MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
SHA3-384 hash: df3aad2cb71f188729a4cc29b0a7901952290926d4b475c420282dbb6c0c6975a97e826a0d681c573417d5d76c442738
SHA1 hash: baa2208823f49dcf58b96846e719c9054804bd33
MD5 hash: 14e3270ea2dc6157e4f92e50a2ad864a
humanhash: georgia-lemon-white-mango
File name:8F9CDF75C272FDA7DF367232756EA065600077804B165.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'692'706 bytes
First seen:2021-11-12 21:50:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yX+SzmX/omnhacIis9ElLe9PV4WBEo/yDaOj3u6xFaUNLs:yOSLAwcIis9ElLu4Wp/6jHxkUq
TLSH T1DE2633483DFB0159E75243B59DEFAB72BD7C68430018036E77A0016C958EE6AA3D7DA3
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://g-localdevice.biz/check.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://g-localdevice.biz/check.php https://threatfox.abuse.ch/ioc/247491/

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLInjector04
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205376/
Detection(s):
Win.Dropper.Pswtool-9857535-0
Create hunting rule

Win.Packed.Barys-9859263-0
Create hunting rule

Win.Malware.Barys-9859499-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
arkeistealer clipbanker mokes overlay packed
Link:
https://www.filescan.io/uploads/618ee1c9a00afa9663a57e8b/reports/4d504dc3-c92c-4e91-877a-149650310201/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Zenlod
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa4cbfe1-e97a-4359-996c-e3b8f0ddf7ff
Result
Threat name:
SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888408
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 520881 Sample: 8F9CDF75C272FDA7DF367232756... Startdate: 12/11/2021 Architecture: WINDOWS Score: 100 77 a.goatgame.co 2->77 79 people4jan.com 2->79 81 17 other IPs or domains 2->81 103 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->103 105 Antivirus detection for URL or domain 2->105 107 Antivirus detection for dropped file 2->107 113 17 other signatures 2->113 10 8F9CDF75C272FDA7DF367232756EA065600077804B165.exe 10 2->10         started        13 svchost.exe 2->13         started        15 svchost.exe 4 2->15         started        17 6 other processes 2->17 signatures3 109 May check the online IP address of the machine 77->109 111 Tries to resolve many domain names, but no domain seems valid 79->111 process4 file5 75 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->75 dropped 19 setup_installer.exe 17 10->19         started        process6 file7 53 C:\Users\user\AppData\...\setup_install.exe, PE32 19->53 dropped 55 C:\Users\user\AppData\...\Fri21b228e442.exe, PE32 19->55 dropped 57 C:\Users\user\...\Fri21935b83d1f957d.exe, PE32 19->57 dropped 59 12 other files (7 malicious) 19->59 dropped 115 Antivirus detection for dropped file 19->115 23 setup_install.exe 1 19->23         started        signatures8 process9 dnsIp10 97 127.0.0.1 unknown unknown 23->97 99 hsiens.xyz 23->99 137 Performs DNS queries to domains with low reputation 23->137 139 Adds a directory exclusion to Windows Defender 23->139 27 cmd.exe 23->27         started        29 cmd.exe 23->29         started        31 cmd.exe 1 23->31         started        33 8 other processes 23->33 signatures11 process12 signatures13 36 Fri2150291a84dc0e4f.exe 27->36         started        41 Fri211560103352e8.exe 29->41         started        43 Fri216916fdfc.exe 31->43         started        101 Adds a directory exclusion to Windows Defender 33->101 45 Fri21684b0cedde86b.exe 33->45         started        47 Fri216f165b95966f4.exe 33->47         started        49 Fri210dab64aa0b24.exe 1 33->49         started        51 3 other processes 33->51 process14 dnsIp15 83 212.192.241.15, 49771, 49780, 49793 RAPMSB-ASRU Russian Federation 36->83 91 2 other IPs or domains 36->91 61 C:\Users\...behaviorgraphh2Rnp6nxNThUQ401wFpsK38.exe, PE32+ 36->61 dropped 63 C:\Users\user\...63iceProcessX64[1].bmp, PE32+ 36->63 dropped 117 Antivirus detection for dropped file 36->117 119 Multi AV Scanner detection for dropped file 36->119 121 Detected unpacking (creates a PE file in dynamic memory) 36->121 135 2 other signatures 36->135 65 C:\Users\user\AppData\...\jwang-game.exe, PE32 41->65 dropped 67 C:\Users\user\AppData\Local\Temp\jhuuee.exe, PE32+ 41->67 dropped 69 C:\Users\user\AppData\Local\...\chrome3.exe, PE32+ 41->69 dropped 71 C:\Users\user\AppData\Local\Temp\2.exe, PE32 41->71 dropped 123 Machine Learning detection for dropped file 41->123 125 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 43->125 127 Checks if the current machine is a virtual machine (disk enumeration) 43->127 85 eduarroma.tumblr.com 74.114.154.18, 443, 49752 AUTOMATTICUS Canada 45->85 73 C:\Users\user\...\Fri216f165b95966f4.tmp, PE32 47->73 dropped 129 Obfuscated command line found 47->129 87 a.goatgame.co 49->87 93 2 other IPs or domains 49->93 89 s.lletlee.com 172.67.176.199, 443, 49746, 49754 CLOUDFLARENETUS United States 51->89 95 7 other IPs or domains 51->95 file16 131 Performs DNS queries to domains with low reputation 87->131 133 Tries to resolve many domain names, but no domain seems valid 89->133 signatures17
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217/
Threat name:
Win32.Downloader.Zenlod
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 13:35:59 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6on65ocol62pxzwoizhk3vamvqaa54ajmlfa3xfuqqdk4jsqilq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:vidar botnet:706 aspackv2 backdoor evasion stealer trojan
Link:
https://tria.ge/reports/211112-1qgx6secd2/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
Unpacked files
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
24b7cab984558a7367f0537619848c16705b06d1b7a3517b472d86d865eb1e6c
MD5 hash:
44340616b18291984f461a47fc5918f8
SHA1 hash:
fa99a8b6456e32d83419982b26ae47ced69e9f1f
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
3920a600f7257784883c4cc203e094b8baf44efed8f7b33acf45bf2a932f7b48
MD5 hash:
7aac4db98d760b77b15af793cc0c0b15
SHA1 hash:
beccf7ea0816571ce1c193b36fbde234ae67c743
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
05f6fdbe6b040c5c46966eafba6e95eb4b12a9dffa8dbde445e13655da75d1c9
MD5 hash:
f68caed1e3ef4e8c85f531bf9660c559
SHA1 hash:
93dee545fd3757b276dd6a1482c91c3d940662bb
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
ccc9ae38269aef9efc17eaf1b28a1f1f3a8194c45c92a469f3d6e8bb75b5d744
MD5 hash:
665ada34d8fcc2912a3573860f424eaf
SHA1 hash:
7bec0c49a6cc151680c9ec2ea37f353a81b20168
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
d001a9408cf1c71fc8250cf81fa6ae7d50b0227c06c401415da3cf85169c0f20
MD5 hash:
c0c9a38574dde12de573d7d2dee86f0b
SHA1 hash:
5438569db6c8064fae40b418a4f5c4846a117a5c
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
fde54a2a925ca3fd1c35480f31fa5df6542c682e3069f3f7d040790a86eb2e86
MD5 hash:
d5eaca2556aac8ba284283d23229f34b
SHA1 hash:
1e64c9ef5a5d1006675ee1cebca37352f5f3ef35
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
cbe9cfeda139dd3deb8eb4d460573578a2afabd91c9e4f8538fc2cb9188fa603
MD5 hash:
75d01c598f6c8f5cdc26fc282f77f768
SHA1 hash:
002a7e565dcabcad2c80eede524e125ba9b93110
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
f40df33696579c8b1e52905f3d11c970dc78440ee5842b9f4af3753d3310aa74
MD5 hash:
38ee89c417d30822717a95accf741d39
SHA1 hash:
1f22dc2b1f3057ac96ec6bae92381a0a9449eaf3
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
c1e096782878b094649c62abe8f6c90e4a6a9cb488bce731f47fb304cc626e92
MD5 hash:
3552bf1fa8d20cd96680330f4f93644f
SHA1 hash:
cb43c29d9d33fd17c50be398a17e7bdbbaad380e
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
ad778cad9f317ef1d86ca7f7dc4e4ffad55acbab6672d7705ddf8b570ba5088e
MD5 hash:
700f65c6e7436a17750e4553da940b92
SHA1 hash:
d0ef3854e2386c9776c099311bd03e232b733a8b
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
8fcc6aefe96e7fbef7f0d6a9d34300d4cea78f6631db0e2c703d6dd4a6b79c46
MD5 hash:
f298e12fc243cab3c06c1b6946b54f13
SHA1 hash:
0e209e9676349bd3b2911d37d5bcf477bf38195c
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
be1a995a50d0cff9dd3f6699a1d13b56a5661263e78cc0e13718aa09ef97fb7a
MD5 hash:
5a71b5ff3bb399bbef1450b5e54ce594
SHA1 hash:
72166dd78ba76d74741900cacb03bb98e1055a1e
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
SH256 hash:
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
MD5 hash:
14e3270ea2dc6157e4f92e50a2ad864a
SHA1 hash:
baa2208823f49dcf58b96846e719c9054804bd33
Link:
https://www.unpac.me/results/3c7b9171-c83f-42b6-8520-121c238f3231/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8f9cdf75c272/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205376/

Comments