MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 3 YARA File information Comments

SHA256 hash:	854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a
SHA3-384 hash:	4b18118c28b1dc8d0e432077d98a136d926a4f016c804b2a3cd352a573f068078c1a7669eaa68df96658adf0b4f395c5
SHA1 hash:	2c69cb985d7c422faa5c2e424b72ca45e94a6666
MD5 hash:	7d12550f98dc72b2f48816a9e979dfe9
humanhash:	maryland-harry-eleven-eleven
File name:	7D12550F98DC72B2F48816A9E979DFE9.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'861'253 bytes
First seen:	2021-08-11 20:25:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	98304:yju4l+nX+HrTHNIgv9Ks/54b2X1sPPlki4YRTTLDPK:y8OH3HNXv9Ks/5Ge1sPPl+sTTS
Threatray	291 similar samples on MalwareBazaar
TLSH	T1BE2633784246C2F6C6BDD1B438BBCE471B90DE025339A85BAF907A857C2D991EC35B0D
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://74.119.195.135/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://74.119.195.135/	https://threatfox.abuse.ch/ioc/171652/
http://cleaner-partners.top/decision.php	https://threatfox.abuse.ch/ioc/172113/
45.14.49.128:16334	https://threatfox.abuse.ch/ioc/172157/

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/178390/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Searching for the window

Running batch commands

Connection attempt

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Deleting a recently created file

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Bsymem

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/43d27d08-e48e-4c24-9df6-2f77ccae4620

Result

Threat name:

RedLine Socelars Vidar Xmrig

Detection:

malicious

Classification:

troj.spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/831247

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus detection for dropped file

Antivirus detection for URL or domain

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates processes via WMI

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disable Windows Defender real time protection (registry)

Drops PE files to the document folder of the user

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has a writeable .text section

Sigma detected: Suspicious Svchost Process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected RedLine Stealer

Yara detected Socelars

Yara detected Vidar stealer

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

glupteba

Link:

https://mwdb.cert.pl/sample/854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a/

Threat name:

Win32.Spyware.Socelars

Status:

Malicious

First seen:

2021-08-10 16:37:00 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qvhfydn6wmnqsu6edm3nzch2j2kzyagijd5xepoc7erdv222gwna._file

Verdict:

unknown

RedLineStealer

321ad36cf8f20be8c53d060b3043706a58ba49c4c25c994c96d19932137838cb

RedLineStealer

44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e

RedLineStealer

4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8

RedLineStealer

5d10fa7657f41f17d508c1dbb3f63b5b2ad6deea2f47e747b118345a56ab6cdc

RedLineStealer

8f2789b6a628a92f9f6313305b255c405f867c49161bb864263dcfef5a6f712d

RedLineStealer

9e74b137b73150bea9b3ef6b987d3af1b3c445163c8ea469e6608d3ebc6062d9

RedLineStealer

aa9b8b79b9b4e0478e85c4ae5b08c15aadea45cac7617de2c298070fd781748e

RedLineStealer

d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702

RedLineStealer

+ 281 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:39b871ed120e56ecbdc546b8a8a78c4e5516bc1f botnet:706 botnet:7new aspackv2 backdoor infostealer persistence stealer suricata trojan

Link:

https://tria.ge/reports/210811-vd4mwarwys/

Behaviour

Checks SCSI registry key(s)

Kills process with taskkill

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Process spawned unexpected child process

Raccoon

Raccoon Stealer Payload

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

https://prophefliloc.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80

Unpacked files

SH256 hash:

6e037f08a0c238f222fa2d717d487896fb12c411129748e6729e5599abc43b13

MD5 hash:

9806f3f87bcb267281009a6fc5c420fa

SHA1 hash:

1e36820c67183d74e9c1f94cfa63863e520b0598

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

Parent samples :

549953d5db2a4646740e721e24ec1b7fa57ef6c4d72ffa32752b17d4a65c36e4
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234

SH256 hash:

207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9

MD5 hash:

4955a27a03f35933fdbd801f425b6c58

SHA1 hash:

97f3b8f33fd1a49cf9db5a246d996047beef3c12

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

Parent samples :

db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818

SH256 hash:

1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

MD5 hash:

0965da18bfbf19bafb1c414882e19081

SHA1 hash:

e4556bac206f74d3a3d3f637e594507c30707240

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

MD5 hash:

13a289feeb15827860a55bbc5e5d498f

SHA1 hash:

e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

081f98edcc1f80cf0ce2c428a9324820ed6f039ffbff4dbd5566d95cc0b5cdf3

MD5 hash:

914ed92ed191f615e8fde6c30586a1dd

SHA1 hash:

d83a6c7764636122e91311bf526fd31fdf89ae97

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

20f141968ca94ce06fdd226e4669be3f924db0bf40b5133f3361a095c7dbd24f

MD5 hash:

413b067278fc114a0ec67440c47ec167

SHA1 hash:

b7b8d76c314b966aeabe6e6a1a8b4112d30ca708

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

MD5 hash:

c0d18a829910babf695b4fdaea21a047

SHA1 hash:

236a19746fe1a1063ebe077c8a0553566f92ef0f

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

a7abe50505fc2fd6a920828b3cad0d45756d5c645dbed69f1fbabb006a78f9ec

MD5 hash:

c94637bcd99414ea70328b46a9ae9a97

SHA1 hash:

f6cc4ffa67c2092e7535921d716db695cd4a7222

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71

MD5 hash:

7aaf005f77eea53dc227734db8d7090b

SHA1 hash:

b6be1dde4cf73bbf0d47c9e07734e96b3442ed59

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

dce21c183a366ab2cbd82e2cf4ae0c45634d4fd4469110485455a005d5bd4a8c

MD5 hash:

edcf0859069fe9acba0a1a528fec8c4d

SHA1 hash:

69992bd13adff8bacd1c94583cb35c263489173c

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

ddbe26b2ac611988d9035c782fa4f8ef01ed7b8fb4995cab60f7ec4a933657a3

MD5 hash:

f058187cd33c10725678e55e672b0bb1

SHA1 hash:

f2644114ba4f8a2aeb5769ac9c0413b0b59cde6b

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

61494bca647b46aa9c7cfe3530385a7d6f9dc2287c9b0b4fd61dfa701ba7a4ad

MD5 hash:

df2208cc1e06995916314451713aa5b0

SHA1 hash:

ae2d9d9cdbe24556f5359b13767533bbe9c046d1

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

dd5c306519cc94125348f67bd6a533e9ec5fe06a0be2404e7f7175dd150cdeaa

MD5 hash:

12c4e83713e044a173a2a56d0689cc4c

SHA1 hash:

a72587ad2fd0c93a469edb802cfc753bc00f1fff

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

e811f993638c622c71e0fdb895b57bdbe86d13915785a93673064b1e9a6007b3

MD5 hash:

acac1d2458bcf0cf39520d2326aa42f5

SHA1 hash:

e9d60cdc2444a0c5abd0ca816733143335f29141

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

3dc34665672aa3b5c9d5c2a73aab735610d272209d41af69b76051b7261e3817

MD5 hash:

5966ae3a490bd2ec1f3c25d52e6b606e

SHA1 hash:

a8d820533b71ba52b596c6a3374acffb7f7e83a3

Detections:

win_socelars_auto

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

SH256 hash:

854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a

MD5 hash:

7d12550f98dc72b2f48816a9e979dfe9

SHA1 hash:

2c69cb985d7c422faa5c2e424b72ca45e94a6666

Link:

https://www.unpac.me/results/e9341448-fff3-445e-a357-364f5416cb26/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/854e5c0dbeb3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/178390/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample