MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8eb464ddff8d1b4844641e7e1eefdcb9cd5830a3e63d19fe0c061db6a21b4405. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12



SHA256 hash: 8eb464ddff8d1b4844641e7e1eefdcb9cd5830a3e63d19fe0c061db6a21b4405
SHA3-384 hash: f05f18e2b735ec6f014d593e710eaf2424e6f690d465d8c56dbf26b94974e5c294966ac90aa9c1393b1d08c31455c869
SHA1 hash: 1937bd66b1c9aeb2dd10561e8f20003d582c39a2
MD5 hash: afb09650da6a333eca094a9153723f47
humanhash: ohio-steak-edward-happy
File name: afb09650da6a333eca094a9153723f47.exe
Signature: RedLineStealer
File size: 7'377'258 bytes
First seen: 2022-02-02 19:16:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JC7WJJZbhWUDj56e5TNu0678KKAVF69UD3wnrG64aw/:J6WxbQsgQ/67dKAfhDWrG64Z
TLSH: T14B7633632D961AF7FBF18B38053D17959C727005286CC06D97061ECB3EDA7492EEA329
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
116.203.252.195:22021

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
116.203.252.195:22021   https://threatfox.abuse.ch/ioc/377489/

Intelligence


File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Creating a window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a

Threat name: Win32.Trojan.Injuke
Status: Malicious
First seen: 2022-01-31 07:54:02 UTC
File Type: PE (Exe)
Extracted files: 435
AV detection: 33 of 43 (76.74%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:socelars botnet:v1user1 aspackv2 discovery infostealer persistence spyware stealer suricata
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates processes with tasklist
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://www.tpyyf.com/
116.203.252.195:22021
Unpacked files

SHA256 hash: ea4a436cda457c2080e6f785e53919f14b6881790753c037383b5034fc88b5bb
MD5 hash: c19f23dc3aa765c4d388c703880c5a39
SHA1 hash: ca9dee28428a3d772e2e5b20cb9886f0db35811b

SHA256 hash: c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0
MD5 hash: da70ba6fa59896248f7c05fdcb7d581e
SHA1 hash: 174cb2b083e327a362b6ecac68fe939a40743ffb

SHA256 hash: 9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f
MD5 hash: 32404da1b26037746f9bf0d5628ea968
SHA1 hash: 8d2bf53983638235d5cc2f81171839801ba02e84

SHA256 hash: e79ff194eb355b0ff63a5cfd5f6e94367ff2f267d60c9f2df6cbc844bd115e06
MD5 hash: 9d9c68549cf06b0485742e0865f5390c
SHA1 hash: b23241ac8419df6bb0a930ac80cdae9edbd55893

SHA256 hash: 6460754c17ab602b0ddfd2a82e637748b4a54139f6dbefa848ff01722a077acc
MD5 hash: 64638fe3e9d9acbcfe027bac3d0a7fab
SHA1 hash: ff0d35497c4d6676a01a57db299df9847b382126

SHA256 hash: 8a13f698d21786fc3fe5ce5e09fea10497551266eeec07fdf6abe3c55f9065d0
MD5 hash: 7db5edf513053778186311771126f449
SHA1 hash: cf7143b4722932f329543f8b2c870753568e8e1a

SHA256 hash: 474c9fc8b2e352497b55335f49c558ad2415f2f81ead253a512928d15406aea5
MD5 hash: 8490e18e04632ab9caabc81068118bc2
SHA1 hash: cf624298c3aa3023f7d8a9b37d60ed12be0ddc08

SHA256 hash: 559a787925ef30c1fb14cda16eff88571c82a381e4bed0e04d67d94ce0e599dd
MD5 hash: cb4de0af0156eef48229850364613eef
SHA1 hash: ba486209ed98a58dd32ccb0fdb33f47cbe94bf76

SHA256 hash: ecd1ba7beff437fedf4cf1e724829a5f7209896935c8dc9387a40b0acb69987a
MD5 hash: 609676a0a747ed2294a0fc07476b12c4
SHA1 hash: 9792b766e0e1c48f860d2e2833fc8f7d18ced51f

SHA256 hash: 52296dd5fff7e1ec5f159ce7974ab53f17fd967836f6155ddac2fabbedb3e221
MD5 hash: 441673ba438d6820734e94ab2cf83801
SHA1 hash: 89833fc0dd88f077bc155efcfd85866c21706256

SHA256 hash: a4516e3b3589efa8ce00fb1f4fe6f7d5b41634356cb0c8fb8d88c36354304c90
MD5 hash: 963f96f1c4e417ef8d0dff8f04003db2
SHA1 hash: 556190e60686ed7166dfdbf9cd883d72622f35dd

SHA256 hash: 43c4545fe9b0cb3723bc481c7786209d125ac012fda11f3a243f5fdd239d2437
MD5 hash: bbdde020cb1aa8c82b0130020d250b0b
SHA1 hash: 284bb91341e198d42d145aa316e73fa8349d2662

SHA256 hash: e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
MD5 hash: ce54b9287c3e4b5733035d0be085d989
SHA1 hash: 07a17e423bf89d9b056562d822a8f651aeb33c96

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash: 83b531c1515044f8241cd9627fbfbe86
SHA1 hash: d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256 hash: 245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash: 4f93004835598b36011104e6f25dbdba
SHA1 hash: 6cb45092356c54f68d26f959e4a05ce80ef28483

SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 56bc47d13a1d7ac385634f70075ca750b5e6455bef63152eb6ccf4276b9cefa5
MD5 hash: 86e406c290b0e202bbd56c69d9930e12
SHA1 hash: 228b209f2e930be14605dd8ad54c618643367ad1

SHA256 hash: 0d3cf19f775376600ee8dc44dd3edd984bf43a21de339da32aaf60d344c5f801
MD5 hash: 95161d444154a3bb27619fc5806c8bec
SHA1 hash: 6ea1996a9c65821bf810cdc800d191ea67e2e0f7

SHA256 hash: e2331a60754583c5493112235e71cba451309d3e745ad657e7f892d154566409
MD5 hash: 84b4c53f6d70c61483892126c41a1e58
SHA1 hash: eb264a262f23b9fa6d7c66ff3ed2db80eabaeac6

SHA256 hash: a2da5b6a3aaa8091662f3690675149bbd813affd41eb5122df722585505ddad4
MD5 hash: 3984943ba84970de9b154f38843b1c38
SHA1 hash: 36c9bece4f07325e6e9a0e2af44ab7cef15487da

SHA256 hash: 6b7dba8bea5b893225f6fbf56bf546d742c58648133612cee0e26f1df3d3d4c8
MD5 hash: eee718451c883233c3e221b32c241f74
SHA1 hash: 270987d57d5281eb531190afa4d9848d7e4bfc93

SHA256 hash: 7fe8a76ebb7c60c7a435665e84c7084bf28f9962376e2de12fd9479a1dba6774
MD5 hash: 8196ab9f540374159bec7375b639a53e
SHA1 hash: 6b13b8d8344b22806e0ba870e2e3365d12879588

SHA256 hash: 0e8161add1d676fd8047302871a45cbea7edbf04d174aba28289d627ac2d484e
MD5 hash: 9b6a125eb94a7eb1f249b683392527e0
SHA1 hash: 397a03748dd4ac145e5a177875251044b1147a20

SHA256 hash: 5edfe3cc46cfddeb8d24131cb18c4937d95014775559a8edc661a8ee044c223d
MD5 hash: f3233e08ac652b9375e1d59bc27e0734
SHA1 hash: 54d67575f5ca91416fbed55d9a533df3e4e4385b

SHA256 hash: f82f7ef14010b839f34c3316c345542baffccb637202df3dcce04cb8a78734fc
MD5 hash: f486a9a003a882bf2cd434e00d2a2bc9
SHA1 hash: 794fbbb198e953dc4ba702c97cb992293b1aca5d

SHA256 hash: 76eaaef9b3eb754a54eafbdb18ca6f76bdf8ea493856548a649a5a9dc8bd647b
MD5 hash: fa3c3439813ac908e0312111e57c3761
SHA1 hash: d5fd0140c1c1cfda50ad5157ed5dcdce4e76d3d6

SHA256 hash: 8eb464ddff8d1b4844641e7e1eefdcb9cd5830a3e63d19fe0c061db6a21b4405
MD5 hash: afb09650da6a333eca094a9153723f47
SHA1 hash: 1937bd66b1c9aeb2dd10561e8f20003d582c39a2
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments