MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9631d8bd74d4a0384cae4396e9b0fa5f5898496028e24a274f3d571ce5c22b3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: 9631d8bd74d4a0384cae4396e9b0fa5f5898496028e24a274f3d571ce5c22b3a
SHA3-384 hash: d55bdd2c5306b5bd37fca8f565f3dd6b2d842a1c482f1da43ba39981766f23198f63e5935aa144006c7c35fc5d52b4a4
SHA1 hash: b7b37a93db95321fb31c57645b4c61e1c5e4fc77
MD5 hash: 5692bc30e83b7a435a60f1d76794db03
humanhash: wyoming-snake-foxtrot-avocado
File name: grs.exe
Signature RedLineStealer
File size: 3'364'021 bytes
First seen: 2022-03-24 18:07:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:UbA30Z/Scrx0pUg3VHNdMMav2KrguE/8IDztT7jWw6cQiOCZyWsVwkvpD9:UbFx7glBaeKrgZ0IDpbWw6cVw2kvpD9
Threatray 11'308 similar samples on MalwareBazaar
TLSH T1EBF53322BAC594B0E1720E325A79D325A53CBC212F188FDF73E465AE59311C2E63573B
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter adm1n_usa32
Tags: exe RedLineStealer
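
Checking a downloaded copy of the sample against the digests and size listed above, as an added example that is not MalwareBazaar's own tooling. It uses only the Python standard library; the values in ENTRY are copied from this page, everything else (function names, the command-line usage) is an assumption of the example. Run it only inside an isolated analysis environment, since the file it reads is live malware.

```python
"""
Verify a file against the hashes and size recorded in this MalwareBazaar
entry.  Added example, not MalwareBazaar's own code.
"""
import hashlib
import re

# Values copied from the entry above.  The file-size field keeps the
# apostrophe thousands separator exactly as the page shows it.
ENTRY = {
    "file_name": "grs.exe",
    "file_size": "3'364'021 bytes",
    "sha256": "9631d8bd74d4a0384cae4396e9b0fa5f5898496028e24a274f3d571ce5c22b3a",
    "sha3_384": "d55bdd2c5306b5bd37fca8f565f3dd6b2d842a1c482f1da43ba39981766f23198f63e5935aa144006c7c35fc5d52b4a4",
    "sha1": "b7b37a93db95321fb31c57645b4c61e1c5e4fc77",
    "md5": "5692bc30e83b7a435a60f1d76794db03",
}


def parse_size(text):
    """Turn "3'364'021 bytes" into 3364021 (tolerates ', commas and spaces)."""
    return int(re.sub(r"[^0-9]", "", text))


def fingerprint(data):
    """Compute the four digests MalwareBazaar lists for a sample, plus the size."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def verify(data, entry=ENTRY):
    """Return the names of the fields that do NOT match the entry.

    An empty list means every digest and the size agree, i.e. the bytes on
    disk are the bytes this page describes.  Checking all four digests (not
    just MD5) guards against a swapped or truncated download.
    """
    fp = fingerprint(data)
    mismatches = [a for a in ("sha256", "sha3_384", "sha1", "md5")
                  if fp[a] != entry[a].lower()]
    if fp["size"] != parse_size(entry["file_size"]):
        mismatches.append("size")
    return mismatches


def verify_file(path, entry=ENTRY):
    """Same check, reading the candidate file from disk (hypothetical usage)."""
    with open(path, "rb") as fh:
        return verify(fh.read(), entry)


if __name__ == "__main__":
    import sys
    bad = verify_file(sys.argv[1])
    print("OK: file matches the entry" if not bad
          else "MISMATCH in: " + ", ".join(bad))
```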

Intelligence


File Origin
# of uploads: 1
# of downloads: 216
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Creating a file in the Program Files directory
Creating a file in the %temp% directory
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Reading critical registry keys
Searching for the browser window
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cookie Stealer Nitol RedLine SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Drops PE files to the document folder of the user
Found API chain indicative of debugger detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected Nitol
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph (ID 596653; sample grs.exe; start date 24/03/2022; architecture WINDOWS; score 100), rendered as a process tree:

Top-level network contacts: 20.42.65.92 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 45.150.67.141 (ASDETUKhttpwwwheficedcomGB, Montenegro); iplogger.org
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures

grs.exe (started)
  dropped: C:\Users\user\Desktop\pub2.exe (PE32); C:\Users\user\Desktop\jg4_4jaa.exe (PE32); C:\Users\user\Desktop\agdsk.exe (PE32); 4 other files (1 malicious)
  started: pub2.exe, wf-game.exe, ujqb.exe, 5 other processes

  pub2.exe
    dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
    signatures: DLL reload attack detected; Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 4 other signatures
    injected into: explorer.exe
      network: 172.105.162.84 (LINODE-APLinodeLLCUS, United States); 127.0.0.127 (unknown)
      dropped: C:\Users\user\AppData\Roaming\egjdice (PE32)
      signatures: Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)

  wf-game.exe
    dropped: C:\Program Files\patch.dll (PE32)
    started: rundll32.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      injected into: svchost.exe
        signatures: System process connects to network (likely due to code injection or exploit); Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
        started: svchost.exe
          network: facebook.websmails.com 204.11.56.48 (CONFLUENCE-NETWORK-INCVG, Virgin Islands (BRITISH))
          signatures: Query firmware table information (likely to detect VMs)

  ujqb.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\File.exe (PE32)
    started: File.exe
      signatures: Multi AV Scanner detection for dropped file; Sample uses process hollowing technique; Injects a PE file into a foreign processes

  5 other processes
    network: 192.168.2.4 (ports 137, 443, 49725; unknown); 101.36.107.74:80 (UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, China); 8 other IPs or domains
    dropped: C:\Users\user\Documents\...\jg4_4jaa.exe (PE32); C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32); C:\Users\user\AppData\Local\Temp\haleng.exe (PE32); 3 other files (none is malicious)
    signatures: Detected unpacking (overwrites its own PE header); Drops PE files to the document folder of the user; Found API chain indicative of debugger detection
    started: jfiag3g_gg.exe, chrome.exe
    jfiag3g_gg.exe
      signatures: Tries to harvest and steal browser information (history, passwords, etc)
    chrome.exe
      network: clients.l.google.com 142.250.185.110 (ports 443, 49767, 56439; GOOGLEUS, United States); 142.250.185.65 (GOOGLEUS, United States); 6 other IPs or domains
Threat name:
Win32.Trojan.RedLineStealer
Status:
Malicious
First seen:
2021-04-15 09:53:52 UTC
File Type:
PE (Exe)
Extracted files:
231
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Result
Malware family:
socelars
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars botnet:v113 agilenet backdoor discovery evasion infostealer persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://www.fddnice.pw/
http://www.sokoinfo.pw/
http://www.zzhlike.pw/
http://www.wygexde.xyz/
http://perseus007.xyz/upload/
http://lambos1.xyz/upload/
http://cipluks.com/upload/
http://ragnar77.com/upload/
http://aslauk.com/upload/
http://qunersoo.xyz/upload /
http://hostunes.info/upload/
http://leonisdas.xyz/upload/
45.150.67.141:8054
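
One way to operationalise the C2 list above, as an added example that is not part of this page or of the sandbox that produced the extraction: parse every entry into a host plus optional port, then run the result over proxy and DNS log lines. C2_RAW is copied verbatim from the list (including the stray space in the qunersoo.xyz entry, which the URL parser tolerates); the log lines, their field layout and the function names are constructed for illustration and are not a real log source.

```python
"""
Match the C2 indicators extracted for this sample against proxy / DNS log
lines.  Added example; not MalwareBazaar code.  C2_RAW is copied from the
"C2 Extraction" list above; SAMPLE_LOG is constructed for illustration.
"""
import re
from urllib.parse import urlsplit

C2_RAW = """
http://www.fddnice.pw/
http://www.sokoinfo.pw/
http://www.zzhlike.pw/
http://www.wygexde.xyz/
http://perseus007.xyz/upload/
http://lambos1.xyz/upload/
http://cipluks.com/upload/
http://ragnar77.com/upload/
http://aslauk.com/upload/
http://qunersoo.xyz/upload /
http://hostunes.info/upload/
http://leonisdas.xyz/upload/
45.150.67.141:8054
"""

# Constructed log lines (timestamp, source, client, details); not a real log.
SAMPLE_LOG = """\
2022-03-24T18:09:59Z dns   192.168.2.4 query A perseus007.xyz
2022-03-24T18:10:01Z proxy 192.168.2.4 POST http://perseus007.xyz/upload/ 200
2022-03-24T18:10:03Z conn  192.168.2.4 -> 45.150.67.141:8054 tcp
2022-03-24T18:10:05Z conn  192.168.2.4 -> 45.150.67.141:443 tcp
2022-03-24T18:10:07Z proxy 192.168.2.4 GET https://clients.l.google.com/ 200
2022-03-24T18:10:09Z dns   192.168.2.4 query A www.fddnice.pw
"""

# Hostname or dotted IPv4, optionally followed by :port.
HOST_RE = re.compile(
    r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?",
    re.IGNORECASE,
)


def parse_c2(raw):
    """Map host-or-IP -> set of ports.  None in the set means 'any port'
    (the http:// entries carry no explicit port in the extraction)."""
    indicators = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if "://" not in line:            # bare host:port form, e.g. 45.150.67.141:8054
            line = "tcp://" + line
        parts = urlsplit(line)
        host = (parts.hostname or "").lower()
        if host:
            indicators.setdefault(host, set()).add(parts.port)
    return indicators


def host_matches(host, indicators):
    """Return the indicator that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines, indicators):
    """Return [(line_no, matched_token, indicator)] for every C2 contact seen.

    A log token without a port matches any indicator; a token with a port
    matches only if the indicator accepts any port (None) or that port.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            host, port = m.group(1), m.group(2)
            ioc = host_matches(host, indicators)
            if ioc is None:
                continue
            ports = indicators[ioc]
            if port is None or None in ports or int(port) in ports:
                token = host if port is None else f"{host}:{port}"
                hits.append((lineno, token, ioc))
    return hits


if __name__ == "__main__":
    for lineno, token, ioc in scan_log(SAMPLE_LOG.splitlines(), parse_c2(C2_RAW)):
        print(f"line {lineno}: {token} matches C2 indicator {ioc}")
```

Two design choices worth knowing before pointing this at real telemetry: matching is exact-or-subdomain, so the listed www.fddnice.pw does not fire on a bare fddnice.pw lookup, and the one bare IP entry is bound to port 8054, so the constructed 45.150.67.141:443 line is deliberately not a hit. If you would rather treat any contact with that address as suspicious, record None instead of the port for IP entries.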
Unpacked files

SHA256 hash: b22166f86a0cd5081e6b0d5d39e24a3175b372b6c24cc1ceea255cf61987e3a9
MD5 hash: 6406923e55b108252871f2db45b8aa71
SHA1 hash: e7c82260b9a0107bbf696fc1fb0ed5ccec047cd8

SHA256 hash: 0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash: cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash: b968c57a14ddada4128356f6e39fb66c6d864d3f

SHA256 hash: 55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash: 4de4b7bc0a92902422c4204fcfa58150
SHA1 hash: 587e0299ea32cc836281998941daa60f471e3480

SHA256 hash: 40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash: 7165e9d7456520d1f1644aa26da7c423
SHA1 hash: 177f9116229a021e24f80c4059999c4c52f9e830

SHA256 hash: d8c2fcf9083d2d170308e6d07c209a09afb134160dcc456a469bb0a2d9cbc22a
MD5 hash: 502ccb6f08abf88eeb309e0c1f29b893
SHA1 hash: bcb86137137884d6d27f3cab6a37e8ddd3de806c

SHA256 hash: df1a9a45a3f7c5041ad2bd3db44d8f08042168e09a51cba5704731078123c8cf
MD5 hash: d67ac553f53c2f60a5e12842bfe5a8b6
SHA1 hash: af304f23a4e418f91924212abd87f59fb0fe460f

SHA256 hash: 4709f2a7c1d03e0af4fa962d25d5b87f59cc6a48a2807c25d1ffb425156f6105
MD5 hash: 9e75f4622a7e68837547f77dcf291edf
SHA1 hash: 55d4dcbc5153de24b13968366dd4f7d5b5052122

SHA256 hash: 00cb52b80d015d1b692158ce9ca867b99b1ac82d9538090a09881b9edaa0c417
MD5 hash: 75ca86f2b605a5924edeb57b180620e7
SHA1 hash: df2fda930efd40c2ae7c59533e5097bd631c3b47

SHA256 hash: 39ed68982fd0243c6e50b57162182e415b85871e4a83f764f607a1b64e587d04
MD5 hash: eca4350cdab1176e63fea22f9597e821
SHA1 hash: c0110a45cdbc0012122eb970a4680e0b303444cd

SHA256 hash: bf5b31063ae254fad48cb5d152cbd103f3b5039db0452bd734fa125955778ceb
MD5 hash: 7b42af79b6a0b1cea631b65d06f5b0f9
SHA1 hash: 5d56e95b6977e7adf9c68038eeb46e61469c43db

SHA256 hash: 7ed19355e991132dafa16f97fd8e8e619f5efa1a75fadddf09b3427f9d0746c3
MD5 hash: fe230b0b5014f449f4670986eee8563e
SHA1 hash: e0fb083261b93991470e1402e87f040b3059ea76

SHA256 hash: 728dd329989a1840ad26871337f1594f051d5c50f8a28a0e1cc1d2b00248a5b2
MD5 hash: 19a8e490ae15e6dd641db80f9748dbfa
SHA1 hash: 7fd298c515064f66da537c948d93104ce032bbb0

SHA256 hash: 816b3cb72c986209b69ff867c282b2d5a87d179704daa0e53cb8a9879ef1a62d
MD5 hash: ecb50727932e9dc0094302fe7481775e
SHA1 hash: adf0d75fcb7fa9d32818b657dd49154f24632c4d
Detections: win_socelars_auto

SHA256 hash: a9aea14d113b4dbcd31bcb9d97df48330a2a5bb067ba8a140a5e6557ccee1175
MD5 hash: 29f81901316edf5749d4c96c4413d2b5
SHA1 hash: a4058e211889c10ca2da4176ad5b78249803702b

SHA256 hash: ce53f8d9eb723509b64bf13a8b362bd9558efade76c9839e36d273e62fb79437
MD5 hash: 792ff0c3b56908e0d493e95c200f68bd
SHA1 hash: 002580e575d35992a7e994904c3e52023fe10b49

SHA256 hash: 9631d8bd74d4a0384cae4396e9b0fa5f5898496028e24a274f3d571ce5c22b3a (the submitted sample itself)
MD5 hash: 5692bc30e83b7a435a60f1d76794db03
SHA1 hash: b7b37a93db95321fb31c57645b4c61e1c5e4fc77
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: MALWARE_Win_Chebka
Author: ditekSHen
Description: Detects Chebka

Rule name: MALWARE_Win_Fabookie
Author: ditekSHen
Description: Detects Fabookie / ElysiumStealer

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RedLine_a
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_new_bin
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
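
The SUSP_XORed_MSDOS_Stub_Message rule above looks for the DOS stub string "This program cannot be run in DOS mode" hidden under a single-byte XOR, which is a common way of storing an embedded PE payload so that it does not look like one. The following added example is not the rule's code and does not reproduce its exact condition; it performs the equivalent brute-force scan over keys 0x01 to 0xff in Python and adds a minimal MZ/PE header check of the kind a triage script runs before anything else. The test buffer is constructed inside the block, not taken from the sample.

```python
"""
Brute-force search for a single-byte-XOR-encoded MS-DOS stub message plus a
minimal PE header sanity check.  Added example in the spirit of the
SUSP_XORed_MSDOS_Stub_Message rule; not the rule's own code.
"""
import struct

STUB = b"This program cannot be run in DOS mode"


def find_xored_stub(data, keys=range(0x01, 0x100)):
    """Return sorted [(offset, key)] for every copy of STUB XORed with a
    single byte.  Key 0x00 is excluded on purpose: that is the plain stub
    every linker writes, which is not suspicious on its own."""
    hits = []
    for key in keys:
        needle = bytes(b ^ key for b in STUB)
        start = 0
        while True:
            off = data.find(needle, start)
            if off < 0:
                break
            hits.append((off, key))
            start = off + 1
    return sorted(hits)


def pe_signature_offset(data):
    """Return e_lfanew if data starts with 'MZ' and carries 'PE\\0\\0' at the
    offset stored at 0x3C, else None.  This is the structural check behind
    a "Windows PE Executable" verdict; it does not say anything about intent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def build_test_pe(key):
    """Constructed MZ/PE-shaped buffer whose stub message is XORed with `key`
    (key 0 gives a plain stub).  Test fixture only, not a real executable."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    body = hdr + bytes(b ^ key for b in STUB) + b"\0" * 8
    struct.pack_into("<I", body, 0x3C, len(body))  # e_lfanew -> PE signature
    return bytes(body) + b"PE\0\0" + b"\0" * 20


def triage(data):
    """Summarise the three facts a reviewer wants first."""
    return {
        "pe": pe_signature_offset(data) is not None,
        "plain_stub": STUB in data,
        "xored_stub": find_xored_stub(data),
    }


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

A plain stub inside an outer PE is normal; a second copy that only appears after XOR decoding is the signal, since it usually marks an embedded executable that the packer did not want string scanners or YARA to see. The scan is O(255 x n) with `bytes.find`, which is fast enough for files of this sample's size.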

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments