MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9217d926826128058e86a2a2bba020ea38062503648e320194b22d1ade0ffee9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 11

SHA256 hash: 9217d926826128058e86a2a2bba020ea38062503648e320194b22d1ade0ffee9
SHA3-384 hash: 7ed1faa3eb0a1eacf32ad95d9ae49a5a9bd9a68a246a4889f0b716aaf2488c3bfbadfed163693f9963adec9300c106ef
SHA1 hash: f21b1dc0c622e4c084107e8cc159cfdce3f781e4
MD5 hash: 5499fd2b9a83a2de834ba2539d2d210d
humanhash: purple-tango-september-sweet
File name: 5499fd2b9a83a2de834ba2539d2d210d
Signature: RedLineStealer
File size: 1'191'470 bytes
First seen: 2021-06-19 04:53:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 24576:pAT8QE+kBdI1k1n5hjo2ZQridOHBV8sBdUtjLc02WdK3D4yVWK/Vhl:pAI+m/hjVZe/3BdAj92+WDN3Pl
Threatray: 366 similar samples on MalwareBazaar
TLSH: F2452339B681427AC1620D36488BD376B53BBB44AB7C55CF77ED0E2C9D332091AA4397
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                ThreatFox Reference
178.57.217.111:80  https://threatfox.abuse.ch/ioc/136590/

Intelligence


File Origin
# of uploads: 1
# of downloads: 162
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5499fd2b9a83a2de834ba2539d2d210d
Verdict: No threats detected
Analysis date: 2021-06-19 04:56:10 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses regedit.exe to modify the Windows registry
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph rendering not reproduced; Behavior Graph ID 437076, sample VvNO8fiDur, start date 19/06/2021, architecture WINDOWS, score 100]
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-06-18 02:56:48 UTC
AV detection: 26 of 46 (56.52%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:vidar discovery evasion infostealer spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Runs .reg file with regedit
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
RedLine
RedLine Payload
Vidar
Unpacked files

SHA256 hash: ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash: ccf4a60623b784b084855d0468d76eab
SHA1 hash: 9419cc65a1bb70e8780f6da7cedd169eb333db88

SHA256 hash: 6b8527bc5962b8ca79b72b06a4205118cd98b6d8bf3a0fd445355b0fe76627cd
MD5 hash: f1d55229fc6bdf5420e1600ce99121f5
SHA1 hash: 3ecf2b180b863bad534773212f128cace190d7d4

SHA256 hash: ee89ed2bc08b9b7d0278e99437619eb2ed7c236b8be4bb080b8c7d0ed3ae7bb4
MD5 hash: 6b598ea8e6f5b1589010eaeb44c74e58
SHA1 hash: a8a17365fdb3f9664ede5148dae40f0afd99962c

SHA256 hash: 9217d926826128058e86a2a2bba020ea38062503648e320194b22d1ade0ffee9
MD5 hash: 5499fd2b9a83a2de834ba2539d2d210d
SHA1 hash: f21b1dc0c622e4c084107e8cc159cfdce3f781e4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: pe_imphash

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: Telegram_stealer_bin_mem
Author: James_inthe_box
Description: Telegram in files like avemaria

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: RedLineStealer
File: Executable exe 9217d926826128058e86a2a2bba020ea38062503648e320194b22d1ade0ffee9 (this sample)
Delivery method: Distributed via web download

Comments