MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a8ed9f1dbe9f72dd7f60806be5130daf6148443a45d6c20d1449a4e490837c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 2 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a8ed9f1dbe9f72dd7f60806be5130daf6148443a45d6c20d1449a4e490837c9
SHA3-384 hash: 8c7ce392d901841304144d2c29a30e6b11a455bc250579e69ba50ea8e269b4c7b7df4f22f5bb52de0d11d0c0376a627a
SHA1 hash: 80ee82ca5f6fae94de2a6c7228b88b78c1554323
MD5 hash: 03a6e8e5557d35d9d1c0b8dd9702bab5
humanhash: shade-colorado-mockingbird-zebra
File name:8A8ED9F1DBE9F72DD7F60806BE5130DAF6148443A45D6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'951'146 bytes
First seen:2022-03-10 19:12:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:xnwp8LztZbgzePW4QYWmMS0AXFZ1ZNi9iySw1P7owENeY:xwpazTgzkQHmMDYZ1ZTySw1sReY
Threatray 6'542 similar samples on MalwareBazaar
TLSH T10F66332837E454B3E9306970675827F275E97B294E24405B33D498CCFEBDDAB612D0CA
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.11.73.55:22201

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.212/ https://threatfox.abuse.ch/ioc/393367/
185.11.73.55:22201 https://threatfox.abuse.ch/ioc/393506/

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/249219/
Detection(s):
Win.Packed.Barys-9859263-0
Create hunting rule

Win.Malware.Barys-9859499-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Searching for the window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/622a4dc7b94fb38cb454ce1e/reports/ca74b1e2-4eb9-48bb-9bbe-3ee7f20e756e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5f9ae8ac-3782-4da5-8523-70aa8ce78c50
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/954463
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 586944 Sample: 8A8ED9F1DBE9F72DD7F60806BE5... Startdate: 10/03/2022 Architecture: WINDOWS Score: 100 53 ip-api.com 208.95.112.1, 49779, 80 TUT-ASUS United States 2->53 55 195.24.68.20 RU-CENTERRU Russian Federation 2->55 57 18 other IPs or domains 2->57 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for URL or domain 2->67 69 16 other signatures 2->69 9 8A8ED9F1DBE9F72DD7F60806BE5130DAF6148443A45D6.exe 22 2->9         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\setup_install.exe, PE32 9->45 dropped 47 C:\Users\...\61fe1aa6ee147_Sat06d007b4c.exe, PE32 9->47 dropped 49 C:\...\61fe1aa69ac24_Sat063c09c3ec81.exe, PE32 9->49 dropped 51 17 other files (12 malicious) 9->51 dropped 12 setup_install.exe 1 9->12         started        process6 signatures7 91 Disables Windows Defender (via service or powershell) 12->91 15 cmd.exe 12->15         started        17 cmd.exe 1 12->17         started        19 cmd.exe 1 12->19         started        21 7 other processes 12->21 process8 signatures9 24 61fe1a9e52294_Sat060a0e504a36.exe 15->24         started        27 61fe1a9728ac7_Sat0678e9b6fd9.exe 3 17->27         started        29 61fe1a9c1c8f9_Sat06f820f69d.exe 19->29         started        71 Disables Windows Defender (via service or powershell) 21->71 32 61fe1a9a2d543_Sat06ff5596cab1.exe 14 3 21->32         started        34 61fe1a99440cb_Sat06a7b44b4.exe 2 21->34         started        37 61fe1a965c625_Sat0600b0c20f.exe 1 21->37         started        39 2 other processes 21->39 process10 dnsIp11 73 Multi AV Scanner detection for dropped file 24->73 75 Detected unpacking (changes PE section rights) 24->75 77 Machine Learning detection for dropped file 24->77 89 4 other signatures 24->89 79 Antivirus detection for dropped file 27->79 81 Sample uses process hollowing technique 27->81 83 Injects a PE file into a foreign processes 27->83 59 appwebstat.biz 45.129.96.174, 49798, 80 GMHOST-EE Estonia 29->59 85 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 29->85 61 104.21.76.213 CLOUDFLARENETUS United States 32->61 41 C:\Users\...\61fe1a99440cb_Sat06a7b44b4.tmp, PE32 34->41 dropped 87 Obfuscated command line found 34->87 43 C:\Users\user\AppData\Local\Temp\o33f.Kuh, PE32 39->43 dropped file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a8ed9f1dbe9f72dd7f60806be5130daf6148443a45d6c20d1449a4e490837c9/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-06 06:43:00 UTC
File Type:
PE (Exe)
Extracted files:
298
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkhnt4o35h3s3v7wbadl4ujq3l3bjbcdurowyigrisne4siig7eq._file
Verdict:
malicious
Similar samples:
0608db47a51634204b29ea7e166c28e039721eefc409173f804fb2c488440e72
RedLineStealer
2a9103251afe0c1ef6438869cd7f2ab6a9cd3ba724d527bd41dc58834a800256
RedLineStealer
523c3d9d49ff39f7f97331e9d89c18053ab85c80f2ead0b505cc7e27e7aa2fcd
RedLineStealer
a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6
RedLineStealer
c8c2d9fd30bed8d8431437ce0453a27018e80c1500f89ad72d453737423a0ba0
RedLineStealer
c9e89292fdb05da1abf2fe75b33be2cb892611477c4373d2746edbafa951ddba
RedLineStealer
cd32b9face07e67bd602c5fc4eabba1f1cd9d8ea969832d13e5c0fa829e9b948
RedLineStealer
+ 6'532 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:onlylogger family:redline family:smokeloader family:socelars botnet:media450 botnet:v1user1 aspackv2 backdoor discovery infostealer loader persistence spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220310-xw4gksdeaq/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates processes with tasklist
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://www.tpyyf.com/
92.255.57.154:11841
116.203.252.195:22021
http://dollybuster.at/upload/
http://spaldingcompanies.com/upload/
http://remik-franchise.ru/upload/
http://fennsports.com/upload/
http://am1420wbec.com/upload/
http://islamic-city.com/upload/
http://egsagl.com/upload/
http://mordo.ru/upload/
http://piratia-life.ru/upload/
Unpacked files
SH256 hash:
c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0
MD5 hash:
da70ba6fa59896248f7c05fdcb7d581e
SHA1 hash:
174cb2b083e327a362b6ecac68fe939a40743ffb
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
fa5cab2a5fa034254140574defa3dcc69de174cabf514fe317cbd0b91d90c1e7
MD5 hash:
1c336c729d3a1413f16d79f1f9b6daf3
SHA1 hash:
305cb36aedb4252c75552b0a8b075b0966cb7bef
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash:
4f93004835598b36011104e6f25dbdba
SHA1 hash:
6cb45092356c54f68d26f959e4a05ce80ef28483
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
0e5eea0116bab4580822eb431ad8d22b80ac30927c270594b104151f33bf1739
MD5 hash:
9b2071a9c9263b03768654b6099e491a
SHA1 hash:
29eae909c2c54b75c49c5a0955d57ac055d0dd20
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
e79ff194eb355b0ff63a5cfd5f6e94367ff2f267d60c9f2df6cbc844bd115e06
MD5 hash:
9d9c68549cf06b0485742e0865f5390c
SHA1 hash:
b23241ac8419df6bb0a930ac80cdae9edbd55893
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
Parent samples :
fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SH256 hash:
a6334a93323db29971a851352354d59b6ba2c26bf3ab49895e6db6f7fcbc3283
MD5 hash:
36941f4d11216f011ebb2b6bae57a590
SHA1 hash:
b60c5e36c66986466d589651a7bc2567101eb2de
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
87129de6a9f8b3c4979ad164c907d9bec332227ef7eb112fda98f28574952735
MD5 hash:
bad7c61444a14d7e05cb540d06419265
SHA1 hash:
b08496bfe65eed9c9ed35b9c4d7bbf54374ba0c7
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
3959dc227089d0a9b38d2ea8c387e993db3584c7bb9129780f20673d1fd15e61
MD5 hash:
7eb2d388416744a108c0cf107caf8ef8
SHA1 hash:
876cc415ac9a3832afde3f8bacf86edb7a5b72ce
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
d71accd2bb8cebda92d96a3d1735caeb5bba6e5eee1fb5366fa8303888903037
MD5 hash:
daf81d3ba13a7d9057048bb1020f1064
SHA1 hash:
7d644b40a7b8c05f8399ab8e67014638e81f9007
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
d1f2610773fae24552f7e6111dfe1866054daedf0ffb742bfdd794dbc2bde1ea
MD5 hash:
778d8ddc8a7dc849e74e67acfacbc29c
SHA1 hash:
719fe399f6aac5664450def3be7be3649150627d
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
eb92d5dae7108e69aff106b6bb188abce04740919099b5eba87c56b8ef4493f1
MD5 hash:
2fe1fbe1cf3b63c2b9d04859ba27b5a7
SHA1 hash:
6d82b25f27939d2c712ca76d267437569799518a
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
ffff25763fa2a4e8b55fa76adc7e27788078a65c2756172f196ca8eca2cda368
MD5 hash:
fa174344e7083a9406c25720dc323f07
SHA1 hash:
6b78c071b21d02b0efbe14bab36109e8803f546c
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
154fa9dcffb2ce0ed179145257fa0ba9ebbcfe44e69b42cc045c42eaad60d741
MD5 hash:
59af3629f1798de503dc847f059920a7
SHA1 hash:
308e4b0b52665b28970a77406f5ebbfddbc19240
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f
MD5 hash:
32404da1b26037746f9bf0d5628ea968
SHA1 hash:
8d2bf53983638235d5cc2f81171839801ba02e84
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash:
83b531c1515044f8241cd9627fbfbe86
SHA1 hash:
d2f7096e18531abb963fc9af7ecc543641570ac8
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
1235668841bac7f28df1160ecf5a15c85f956bda8b7c1cd477e4f43acf9be6a9
MD5 hash:
0a6f7c23ae1c0d2131304750cea32f6f
SHA1 hash:
bc281b1f95b489c3ba0bf36782eeec11ddba20a2
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
96e864bdc5da8dd21c094d566867fcd867f948e22087f77ae33b7b6f099b2dc6
MD5 hash:
ca10698c53fa5f5d58c4e03ebf688138
SHA1 hash:
63205966355216b98f6a99b31122d3bedf0ec00d
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
091c8ea176180349367a2f226824b27a484afc740d2031e1d2c5eccde95b9519
MD5 hash:
7adf27a44e2c07a451c0b6b9c86c6906
SHA1 hash:
ff66385d4fe0b5422ba97cbfb7cd678e9c64f83a
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
bcc139704b02be1b1b45e28ffdb8638b768186fa172f90541523b1984264df69
MD5 hash:
5c621207a46eeec1de0398b6fed8d198
SHA1 hash:
21e0cf3bb0ae985802cd7adb1f6b186c91c5d155
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
f4fb9657e5c3ba493270dff0e3c1aef2c0f25a5a3144b4ca1c46a98d45c98fde
MD5 hash:
523cd8250c39f1d525426394d6ce6772
SHA1 hash:
d4a131c30b06b6cf50e89846de737c3c6f38c4ff
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
61645ef72bc9efd800cadb61b8f4d6beeee60c6fe4b9fb7ce1aeee5baee8e95d
MD5 hash:
d9a55734a4df4f1a05b0abefc55e8604
SHA1 hash:
904771ba44066574b5aa658aebb69270547d9ab7
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
d63d7a0a43710f74e5b78fa5de310bf2d334a772ab09a0e3d276fc125f4f0aeb
MD5 hash:
307e29e9eff8f610116d1a6de4d611ae
SHA1 hash:
f1bf90c2b72ca22953282eefaa42e17134d76263
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
SH256 hash:
8a8ed9f1dbe9f72dd7f60806be5130daf6148443a45d6c20d1449a4e490837c9
MD5 hash:
03a6e8e5557d35d9d1c0b8dd9702bab5
SHA1 hash:
80ee82ca5f6fae94de2a6c7228b88b78c1554323
Link:
https://www.unpac.me/results/1ca3f102-a470-4cb8-ad22-4135354b86b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a8ed9f1dbe9f72dd7f60806be5130daf6148443a45d6c20d1449a4e490837c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249219/

Comments