MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ffeae85c9e4be6675aa85f9fb8883c9a41960de2f7437be9e41288682329b3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 7ffeae85c9e4be6675aa85f9fb8883c9a41960de2f7437be9e41288682329b3c
SHA3-384 hash: 63a44728a36a2a0901caa7ac7274f47e896d9b9f4c95d03d41c0f90f212663672ac02a667607e888cd170d67a28b7f05
SHA1 hash: 569b3ee943692121c4e6d2c74dd0f2f2a23b1482
MD5 hash: aa9dada212c09a080511ab2d6da355a1
humanhash: hotel-nevada-speaker-iowa
File name: aa9dada212c09a080511ab2d6da355a1.exe
Signature: RedLineStealer
File size: 7'095'396 bytes
First seen: 2022-02-07 07:20:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:Jiz1k0O0lcNgHnyfTJhhjGo/bPPnWfmIEebQHXr1w:JixkSlggHnyb7hjGo/OmteQHXBw
Threatray: 5'333 similar samples on MalwareBazaar
TLSH: T1B366339490F3E4A7E7718AF364B187A72CC7927835A4CC97080C462F7E50A71EA7E5B4
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://178.79.161.18/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                        ThreatFox Reference
http://178.79.161.18/      https://threatfox.abuse.ch/ioc/381450/
94.140.113.76:80           https://threatfox.abuse.ch/ioc/381622/
162.55.174.44:3450         https://threatfox.abuse.ch/ioc/381632/

Intelligence


File Origin
# of uploads: 1
# of downloads: 149
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
Creating a window
DNS request
Creating a process with a hidden window
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching cmd.exe command interpreter
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe manuscrypt overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 567534; Sample: BjEwXjK71p.exe; Startdate: 07/02/2022; Architecture: WINDOWS; Score: 100
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-02-04 07:59:00 UTC
File Type: PE (Exe)
Extracted files: 407
AV detection: 32 of 43 (74.42%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:smokeloader family:socelars botnet:money botnet:newmast3 botnet:v1user1 aspackv2 backdoor infostealer loader persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates processes with tasklist
Enumerates system info in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
OnlyLogger
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments