MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80594c4ce01c53c6bcc472e88329cc23f51b0d3276c8f5b3a686033f8d2d452e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	80594c4ce01c53c6bcc472e88329cc23f51b0d3276c8f5b3a686033f8d2d452e
SHA3-384 hash:	dbc510b065c0c57d367d7a5db0762c276c517fc556f640dea9ddaabbf4e58e41a6c346b5791556ceea23f1b78bc78a37
SHA1 hash:	725d06f330b6ab00e2b3332b725114c1564569f4
MD5 hash:	f944d681d4aef5cd2b92424c6f2a24a9
humanhash:	pizza-oregon-cold-sweet
File name:	setup_x86_x64_install.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	6'537'507 bytes
First seen:	2021-09-14 19:50:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	196608:yOM8Vm9qQEPnmlKEDr5YWxPXfh6EwozXiW:yOV4T4oDDr5hR5nzj
Threatray	550 similar samples on MalwareBazaar
TLSH	T1286633743AD1C582F9D79034B460466E4F76CEA6D2EC331B8E488E191CEB924DB07ED9
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	Anonymous
Tags:	exe Loader RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
144.76.112.41:26462	https://threatfox.abuse.ch/ioc/221922/

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup_x86_x64_install.exe

Verdict:

No threats detected

Analysis date:

2021-09-14 19:50:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/981299af-532f-431e-89ba-e1f2405d5855

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/187905/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/617511c1db358dd15ed922bd/reports/d694c60f-0484-4216-b1ab-aa74b5e363a3/overview

Malware family:

Glupteba

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/49aa842e-829a-496c-b4b7-76f6243c6707

Result

Threat name:

RedLine Socelars Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/850948

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Antivirus detection for dropped file

Antivirus detection for URL or domain

Detected VMProtect packer

Disable Windows Defender real time protection (registry)

Downloads files with wrong headers with respect to MIME Content-Type

Drops PE files to the document folder of the user

Drops PE files with a suspicious file extension

Found C&C like URL pattern

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has a writeable .text section

Performs DNS queries to domains with low reputation

Sets debug register (to hijack the execution of another thread)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Script Execution From Temp Folder

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Yara detected Socelars

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

glupteba

Link:

https://mwdb.cert.pl/sample/80594c4ce01c53c6bcc472e88329cc23f51b0d3276c8f5b3a686033f8d2d452e/

Threat name:

Win32.Trojan.Fabookie

Status:

Malicious

First seen:

2021-09-14 19:51:10 UTC

AV detection:

28 of 43 (65.12%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qbmuythadrj4npgeoluigkomep2rwdjso3eplm5gqybt7djniuxa._file

Verdict:

malicious

RedLineStealer

4f4c2c9bdfef8a8cfbe2c8f84bf12cc86f26f59d54c277dab39f4c5e92948708

RedLineStealer

56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482

RedLineStealer

5bbc833edf2e7c061fd34fe1aba85ff56746dbe0875eafcc945c264ac45193ae

RedLineStealer

6e67e541d5801d97cb6fc3ec483b7b9dc302506c0f3a1ef0942ea3f7126e9e87

RedLineStealer

76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356

RedLineStealer

941478d129063e71885f97791339a49c58c72991ccc8309734f12ef60aee5530

RedLineStealer

bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e

RedLineStealer

c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19

RedLineStealer

+ 540 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:149f4t botnet:706 botnet:ani aspackv2 backdoor dropper infostealer loader stealer themida trojan vmprotect

Link:

https://tria.ge/reports/210914-yktcxagbh8/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Themida packer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Vidar Stealer

Glupteba

Glupteba Payload

MetaSploit

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

Malware Config

C2 Extraction:

https://dimonbk83.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
45.142.215.47:27643
185.215.113.104:18754

Unpacked files

SH256 hash:

c598a971f1d8bc58362396b10df4359654354e6c7b1b56741cea2a532e9bdd94

MD5 hash:

3367116dc59fc2b806bb5ec8c36bf2b6

SHA1 hash:

f4fb01a1efff6c7969383ccf7f64e4ac8cfc2c6f

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

Parent samples :

bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf

SH256 hash:

ea29e1b92c51ed92ede7e90acafa239742e5371821457bd18d2cf1c24303f344

MD5 hash:

e1e303ebfa6fab97deb309fe451d30d3

SHA1 hash:

f0b914dedf110c38686fc63f4ba177ac78b898fb

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

9d16ea15d97c623a97a6f03435671527e911e3c0331b0cbe9b474bae031ef044

MD5 hash:

