MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
SHA3-384 hash: 92107bb0983146dda966a92d06de67b7be718ac537f6c58bd8a4436241ec1037881687440c8261de0f31da97d555d23c
SHA1 hash: f0c4606916e2f9f1eb179e973f15c0d4abb22581
MD5 hash: 2cce5533ec8f52ac272dee02e36c3260
humanhash: floor-autumn-queen-sink
File name:96F34985E744EDAE462B513FD68856056C135078302D8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'996'342 bytes
First seen:2021-10-28 17:41:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBCEwJ84vLRaBtIl9mVzHYjlJ/a7RwauPEi3kNE0d5tzKaZyw:xYCvLUBsgT8raZdNHzNZyw
TLSH T1F49523417DC6C8FBDA469030CA4C2B7466BAC3580B320CE7B7D4962C5F6D9A8D21F95B
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.49:29659

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.49:29659 https://threatfox.abuse.ch/ioc/239240/

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLInjector04
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201017/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2725e397-1915-49a6-85ec-fcdf9727c63f
Result
Threat name:
AveMaria FormBook RedLine SmokeLoader So
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878789
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Drops script at startup location
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AveMaria stealer
Yara detected FormBook
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UACMe UAC Bypass tool
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511223 Sample: 96F34985E744EDAE462B513FD68... Startdate: 28/10/2021 Architecture: WINDOWS Score: 100 114 88.99.75.82 HETZNER-ASDE Germany 2->114 170 Malicious sample detected (through community Yara rule) 2->170 172 Antivirus detection for URL or domain 2->172 174 Antivirus detection for dropped file 2->174 176 20 other signatures 2->176 11 96F34985E744EDAE462B513FD68856056C135078302D8.exe 8 2->11         started        14 husettc 2->14         started        signatures3 process4 file5 78 C:\Users\user\AppData\...\setup_install.exe, PE32 11->78 dropped 80 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 11->80 dropped 82 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 11->82 dropped 84 3 other files (none is malicious) 11->84 dropped 17 setup_install.exe 8 11->17         started        178 Detected unpacking (changes PE section rights) 14->178 180 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->180 182 Maps a DLL or memory area into another process 14->182 184 2 other signatures 14->184 signatures6 process7 dnsIp8 112 127.0.0.1 unknown unknown 17->112 70 C:\Users\user\AppData\...\e3cc86d5adae521.exe, PE32 17->70 dropped 72 C:\Users\user\AppData\...\788074178a2.exe, PE32 17->72 dropped 74 C:\Users\user\AppData\...\3adf8a1dd5.exe, PE32 17->74 dropped 76 4 other files (1 malicious) 17->76 dropped 21 cmd.exe 1 17->21         started        23 cmd.exe 1 17->23         started        25 cmd.exe 1 17->25         started        27 7 other processes 17->27 file9 process10 dnsIp11 30 788074178a2.exe 4 61 21->30         started        35 3adf8a1dd5.exe 23->35         started        37 1cfb31c117e4.exe 12 25->37         started        124 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->124 39 e3cc86d5adae521.exe 15 3 27->39         started        41 bcc130ef83.exe 27->41         started        43 2e81c5b534319006.exe 27->43         started        45 332e1afd1b67.exe 27->45         started        process12 dnsIp13 126 45.142.182.152 XSSERVERNL Germany 30->126 128 37.0.11.8 WKD-ASIE Netherlands 30->128 134 12 other IPs or domains 30->134 86 C:\Users\...\nes4rEsFg7GuyS21WCOSrB7I.exe, PE32 30->86 dropped 88 C:\Users\...\cyZuQYiT5NpU3I5E7oO_xjBP.exe, PE32 30->88 dropped 90 C:\Users\...\9T8d_7_fHEvi3cxnSWqBSd35.exe, PE32 30->90 dropped 92 30 other files (12 malicious) 30->92 dropped 140 Creates HTML files with .exe extension (expired dropper behavior) 30->140 142 Tries to harvest and steal browser information (history, passwords, etc) 30->142 144 Disable Windows Defender real time protection (registry) 30->144 47 nes4rEsFg7GuyS21WCOSrB7I.exe 30->47         started        51 9T8d_7_fHEvi3cxnSWqBSd35.exe 30->51         started        54 K2R_hx6BldoDvdmnW1jTdab5.exe 30->54         started        64 7 other processes 30->64 146 Detected unpacking (changes PE section rights) 35->146 148 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 35->148 150 Maps a DLL or memory area into another process 35->150 158 2 other signatures 35->158 56 explorer.exe 35->56 injected 136 2 other IPs or domains 37->136 152 Antivirus detection for dropped file 37->152 154 Machine Learning detection for dropped file 37->154 58 WerFault.exe 37->58         started        130 88.99.66.31 HETZNER-ASDE Germany 39->130 156 Detected unpacking (overwrites its own PE header) 39->156 138 2 other IPs or domains 41->138 60 WerFault.exe 41->60         started        62 2e81c5b534319006.exe 43->62         started        132 162.159.135.233 CLOUDFLARENETUS United States 45->132 file14 signatures15 process16 dnsIp17 94 C:\ProgramData\images.exe, PE32 47->94 dropped 108 3 other malicious files 47->108 dropped 160 Creates files in alternative data streams (ADS) 47->160 162 Adds a directory exclusion to Windows Defender 47->162 164 Increases the number of concurrent connection per server for Internet Explorer 47->164 116 149.154.167.99 TELEGRAMRU United Kingdom 51->116 118 45.133.1.182 DEDIPATH-LLCUS Netherlands 51->118 96 C:\Users\...\s_DxhjdaehswQJcyDVSh3r3w.exe, PE32 51->96 dropped 98 C:\Users\user\AppData\...\Cube_WW14[1].bmp, PE32 51->98 dropped 100 C:\...\PowerControl_Svc.exe, PE32 51->100 dropped 102 C:\ProgramData\4086776.exe, PE32 54->102 dropped 104 C:\ProgramData\3459266.exe, PE32 54->104 dropped 106 C:\Users\user\AppData\Roaming\husettc, PE32 56->106 dropped 166 Benign windows process drops PE files 56->166 168 Hides that the sample has been downloaded from the Internet (zone.identifier) 56->168 120 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 60->120 66 conhost.exe 62->66         started        122 149.28.253.196 AS-CHOOPAUS United States 64->122 110 2 other files (none is malicious) 64->110 dropped 68 TzifqCnosy2__WKqjLR3koYu.exe 64->68         started        file18 signatures19 process20
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-24 11:49:03 UTC
AV detection:
27 of 44 (61.36%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s3zutbphitw24rrlke75nccwavwbgudygawye7vma5trplhymyxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar family:warzonerat family:xloader botnet:113 botnet:706 botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 botnet:937 botnet:easycrypt campaign:s0iw aspackv2 backdoor evasion infostealer loader rat spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211028-v9zz7sggdn/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Gathers network information
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Warzone RAT Payload
Xloader Payload
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
WarzoneRat, AveMaria
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://xacokuo8.top/
http://hajezey1.top/
https://mas.to/@lilocc
http://www.kyiejenner.com/s0iw/
91.243.32.4:4249
135.181.79.37:52491
154.209.249.131:5200
Unpacked files
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
730782c0a967f258e130f12b9ba25a3e582b0bc93b35a122b6b573d45b21adce
MD5 hash:
62fe79781226f327524de7b23525e1c7
SHA1 hash:
20b7a997ea9627320c687d6975ba2c5a6550365f
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
91ef165ad61d09dfda345f827b8ff78a18a3e40d8e12454cdb494d1555af7656
MD5 hash:
a6b572db00b94224d6637341961654cb
SHA1 hash:
9f0dbcce0496fede379ce4ecbfc2aa2afbb8ee8c
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
6f8a7657b62f79b148d6b930641ef70eb0d8bc909377439819a0db601ca1c0d8
MD5 hash:
5f6f8e5a5e6ba53f8f785b575573451d
SHA1 hash:
97b99adefc3ecca6be60c882b563853091f586ef
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
0dba3fe5275b6a17b44b07baf6f717f908776000ddf62098c712ef89a577f12a
MD5 hash:
1a280feb9ab6b8f0d264fbdfcade9325
SHA1 hash:
669a25d48aa0cc91abeb37f08ae012defeb3fc20
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash:
3263859df4866bf393d46f06f331a08f
SHA1 hash:
5b4665de13c9727a502f4d11afb800b075929d6c
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
6fbd2fcf93bf4a086f9b3391a1effe93b2e4a93a36696a26154bbdd9f53c0a1b
MD5 hash:
601a544e2b685566d56fa8d4c5a34a57
SHA1 hash:
7ac610d9f083de44180981dfaa4831a76886d9ca
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
e484c53c495b1a293267ea144dd644a331e1c82384bd903eaa7aecc2ade2dd49
MD5 hash:
898dbc2a19a4e36398bbc772d89aefd3
SHA1 hash:
47120fc7f60a7e1b2d3207d1137ff5703fa43730
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
MD5 hash:
5b8639f453da7c204942d918b40181de
SHA1 hash:
2daed225238a9b1fe2359133e6d8e7e85e7d6995
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
62925040c55fdf0caf0b228a17a06abd86826b1be6a185c5c61c74c6de62d01c
MD5 hash:
0388bc623ea0e83f5ded9bfd07c14d20
SHA1 hash:
2b695437f49dd433a99f39433a2c0b975b4ad2cf
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
f6706262cced6412c3aa1355bd726a299df882341c04aa093377b4a9a5155bf2
MD5 hash:
97c3bbcd722ca198770825d03694dfde
SHA1 hash:
c4a21ad0ab828d72771fd4c04712db345ae6eaf2
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
SH256 hash:
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
MD5 hash:
2cce5533ec8f52ac272dee02e36c3260
SHA1 hash:
f0c4606916e2f9f1eb179e973f15c0d4abb22581
Link:
https://www.unpac.me/results/0a859fe7-6cfb-4306-8bb6-3610d7a39c70/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/96f34985e744/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/201017/

Comments