ea969832d13e5c0fa829e9b948

RedLineStealer

ea2aba1a17de28fee1a6097e91c4ceb0f3887f6bbcce46dfe4d2e342b87bef9e

RedLineStealer

+ 5'498 additional samples on MalwareBazaar

Result

Malware family:

socelars

Score:

10/10

Tags:

family:onlylogger family:redline family:smokeloader family:socelars botnet:media456 agilenet aspackv2 backdoor discovery infostealer loader persistence spyware stealer suricata trojan upx

Link:

https://tria.ge/reports/220210-gga9gseghn/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates processes with tasklist

Enumerates system info in registry

Kills process with taskkill

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

OnlyLogger Payload

OnlyLogger

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

http://www.tpyyf.com/
http://dollybuster.at/upload/
http://spaldingcompanies.com/upload/
http://remik-franchise.ru/upload/
http://fennsports.com/upload/
http://am1420wbec.com/upload/
http://islamic-city.com/upload/
http://egsagl.com/upload/
http://mordo.ru/upload/
http://piratia-life.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
92.255.57.154:11841

Unpacked files

SH256 hash:

232bcf732d5998e06282efcc719d5e1ecdf837d838ecd9967a1ff38a97ae4ab8

MD5 hash:

5f7c0dd6d32a1ec5d767f5ab362fec1c

SHA1 hash:

e4ae8b6c9ea57f5046e14142ce460cfbcde3e4b9

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4

MD5 hash:

0dedd909aae9aa0a89b4422106310e9e

SHA1 hash:

271d36afa5b729ee590cf8066166ca5e9c9d0340

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f

MD5 hash:

32404da1b26037746f9bf0d5628ea968

SHA1 hash:

8d2bf53983638235d5cc2f81171839801ba02e84

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

970729ea30981bbdf82d8eb8e51c6baceb7986567420366a2abd6ea3f99ae8c9

MD5 hash:

b1da130e5b6eb208f485ee866ec9573b

SHA1 hash:

f4dbb25ccd9082e51e76a8c32948a4fa4df50f8e

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

72603805ba9a88fd46542fe4c00f40f1242cf62f75a7527cbe47d9b6abccd636

MD5 hash:

ef43ad490f9f3f5a64eaefa26218083e

SHA1 hash:

da25467e9c67145183139fbef6e31250c9257b31

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

5785d857ce7b611454555857c6421e9955e9542b2087256945138d64b4609ca0

MD5 hash:

c59af3622724898a5f40850b2216542a

SHA1 hash:

b5f9db5cc3cb8061b9c221ad31bb11e0c34abe88

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

2848780a68b46d1f7a91df0dc200e6bf53c803cf5dafd7928f3d092bb8c718cd

MD5 hash:

fcb60398c77aecfee22e46ff342f4845

SHA1 hash:

76ca7534071927957121018e4667da41c86148cf

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

eb92d5dae7108e69aff106b6bb188abce04740919099b5eba87c56b8ef4493f1

MD5 hash:

2fe1fbe1cf3b63c2b9d04859ba27b5a7

SHA1 hash:

6d82b25f27939d2c712ca76d267437569799518a

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

e18ba1bf5c0a07f9ad5e282f6e646df4716714ae0ac05332d2364802c9e3b291

MD5 hash:

1c575af427a917e082c14c175694f64c

SHA1 hash:

57fe37ebdbfaece45ae109a1c27d1227929493d6

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

4f3ee3d0518f9886bca2fcfba032917e9bd7ac945221d043c30af8dbd6ea8d19

MD5 hash:

e6c946b55755bf75033c0912745422c2

SHA1 hash:

57531d9c9314e5158b7c2b765081c0aad9d11e92

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c

MD5 hash:

83b531c1515044f8241cd9627fbfbe86

SHA1 hash:

d2f7096e18531abb963fc9af7ecc543641570ac8

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

b167e7ffe5be086b4b35c469e8a7f6a55f2f8e855d86ce4647ccce7c5607a303

MD5 hash:

485575a5766485e4c1f5632f53849004

SHA1 hash:

c1b98a99df973808e79dc82f936814c9f3cc760f

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0

MD5 hash:

da70ba6fa59896248f7c05fdcb7d581e

SHA1 hash:

174cb2b083e327a362b6ecac68fe939a40743ffb

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

MD5 hash:

b984a027c8a2abf874f3eb306a831613

SHA1 hash:

d3b3f8890adc840b0bd411cf304eef15d415ed48

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

Parent samples :

fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a

SH256 hash:

245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa

MD5 hash:

4f93004835598b36011104e6f25dbdba

SHA1 hash:

6cb45092356c54f68d26f959e4a05ce80ef28483

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

cda2217b2505fec6ff6fad01c710d6484730b36e8ab969cc42b063b7bff6bbc9

MD5 hash:

4f2e37540fbdbcb98891559a2c2338db

SHA1 hash:

8cfffaf612c6ffb5bf5df94e0a1f36c5379bcb6c

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

7fd59334f243fdc46b940bf368e1b73cbb1dc373324c6839ec00bde1baa36340

MD5 hash:

1485e85e1091d8e32468c25cad4df316

SHA1 hash:

0b6b06f33a506eb3c1fedcc6dac291db9dbb617f

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

07a0ddf36b5fe6fe1d88f213f5c45a45ded126bfe4496cc56df174e33e6efdca

MD5 hash:

79ee92cc324ec56d49b82417452dcf69

SHA1 hash:

fc7b9663153916eeefec14c210ac6b81d9dee977

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

7c39b83f7ea56f2a19be821237f6b314dfac9e8f92887d398696f7781f806075

MD5 hash:

ee4b9b7ab1dfb0db9cbebec5f717b867

SHA1 hash:

594a3147022383cc2b69c8f23f6ff90bb8449a5a

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

da6b174b9de36286e3d3d42119ee7f772e0d434e8a57364cca7bf5f7e2c8a2d6

MD5 hash:

65444fc9ee4b8ec51359856cf382f99c

SHA1 hash:

2c1fd35e286e50272d6d4598b5da98f5285a7f7c

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

a0e2aa63329c110e2666c42150dc102fbc07ee81262d90c9add0680e4d345e06

MD5 hash:

343240dcb2fcfe7fe6e369cb15abaff8

SHA1 hash:

0d3f8077afbefec2ec8bdc61a3e5a2f21782f2d2

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

20cd852edc1e1ff64f695fce1076263d9025956c971441d3cf2e96f308848fb7

MD5 hash:

d7dfe8cdf43b16360d90f5ca481c4a0b

SHA1 hash:

dd68d0078962ebcadada2cc50202220cc06f76d2

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

SH256 hash:

74c2576ed018b452120e3b82ff97b560754bc7d948e8aa81d3b0b35954411b91

MD5 hash:

b8366f92131bd549978f91b869c7204e

SHA1 hash:

b86877217822255118d3d7fa1471f963fcb2aae6

Link:

https://www.unpac.me/results/5c569a9b-b731-4a66-a98c-3315d02337b9/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample