MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a
SHA3-384 hash: 8ca7e1925eb417af1c32ee35525947a4cb4a4c3142b9ff702625c1ee1db56f3ed8378848ec4f04739bf48c3214ae400f
SHA1 hash: 91ba4cf7e046e1ec164ea4e7ac930daa8aefb1e6
MD5 hash: ac5ac3dc9105407cdcea292bbb1e2282
humanhash: kentucky-finch-glucose-queen
File name: ac5ac3dc9105407cdcea292bbb1e2282.exe
Signature: RedLineStealer
File size: 10'154'530 bytes
First seen: 2022-04-04 03:00:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:J5OOa//h7LtA7MIYH9ohniTadHd/OjMdtJrJplMOoakfUPG8FuZOcEQUuGcu:J8Oah7RA7LYH9oRhd/oqJrHlXkfURIZy
Threatray: 7'454 similar samples on MalwareBazaar
TLSH: T192A6336E6050C02BC1226F7196BEDF30D627D3A6E471EB26E76E395C5D21FE30C69422
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
95.217.188.140:20326

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                       ThreatFox Reference
95.217.188.140:20326      https://threatfox.abuse.ch/ioc/488446/
185.215.113.34:41166      https://threatfox.abuse.ch/ioc/488447/

Intelligence


File Origin
# of uploads: 1
# of downloads: 243
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe exploit overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader Socelars Zealer Stealer only
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected onlyLogger
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Zealer Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 602156 - Sample: 3HJ7vwnq1k.exe - Start date: 04/04/2022 - Architecture: WINDOWS - Score: 100

Network contacts from the start node:
  5.23.50.132 TIMEWEB-ASRU Russian Federation
  151.115.10.1 OnlineSASFR United Kingdom
  6 other IPs or domains
Signatures at the start node:
  Multi AV Scanner detection for domain / URL
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  16 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process that produced them):
  3HJ7vwnq1k.exe
    dropped: C:\Users\user\AppData\...\setup_installer.exe, PE32
    setup_installer.exe
      dropped: C:\Users\user\AppData\...\setup_install.exe, PE32
      dropped: C:\Users\...\624248c2870d6_Mon23e0b3b0.exe, PE32
      dropped: C:\...\624248c03c802_Mon23cf6fc42c67.exe, PE32
      dropped: 16 other files (10 malicious)
      setup_install.exe
        signature: Adds a directory exclusion to Windows Defender
        cmd.exe
          624248c03c802_Mon23cf6fc42c67.exe
            network: 50.116.86.44 UNIFIEDLAYER-AS-1US United States
            network: 5.101.153.227 BEGET-ASRU Russian Federation
            dropped: C:\Users\user\AppData\Local\Temp\IGKIH.exe, PE32
            dropped: C:\Users\user\AppData\Local\Temp\H5J5H.exe, PE32
            dropped: C:\Users\user\AppData\Local\Temp\CMFDI.exe, PE32
            dropped: 3 other files (2 malicious)
            signature: Tries to detect sandboxes and other dynamic analysis tools (window names)
            signature: Creates HTML files with .exe extension (expired dropper behavior)
            signature: Machine Learning detection for dropped file
            signature: 2 other signatures
        cmd.exe
          6242487ebee69_Mon2360fbbe475.exe
            signature: Multi AV Scanner detection for dropped file
            signature: Detected unpacking (changes PE section rights)
            signature: Disables Windows Defender (via service or powershell)
            cmd.exe
              signature: Disables Windows Defender (via service or powershell)
              powershell.exe
        cmd.exe
          624248845c537_Mon23d60fef.exe
            signature: 3 other signatures
        11 other processes
          signature: Adds a directory exclusion to Windows Defender
          signature: Disables Windows Defender (via service or powershell)
          624248bae0b4f_Mon2315c1392c.exe
            network: 185.173.38.91 ECO-ASRU Russian Federation
            signature: Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
          624248bc6d13c_Mon235f07b88ae.exe
            network: 208.95.112.1 TUT-ASUS United States
            signature: Antivirus detection for dropped file
            signature: Tries to detect virtualization through RDTSC time measurements
          6242487fd82aa_Mon2391599e.exe
            network: 104.21.45.60 CLOUDFLARENETUS United States
            dropped: 71e483db-e320-40d2...7dae0821e701402.exe, PE32
          6 other processes
            dropped: C:\Users\...\62424882a2d43_Mon2366e91c07.tmp, PE32
            dropped: C:\Users\...\624248bf51749_Mon23fd163f29.tmp, PE32
            dropped: C:\Users\user\AppData\Local\...\wjZ~Mf~9.0s, PE32
            signature: Obfuscated command line found
            signature: Injects a PE file into a foreign processes
  svchost.exe
  svchost.exe
  2 other processes
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-03-29 15:10:25 UTC
File Type: PE (Exe)
Extracted files: 345
AV detection: 31 of 42 (73.81%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:smokeloader family:socelars aspackv2 backdoor discovery infostealer loader persistence spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files

SHA256 hash: af1ed8bc92f9ac26980e6ee5eb06a3cbaf1f0e90b55cf232979b3ae0c2cb521d
MD5 hash: d7eb5c5999dbf529fae1e968a5bc7d1f
SHA1 hash: a12a198153a73f97c259be4fef60fa907e950e60

SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash: 4f93004835598b36011104e6f25dbdba
SHA1 hash: 6cb45092356c54f68d26f959e4a05ce80ef28483

SHA256 hash: 6e2e07113b22f13e2fdfa9afc7ae91724572ca86b811f313ee7d4fe606a79ac1
MD5 hash: f5467867b1edb66916b925a44a9df9c0
SHA1 hash: ef73c89d6fac641565c1a4a948573852612d8038

SHA256 hash: 90c6c77e522e2c17eb1f69f1239d2ee9c5e563da71f77c7ec7ec02205cc5d42e
MD5 hash: 689d0d9be7aab0b05924b6486b841bbe
SHA1 hash: d0d5681894013e78d41b8a06fe53c902315449ea

SHA256 hash: efedb4cd487538c9ee537ca83a2986750d93faf0622121fb7dccbe0b49d3fd3c
MD5 hash: 937fa5bb3b8509532364f80f12e1750e
SHA1 hash: 9ca86458312a2a4f7ac8cef8cabd71f5945e81a7

SHA256 hash: e7b986e83695743148b32c102b9d9c6441cfc5e94330c213c2ec63f25b019502
MD5 hash: 2e160d453ea05ec68aac4d70250939e3
SHA1 hash: 88d27f9f9c1d7248682c53bcce0b950590ba8a17

SHA256 hash: 7391cb31c03713d6f193242c391a18b644f9cfc15e6bb6386a1751733e613714
MD5 hash: db0fe8608bc0631d225977768dce873d
SHA1 hash: 53798c406f25eaee3b30c0f455e85068ec6505ed

SHA256 hash: 1aeb217580540fad1efde800482b113165165520df2ac328a129e548d106283b
MD5 hash: 9c6d61bf8466b2bf17ff08fe02d6c61a
SHA1 hash: 38579ddb2da4bf83007e9bc1489e7fc5eeaf8564

SHA256 hash: 652fe1eb4d2423221ed6df459e9ea49352153bb337ad07efd5aab76e42120857
MD5 hash: 9fa07ee81c6b743ec509c8fb20fb2ac8
SHA1 hash: 37f5607313814b723dbf9035339a88318a793a1c

SHA256 hash: ecb7ab211623d182738d52b2bfa1ad5e7cd1eb5278726c34dc6fe93bacbc3608
MD5 hash: 15a5fbf81299b4f4768ef6b013b4a190
SHA1 hash: 3723af7a0ac6e4b797511989989eef5ccb796e89

SHA256 hash: 73e94baea88006a8a6bd14a0ddd0b6a21a28939e9576c7e5412b1c9971eb1175
MD5 hash: b7965338991c148c3288d8ed00f5ee69
SHA1 hash: 137fcaca2c2739f620c65109e3211901ea0a7c5a

SHA256 hash: 9e2310fd47d35e832659298351275ec7aa30034d41d3669d22344738ffc23256
MD5 hash: bf0e3b12f2997dc8963a7185da858ae1
SHA1 hash: 750dfeb4768878a2a70708f7852137b29f84afdc

SHA256 hash: 8fa4c5561af2789aa3465830e191a61dac86904878427c76e99e00a760d2eea4
MD5 hash: 58306bb1aca69aee4b2b225d96ef9375
SHA1 hash: 3ea8198510cfd4ed94b4e2e13862aff097a584fd

SHA256 hash: b06283f695d087d471e985d2ea73828205659bcf744ac557df111b0f8422eacd
MD5 hash: decb080615d9204476c55dfedd23a676
SHA1 hash: 79b781745975b4d759cc1fe07cee66e5521974eb

SHA256 hash: 1732b4f6a1a686738789d7812c3a957b957a23ea9add2c3f74ef50989bcc9d23
MD5 hash: ebf0a607f016511b889d82bbac72afd3
SHA1 hash: 8ca497e6470ca41926720e9d84775dc775ba71ad

SHA256 hash: 71246536beb20022d296b1367980e1b4b020de520f7751010017407e7c37a7a9
MD5 hash: f22e97ee022d10d925f67d3f7e802f16
SHA1 hash: 451b08d95a1f902160cbd54d03bb2997d6990de2

SHA256 hash: 1f068b5a915e32af7f25811141d2d5bc597789b765e6710f7e6321c385aeb496
MD5 hash: 615efedf58e62958c279c2e4d35a5efa
SHA1 hash: 8b3e23d79f0bda14c3abdc9b0e70876d7bb9d44e

SHA256 hash: 17eba5a8fc60b5e62fbbea29e971691988da98a98db3a2c2bf9aad00b1b72dc4
MD5 hash: e74d9b73743dfbb9f025a7908c85da37
SHA1 hash: 8a5b323b090cb0d2c4ff59f0ef520d323dd86097

SHA256 hash: ed57f703ebc1311091396f4af89378d15903b9adca78d87a37e18cc5070b348a
MD5 hash: 33ce9859a07ee327105ec315c70c2ccf
SHA1 hash: 5bf3626c318f298bcc28f1c37f0da067e32c0b29

SHA256 hash: 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a
MD5 hash: ac5ac3dc9105407cdcea292bbb1e2282
SHA1 hash: 91ba4cf7e046e1ec164ea4e7ac930daa8aefb1e6
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.