69cf53df9dd1ce7be305796a4a44396b

SHA1 hash:

e9db02ac90a065d5215555b39363fce9e758753f

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

9b8ce7f12b92f9c71054ea14a6dc893d8a180ef6aa29c78c28d4777486900d28

MD5 hash:

f5deb2c5f6dfe337b3eee5cfa695d92c

SHA1 hash:

cf709a678498aa8a69606e94b15d07c6bb78cd5e

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

da6e2470414935131c3a094758be78605ec1c1ba8ddc755d175ac73763cc307a

MD5 hash:

03cd7541a32149209ecec14115466bc3

SHA1 hash:

bff67b407cffb1d3f3afbbcee15046e968204af3

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

e6ee06c6bc0014b73e3d24bd01d4713c661fafe2e321b0013d726c134e8fa6af

MD5 hash:

e20f9039ea3ab837fcc4d9bfb13558cf

SHA1 hash:

a5e4430e463caf539061c49c75bbab9c587d4500

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

4c7a7b64424daf89960ff6e71600e7f4ea843b8f7dcd4cabbb88f3c56ca87adb

MD5 hash:

cd2c3a6ec84e2fa6f44015c330b3beff

SHA1 hash:

5504a814e0388f110cd2501ee203d563c1b7700a

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

f5eaab8ac7683865a24803a5ac521a9083a16ffd40150721db9c6eadebe3e20f

MD5 hash:

d77b15743ea7a2f60b66bac333e1939d

SHA1 hash:

3cfbe2c1edb5f32a605655963998b1e7e03cda1c

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4

MD5 hash:

0dedd909aae9aa0a89b4422106310e9e

SHA1 hash:

271d36afa5b729ee590cf8066166ca5e9c9d0340

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db

MD5 hash:

70220a3ce6ffd34101b3770342505f2c

SHA1 hash:

b55c421634d8eeaec5c6193f34c04625d21a9ae9

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f

MD5 hash:

4f9c74430d72b9500a0d99cc28fc7a7e

SHA1 hash:

a67cf6a62a6cabec501aa2f14e97c48b71dbd97c

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2

MD5 hash:

33600475b2cc5445df2d3809c3798311

SHA1 hash:

3cb60432de30b82e87b8b607e0180a7843128b5a

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

Parent samples :

aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc

SH256 hash:

5d812b3e8dbb90a24de02c494934d1987f195945147e0ed8e412385031654f4f

MD5 hash:

aab72f4db207557a798a88a46023c237

SHA1 hash:

27d615388f61e6cca4ca5a0295ec9441c409e6d7

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

ae2a15d1a212d29839edcc51f1725cc525de8528e1eaeac3df6a086c8036d8af

MD5 hash:

ad6e651f6707d6656892f41d3fcce064

SHA1 hash:

18a6f9e469d6263df5443d0804344229e4abe4db

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

cb4cab568fb13f74f2fc6832fb2023941fa9084d6d6d49215511cbb5e483598b

MD5 hash:

1dfeb550c0269d5bce61ed67cdd1780c

SHA1 hash:

47a9cf91530784a90bc876c545d7ec31a66203bb

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

0975589b17f3ce580586d12162da05ff2ec37d70d04ab1303b8ae9431422e04c

MD5 hash:

f8e01052031f576d7a11e6255c993211

SHA1 hash:

1dbc79af61bcbbe0ad4bdc88a0afa8779cddb383

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

0628b41d81a166d7992c44bed937b3f0ad8b5d61d87d98e9b97fa3c481c523fc

MD5 hash:

1c23e73461b5ed178d5f8295cefe2910

SHA1 hash:

bfb941fce9a7dab348bf17c03c691aa609931972

Detections:

win_socelars_auto

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

SH256 hash:

80594c4ce01c53c6bcc472e88329cc23f51b0d3276c8f5b3a686033f8d2d452e

MD5 hash:

f944d681d4aef5cd2b92424c6f2a24a9

SHA1 hash:

725d06f330b6ab00e2b3332b725114c1564569f4

Link:

https://www.unpac.me/results/f3c7f562-acc3-4a41-b57b-e26e0f1477f8/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/80594c4ce01c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/80594c4ce01c53c6bcc472e88329cc23f51b0d3276c8f5b3a686033f8d2d452e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/187905/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample