MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8773c82cb505a8512920776b02bab6b260b0b8d20eead6a2ade96070d625d0e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8773c82cb505a8512920776b02bab6b260b0b8d20eead6a2ade96070d625d0e2
SHA3-384 hash: eb99fbd901e536af26260dcb4349d0359e6372598e9a921d10590a69d38acc3453b1e81826a17a9985ef0eed2817c049
SHA1 hash: fdc62113e43d705023e61579683e47f3132def98
MD5 hash: 87b17db984ca86539913eca6025bdc36
humanhash: happy-oven-colorado-muppet
File name:87B17DB984CA86539913ECA6025BDC36.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'429'777 bytes
First seen:2021-08-15 17:51:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xsCvLUBsgD40Wu2UttSSzlcLS/cX76c1EDpQMBRZ8y:xxLUCgD40WwttxzlcekXL1EfRZp
Threatray 361 similar samples on MalwareBazaar
TLSH T1ABF53311BA8290FAE44164305A483FB37979C78D0731DCEFA3549A6C6F66CB5E02B71E
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.163.45.248/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.45.248/ https://threatfox.abuse.ch/ioc/188584/

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179372/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Jaik-9885385-0
Create hunting rule

Win.Malware.Jaik-9885387-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Connection attempt
Sending a custom TCP request
DNS request
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f96a5dce-0ed6-44a2-867a-e183d203c413
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833187
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample is protected by VMProtect
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465617 Sample: wuFp6oB9yG.exe Startdate: 15/08/2021 Architecture: WINDOWS Score: 100 75 104.21.36.217 CLOUDFLARENETUS United States 2->75 77 172.67.145.153 CLOUDFLARENETUS United States 2->77 79 3 other IPs or domains 2->79 99 Multi AV Scanner detection for domain / URL 2->99 101 Antivirus detection for URL or domain 2->101 103 Antivirus detection for dropped file 2->103 105 15 other signatures 2->105 9 wuFp6oB9yG.exe 8 2->9         started        signatures3 process4 file5 41 C:\Users\user\AppData\...\setup_install.exe, PE32 9->41 dropped 43 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 9->43 dropped 45 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 9->45 dropped 47 3 other files (none is malicious) 9->47 dropped 12 setup_install.exe 8 9->12         started        process6 dnsIp7 95 172.67.186.33 CLOUDFLARENETUS United States 12->95 97 127.0.0.1 unknown unknown 12->97 67 C:\Users\user\AppData\...\f2d1bb34f87a27.exe, PE32 12->67 dropped 69 C:\Users\user\AppData\...\f000f9495d2d52.exe, PE32 12->69 dropped 71 C:\Users\user\AppData\...\43efaf5ea296.exe, PE32 12->71 dropped 73 4 other files (2 malicious) 12->73 dropped 16 cmd.exe 12->16         started        18 cmd.exe 12->18         started        20 cmd.exe 1 12->20         started        22 6 other processes 12->22 file8 process9 process10 24 1be4d61b298.exe 16->24         started        29 43efaf5ea296.exe 18->29         started        31 f2d1bb34f87a27.exe 20->31         started        33 f000f9495d2d52.exe 15 9 22->33         started        35 09d64cbbc1.exe 12 22->35         started        37 828d25cde4.exe 14 5 22->37         started        39 fc69270419d284a3.exe 2 22->39         started        dnsIp11 81 37.0.10.236 WKD-ASIE Netherlands 24->81 83 37.0.11.8 WKD-ASIE Netherlands 24->83 89 13 other IPs or domains 24->89 49 C:\Users\...\bWbwUzT483vUr4IfVbhwKzT8.exe, PE32 24->49 dropped 51 C:\Users\...\6e_8GDq1YlaIuGhrmXqSVTsR.exe, PE32 24->51 dropped 53 C:\Users\...\1BKz7LykEMUMMQ0X6e6oXQaN.exe, PE32 24->53 dropped 63 47 other files (20 malicious) 24->63 dropped 107 Tries to harvest and steal browser information (history, passwords, etc) 24->107 109 Disable Windows Defender real time protection (registry) 24->109 111 Machine Learning detection for dropped file 29->111 113 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 29->113 115 Checks if the current machine is a virtual machine (disk enumeration) 29->115 85 186.2.171.3 DDOS-GUARDCORPBZ Belize 31->85 55 C:\Users\user\...\f2d1bb34f87a27.exe, PE32 31->55 dropped 117 Drops PE files to the document folder of the user 31->117 91 2 other IPs or domains 33->91 57 C:\Users\user\AppData\Roaming\8190730.exe, PE32 33->57 dropped 59 C:\Users\user\AppData\Roaming\5651426.exe, PE32 33->59 dropped 65 3 other files (none is malicious) 33->65 dropped 119 Detected unpacking (changes PE section rights) 33->119 121 Detected unpacking (overwrites its own PE header) 33->121 87 74.114.154.18 AUTOMATTICUS Canada 35->87 93 2 other IPs or domains 37->93 61 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 37->61 dropped file12 signatures13
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8773c82cb505a8512920776b02bab6b260b0b8d20eead6a2ade96070d625d0e2/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 03:48:43 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5z4qlfvawufckjao5vqfovwwjqlbogsb3vnnivn5fqhbvrf2dra._file
Verdict:
unknown
Similar samples:
205b3ed8bb5aaa874ef73d4a47206b16a42397e7d77422936dfa6eb39f038ab6
RedLineStealer
486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
RedLineStealer
6814143c59108c0010bd29365823a38f61062a1978987b4798671334aa496740
RedLineStealer
6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347
RedLineStealer
82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2
RedLineStealer
bae14391cbc9ddb999947b70f3975a7309f73d422a02aaa13ae9100baaa0652c
RedLineStealer
+ 351 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar family:xmrig botnet:706 botnet:7new botnet:937 botnet:93d3ccba4a3cbd5e268873fc1760b2335272e198 aspackv2 backdoor evasion infostealer miner spyware stealer suricata trojan vmprotect
Link:
https://tria.ge/reports/210815-6aqvbvnz92/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
Unpacked files
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
df6d674013ce24f66df320faf829d720fda51294f673ab12e6ca660d4f5a0d93
MD5 hash:
ed22a008628e35cdaa23b15d6cc1fac7
SHA1 hash:
7a05e54bd591efa7e2b53112f76ec74effdb59c0
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
c2b57b7467e0847649cfd47c0a22bd8801fa86f920e89c71e99a6896659d2047
MD5 hash:
1a21b6bd3fff783f6b63d512988104ec
SHA1 hash:
442dff9a2584873af7443c1153dc9a670731d877
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
c3f668640e10b6eb17e155cf7f564c54af57b2719ea5f97ce4bd6cbab92bad7f
MD5 hash:
4ea74e00b361ebbe8f5e06d7a104c697
SHA1 hash:
115fb2bb0ca9aeeb597fc3259371a4f77678322b
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
7903663ca52d09ab4df1695a9fda51247725dd38713505b290929f7840da1ef2
MD5 hash:
92a4b23bccf10067299c8dbf3344d964
SHA1 hash:
aa769c5fa7b4c84ca34705e3aa18d198daa422a3
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6
MD5 hash:
80a85c4bf6c8500431c195eecb769363
SHA1 hash:
72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash:
3263859df4866bf393d46f06f331a08f
SHA1 hash:
5b4665de13c9727a502f4d11afb800b075929d6c
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
10f128ff840c2f0f63aece165d8c907c7339116113cbfa21acb86b29f46ede99
MD5 hash:
fb1abaead9b5949e21680e35e546ff7d
SHA1 hash:
c8923c58a30f130a1781dcd27015d2e130964188
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
25bb171f5353d6183894da0105db19d449a5aea08d52fab3dc4b1cedccb08ba1
MD5 hash:
64eb129d2c83acdd6bf296e77fef41a3
SHA1 hash:
9837d52a43a40321e41c00fc2192b9b982d5ba1a
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
MD5 hash:
5b8639f453da7c204942d918b40181de
SHA1 hash:
2daed225238a9b1fe2359133e6d8e7e85e7d6995
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
5a16ebebe4b2eac030de2c87a349a569b28708c48efc5e47cfcab2f808728803
MD5 hash:
02771a9481f30025854272378d370282
SHA1 hash:
704d5d8ec994080d46151ad709c14c90a94588f6
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
b1a38be4ad35c6f3ea289bf0ef59a6ab79ce69bfafe202a1766a509d1c07b72c
MD5 hash:
2179f4b7bfa78ab4bd38ac489f134912
SHA1 hash:
f5ea233c5e35c847dbb957d72fa3b23193c58ca7
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
SH256 hash:
8773c82cb505a8512920776b02bab6b260b0b8d20eead6a2ade96070d625d0e2
MD5 hash:
87b17db984ca86539913eca6025bdc36
SHA1 hash:
fdc62113e43d705023e61579683e47f3132def98
Link:
https://www.unpac.me/results/477fc96c-4c96-40f2-87f6-39a786f3bc28/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8773c82cb505/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8773c82cb505a8512920776b02bab6b260b0b8d20eead6a2ade96070d625d0e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179372/

Comments