MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e2a3c9ab42314166d930089fbf7ff245d528394fea1ad413bb8362b2aa6cbd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 8e2a3c9ab42314166d930089fbf7ff245d528394fea1ad413bb8362b2aa6cbd5
SHA3-384 hash: b602a10e3f3baced5137935b70ebff54d97424d811dfb70f3a05815973d12756e04e03fed952470d940e6e29eb598689
SHA1 hash: 03afe4d56dd1260daeb971e8012e9c7859d6dcec
MD5 hash: a9650583455ebb93e83a9e841bcec75e
humanhash: nebraska-nuts-papa-aspen
File name: a9650583455ebb93e83a9e841bcec75e.exe
Signature: RedLineStealer
File size: 9'183'598 bytes
First seen: 2021-11-19 16:11:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:xsLUCgzIdu6hasI2Ovj2QYFFsnhQQ6pqPeBJrJSPPrTc4W65i:xwdgzIduMTOvU3z9JSPDTfM
Threatray: 707 similar samples on MalwareBazaar
TLSH: T1F99633C176B2C0F1D0156175830C9A38F7ECC2E96B6084EB6BD4982A0365ED6D47FF9A
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
146.185.239.5:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 146.185.239.5:80
ThreatFox reference: https://threatfox.abuse.ch/ioc/251032/

Intelligence


File Origin
# of uploads: 1
# of downloads: 145
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://free4pc.org/bandicam-crack/
Verdict: Malicious activity
Analysis date: 2021-11-15 03:15:10 UTC
Tags: trojan evasion rat redline loader opendir stealer vidar raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
DNS request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Amadey RedLine Socelars
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Amadey bot
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph (ID: 525262)
Sample: CVfKJhwYQW.exe
Start date: 19/11/2021
Architecture: WINDOWS
Score: 100

Process tree:
  CVfKJhwYQW.exe
    setup_install.exe
      cmd.exe
        Mon03427abf6d.exe
          Mon03427abf6d.exe
      cmd.exe
        Mon037dad19d6f20c.exe
      cmd.exe
        Mon03bca493cc52d3.exe
      10 other processes, including:
        Mon03d682baddfde24a.exe
        Mon03bf96baf5344dba9.exe
        Mon0365c8b0f4c4ee5.exe
        4 other processes, including:
          Mon0360a704d3e8dbf7.tmp
  svchost.exe

Network contacts (by process):
  Sample start: 185.215.113.45 (WHOLESALECONNECTIONSNL, Portugal); 194.195.211.98 (NEXINTO-DE, Germany); 5 other IPs or domains
  Mon03bca493cc52d3.exe: 212.193.30.29 (SPD-NETTR, Russian Federation); 212.193.30.45 (SPD-NETTR, Russian Federation); 3 other IPs or domains
  Mon03d682baddfde24a.exe: 104.21.50.241 (CLOUDFLARENETUS, United States)
  Mon03bf96baf5344dba9.exe: 162.159.130.233 (CLOUDFLARENETUS, United States)
  4 other processes: 5.9.162.45 (HETZNER-ASDE, Germany); 2 other IPs or domains
  Mon03427abf6d.exe (child instance): 8.8.8.8 (GOOGLEUS, United States)

Dropped files (by process):
  CVfKJhwYQW.exe: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Mon03d682baddfde24a.exe (PE32); C:\Users\user\...\Mon03d4568a3971c731.exe (PE32); 15 other files (10 malicious)
  Mon03bca493cc52d3.exe: C:\Users\user\...50iceProcessX64[1].bmp (PE32+); C:\Users\...\ZvroaoshFMWjC2qSVT0arcTP.exe (PE32+)
  Mon03d682baddfde24a.exe: C:\Users\user\AppData\Roaming\3969222.exe (PE32); C:\Users\user\AppData\Roaming\3632341.exe (PE32); C:\Users\user\AppData\Roaming\2937917.exe (PE32); C:\Users\user\AppData\Roaming\6174338.exe (PE32)
  Mon03bf96baf5344dba9.exe: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
  Mon0365c8b0f4c4ee5.exe: C:\Users\user\...\Mon0365c8b0f4c4ee5.tmp (PE32)
  4 other processes: C:\Users\user\...\Mon0360a704d3e8dbf7.tmp (PE32)
  Mon0360a704d3e8dbf7.tmp: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)

Signatures (by process):
  Sample start: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 17 other signatures
  setup_install.exe: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
  10 other processes: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
  Mon03427abf6d.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Creates processes via WMI; 2 other signatures
  Mon037dad19d6f20c.exe: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
  Mon03bca493cc52d3.exe: Antivirus detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
  Mon0365c8b0f4c4ee5.exe: Obfuscated command line found
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2021-11-16 08:25:00 UTC
AV detection: 22 of 27 (81.48%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:metasploit family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:1c8f6a44843df90acc18419a2f54cfc1f7304cf0 botnet:933 botnet:media14111 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Amadey
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
Malware Config
C2 Extraction:
http://www.hhgenice.top/
185.215.113.45/g4MbvE/index.php
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
91.121.67.60:51630
Unpacked files
SHA256: 188da30341680680a23d42b909c202a6c0cc2acaec2df51a8c6eef9773f25088
  MD5: d1b9b90bbab7ddd72d53bfd54431491f
  SHA1: b15550cf6bebcf1f6c9b51bc930b2c4d1e4814a3
SHA256: 4feb70ee4d54dd933dfa3a8d0461dc428484489e8a34b905276a799e0bf9220f
  MD5: ed5b2c2bf689ca52e9b53f6bc2195c63
  SHA1: f61d31d176ba67cfff4f0cab04b4b2d19df91684
SHA256: 1b1d504ebdb420e8afdd0df17621d43ca48d145e6dcb9b4756355e8318896774
  MD5: d94b76fb0a2fca9df7329dab95e4f3bd
  SHA1: 291c3c6080b690f1588a7bbb753f8173992e2ab5
SHA256: 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
  MD5: 6449aa2e023c5931ac91815ca54225ed
  SHA1: 65b5f4df2c28472469ddf924e6b0d0a61394c612
SHA256: 586a40fdf5db28baa7d8cc93e9d6dd8d4fee0978f0fd0e352881f70ca2039b2e
  MD5: c98aaa2433dcfe1dae649683d9751b4c
  SHA1: d3c6cdb205c788423a088eb9211e054935d866b2
SHA256: 544e67e044dafbf651dc08606d63ab2718024c986ab7e0e403246a1e3f32eb87
  MD5: c084fd0820b600f3617d8d91e03fc88b
  SHA1: ba1bdcd94e02b887d0911e5604ce0c8d13c026af
SHA256: c4711f2e60e378902b24bf8609d54c8f71aeefc9c749483a59780f6b7c31f2e1
  MD5: af398238c7e9668ac3259080e20ddf94
  SHA1: a204a3e7ad17fdd79d7c6c95a10c40944d0b2a14
SHA256: 69bed59ccc12881ce11b7f637472308f9370c91a5197225766ec94b7a0ad9adf
  MD5: c35e272c32935dfb1ddb3ade5bd2ec97
  SHA1: a15a537b48fdb760eb1666d4e81da90dad3cd0c2
SHA256: 77dc2cc0dbb5bd6afd2bd43ee89d1f26aacbad79fc7d45e9375cd707aeeb8fe3
  MD5: 3e0d6e491eb9442248564b750f3700ad
  SHA1: 9f32ac8363e88b2144605b6bfd7e8d1825cbb3e2
SHA256: b68160bc92b75666aca152510b72af48394e0ef938e015f9dd2dc4d0c4153c68
  MD5: 19c7a574f2a4900f3ec14214e90e14f2
  SHA1: 59cdae16294f905dd7b5528f32d8d5e16850e579
SHA256: 6cc5f0181e1958b2423184a97b851c198a362dd22e1c92ce56bd913375fabf53
  MD5: fcacd0d71aaf7e91054e51713b223a8e
  SHA1: 571dd00abc2c57159feeb2e78afb463a57f63a31
SHA256: 33498f8dfd6180152d5a1c2c8e3dd62cf3d2c03be5defd8ebfd5a3a0a5c32e42
  MD5: cec9a8019c69c786d6b8486b66a57be7
  SHA1: 42f23eef1a4a3e5f83cca8da0abd1e5107e493f6
SHA256: 7f04ae8e77a01f5ef7b490df850af5716b3332653c9f289af2c01c68cedb8ed4
  MD5: 0b5ea81db36620c5842b58527a2dde26
  SHA1: 3a51f2422e864350067f453fa7008001c39e4592
SHA256: 93c4cba30e4e919db036ca03b25885094ff34caf6a52125dc5647c16c454e700
  MD5: f0380d884cef856b846e2128714e63be
  SHA1: a51466452c7ad1b604335cfcf00f6547ba326dfb
SHA256: 537446335f337864c34ebd26e909bb9185d6a0dada32e9ebb26559b062b47a42
  MD5: 4bdf2fac008ddb06c1285b86effa0fd7
  SHA1: 9111aaab85959b97c5583d1389b305116f75b526
SHA256: 8190790c47967df2636e9656c1b50ab66b95bf52feb6252701fed33ea239072a
  MD5: 31c6c83b040c99a7027e5185fa647085
  SHA1: acd976ecc790cfa64fd86781d5c44a45f770dedc
SHA256: 88bb91ffed9c2037cd79831ed821a9b0403133429452e130f32fe18260f11ede
  MD5: c7a74e9f37cf140c4050509cac7e1cd8
  SHA1: 8de46dcf44e3fa0a1833c83d9ee21bdc83ab3567
SHA256: 1b0a0c67549df844a2788e3029827025ad4516536171882e960e55147d5fa4b5
  MD5: f3cc58ecf3c0b8886fe2175b0ddb09e6
  SHA1: 5fdd8b2262c0536706159847e7726a590db23369
SHA256: 31c0531383cb27ada52e42c1b711ee6b30fbc08460311b922daffffb62c10837
  MD5: cf1ac1f0ec25b9e8b46927e17c8c3513
  SHA1: 36af45be06040991fa0d8121531c0f4e7851263b
SHA256: 9ba9e7f05082adfa6ebf528026151ceb6b160d3012b0ca8de6740e57069197dd
  MD5: e64da72d144fd93253b9996d17d88c37
  SHA1: cbc83985e3db329d91f3bd85e3f42a0be93cdbf6
SHA256: 5ad78b369a85b87478cd5694ddb59a3dfb8b2eb4eb451ba7e7a81ac42f1d3f3f
  MD5: 1975ff3a4abe2c756a2ebf31c4317030
  SHA1: 8d10cf643f6e94f06d1cd3feabb520e338892965
SHA256: 25745bbd7fbc0b71d8caa1bbea920e0b32ca6119ee4c815091834ba82342928b
  MD5: 2762ea4395199e54535fc730cbe600d6
  SHA1: 0d90d3d2cc292d38a77d36760fb4635fd345fe6f
SHA256: da967eb8fbcf6f1044fc12dd3cecdfd237e418bbde05eb4b2b6f81095c8dc569
  MD5: 716ad5f402da07d3abb107ccf8ca436e
  SHA1: a034ba68c4881fa1ad2d0f8cfe3baeb4dd14b166
SHA256: 8e2a3c9ab42314166d930089fbf7ff245d528394fea1ad413bb8362b2aa6cbd5
  MD5: a9650583455ebb93e83a9e841bcec75e
  SHA1: 03afe4d56dd1260daeb971e8012e9c7859d6dcec
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments