MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 2 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
SHA3-384 hash: 8082d735cdde5164b94c993392c5437bccdca5657f1063e7a1998ddd5da53e45639893edb907dc61451ceeefaf53aa85
SHA1 hash: 0c59d3494b38d768fe120e0a4ca2a1dca7567e6e
MD5 hash: 0c3f670f496ffcf516fe77d2a161a6ee
humanhash: red-carbon-ceiling-mockingbird
File name:sonia_5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'038'848 bytes
First seen:2021-07-18 16:17:54 UTC
Last seen:2021-07-18 16:47:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dfdbbaddb8a136421be0aeeb6bc8616a (1 x RedLineStealer)
ssdeep 12288:F3b7quLrjGT+OeO+OeNhBBhhBBf3z4EVXzUJozTUlrDmxJtEbHuExnR6VeJNTFHv:1b7quLfjfVQJWxEh8eJ9F1NUT73r5w
Threatray 870 similar samples on MalwareBazaar
TLSH T100254B23A201B015ECB2CCF6A9AEA6BB751C6D30535444EF73C4791A5E711F3AA30AD7
Reporter James_inthe_box
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
93.189.40.76:80 https://threatfox.abuse.ch/ioc/161039/
176.114.11.244:80 https://threatfox.abuse.ch/ioc/161040/

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-07-18 15:41:27 UTC
Tags:
evasion trojan stealer vidar loader keylogger agenttesla rat redline amadey phishing raccoon
Link:
https://app.any.run/tasks/83aa61a7-5ae3-4a24-bf60-212054dfdcef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172430/
Detection(s):
ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0565012e-3853-4df8-ad3d-28195d232d0b
Result
Threat name:
Backstage Stealer Glupteba RedLine Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817946
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Backstage Stealer
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 450357 Sample: sonia_5.exe Startdate: 18/07/2021 Architecture: WINDOWS Score: 100 106 google.vrthcobj.com 2->106 124 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->124 126 Found malware configuration 2->126 128 Antivirus detection for URL or domain 2->128 130 23 other signatures 2->130 9 sonia_5.exe 4 55 2->9         started        signatures3 process4 dnsIp5 108 www.anderesitebrauchen.com 9->108 110 37.0.11.41, 49728, 80 WKD-ASIE Netherlands 9->110 112 15 other IPs or domains 9->112 88 C:\Users\...\sEz4d3WisevwHGi1I5crOHLn.exe, PE32 9->88 dropped 90 C:\Users\...\rlhQyL25oOGVAjtXlY6OxsmI.exe, PE32 9->90 dropped 92 C:\Users\...\jZX6JXfBSevK_gsSK5t1tcYU.exe, PE32 9->92 dropped 94 33 other files (22 malicious) 9->94 dropped 146 Drops PE files to the document folder of the user 9->146 148 May check the online IP address of the machine 9->148 150 Performs DNS queries to domains with low reputation 9->150 152 Disable Windows Defender real time protection (registry) 9->152 14 ZqIM7XNoElaaqfvoGbAkJwSs.exe 9->14         started        17 QuuWNF_XecGEQAWiiGUZju4c.exe 87 9->17         started        21 ClDaAalDLauSmM1ap1ep3H18.exe 9->21         started        23 15 other processes 9->23 file6 signatures7 process8 dnsIp9 154 DLL reload attack detected 14->154 156 Contains functionality to inject code into remote processes 14->156 158 Injects a PE file into a foreign processes 14->158 25 ZqIM7XNoElaaqfvoGbAkJwSs.exe 14->25         started        96 116.202.183.50 HETZNER-ASDE Germany 17->96 98 sslamlssa1.tumblr.com 74.114.154.22 AUTOMATTICUS Canada 17->98 66 12 other files (none is malicious) 17->66 dropped 160 Detected unpacking (changes PE section rights) 17->160 162 Detected unpacking (overwrites its own PE header) 17->162 164 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->164 172 2 other signatures 17->172 54 C:\Program Files (x86)\...\md8_8eus.exe, PE32 21->54 dropped 56 C:\Program Files (x86)\Company\...\jooyu.exe, PE32 21->56 dropped 58 C:\Program Files (x86)\...\jingzhang.exe, PE32 21->58 dropped 68 2 other files (1 malicious) 21->68 dropped 29 md8_8eus.exe 21->29         started        32 jooyu.exe 21->32         started        34 jingzhang.exe 21->34         started        36 file4.exe 21->36         started        100 91.241.19.12 REDBYTES-ASRU Russian Federation 23->100 102 ip-api.com 208.95.112.1 TUT-ASUS United States 23->102 104 8 other IPs or domains 23->104 60 C:\Users\...\sEz4d3WisevwHGi1I5crOHLn.exe, PE32 23->60 dropped 62 C:\Users\user\Documents\RLHQYL~1.EXE.tmp, PE32 23->62 dropped 64 C:\Users\user\AppData\...\2125982538.exe, PE32 23->64 dropped 70 8 other files (none is malicious) 23->70 dropped 166 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->166 168 Query firmware table information (likely to detect VMs) 23->168 170 Drops PE files to the document folder of the user 23->170 174 7 other signatures 23->174 38 2125982538.exe 23->38         started        40 rundll32.exe 23->40         started        42 FrVn2OKHZhLCepQF7UEOI1eA.exe 23->42         started        44 6 other processes 23->44 file10 signatures11 process12 dnsIp13 72 C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32 25->72 dropped 132 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->132 134 Renames NTDLL to bypass HIPS 25->134 136 Checks if the current machine is a virtual machine (disk enumeration) 25->136 46 explorer.exe 25->46 injected 114 101.36.107.74 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 29->114 74 C:\Users\user\Documents\...\md8_8eus.exe, PE32 29->74 dropped 138 Tries to harvest and steal browser information (history, passwords, etc) 29->138 116 star-mini.c10r.facebook.com 157.240.17.35 FACEBOOKUS United States 32->116 118 www.facebook.com 32->118 120 ip-api.com 32->120 76 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 32->76 dropped 78 C:\Users\user\AppData\Local\...\install.dll, PE32 34->78 dropped 80 C:\Users\user\AppData\...80ewtonsoft.Json.dll, PE32 34->80 dropped 48 conhost.exe 34->48         started        140 Sample uses process hollowing technique 38->140 142 Injects a PE file into a foreign processes 38->142 50 conhost.exe 38->50         started        122 45.155.205.150 SCALAXY-ASNL Russian Federation 40->122 144 System process connects to network (likely due to code injection or exploit) 40->144 82 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 42->82 dropped 84 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 42->84 dropped 86 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 42->86 dropped 52 conhost.exe 42->52         started        file14 signatures15 process16
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 13:42:04 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3m7iefudzi7beye4xg23rgwd6bfmle64fn6qehampzpk2ebfxia._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
masslogger
Create hunting rule
Similar samples:
09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac
RedLineStealer
12344b1913ac3ae118e0924428330f30f3987737a6582094686c286c0de3faa7
RedLineStealer
1a1d8823b35b8c0d8dfcebe065520a07fe105589893262976fce4122317c55b8
RedLineStealer
245df5e6eb13e960dc2cd57d5ee69c8cee7bd93edc1733cfec479711dac7c777
RedLineStealer
384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc
RedLineStealer
53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9
RedLineStealer
88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902
RedLineStealer
adb98685d3d6a8fa5e90b6fd9d458601d874718d5815f8aab66728ba9d067440
RedLineStealer
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
RedLineStealer
+ 860 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fickerstealer family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:18_7_r botnet:865 botnet:903 botnet:al botnet:isus_20.2 agilenet backdoor discovery dropper evasion infostealer loader spyware stealer themida trojan upx vmprotect
Link:
https://tria.ge/reports/210718-hhm332fe5j/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Amadey
Fickerstealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
x-vpn.ug/hfV3vDtt/index.php
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
45.14.49.91:60919
https://sslamlssa1.tumblr.com/
xtarweanda.xyz:80
tstamore.info:80
195.133.40.204:80
Unpacked files
SH256 hash:
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
MD5 hash:
0c3f670f496ffcf516fe77d2a161a6ee
SHA1 hash:
0c59d3494b38d768fe120e0a4ca2a1dca7567e6e
Link:
https://www.unpac.me/results/e0d1f3b1-a37b-4314-93e7-545a00ddbf02/
Parent samples :
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/172430/

Comments