MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 99127e15abbe4b00cf7693d0a8d58773fc1e50d6da3d14d39b350f2ce9c26d7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 12
| SHA256 hash: | 99127e15abbe4b00cf7693d0a8d58773fc1e50d6da3d14d39b350f2ce9c26d7b |
|---|---|
| SHA3-384 hash: | d4c3dbb678546470efed001ad97934a985c1f39941d668eb9928a451b3e6ab179ab083eaed5b5aea59e60e3eb35b64b7 |
| SHA1 hash: | 76c9f895717c3a6e1f27973a619e7cd9317c0d35 |
| MD5 hash: | b82ac9242ac7f4b08b9a8f2b5a186994 |
| humanhash: | sad-kitten-fillet-pizza |
| File name: | b82ac9242ac7f4b08b9a8f2b5a186994.exe |
| Signature | RedLineStealer |
| File size: | 7'027'056 bytes |
| First seen: | 2021-12-18 17:37:00 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox) |
| ssdeep | 196608:J1pCZrl972PioltY6MIX3SSrXE7G+VX+expRqpqS49DH8:JHCZrluicJ2SrIG+VXDxOpqS4Z8 |
| Threatray | 819 similar samples on MalwareBazaar |
| TLSH | T1376633BD9664EC45CB71A4332D76E487FC822E3602CC6C0D6369BFFD5A536C8D812662 |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Tags: | exe RedLineStealer |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 45.9.20.247:11452 | https://threatfox.abuse.ch/ioc/277407/ |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 241 |
| Origin country: | n/a |
Vendor Threat Intelligence
Result
Verdict:
Malware
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
75%
Tags:
overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Verdict:
Malicious
Result
Threat name:
Cookie Stealer RedLine SmokeLoader Socel
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Disables Windows Defender (via service or powershell)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Threat name:
Win32.Trojan.Smokeloader
Status:
Malicious
First seen:
2021-12-16 15:47:21 UTC
File Type:
PE (Exe)
Extracted files:
1209
AV detection:
22 of 28 (78.57%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 809 additional samples on MalwareBazaar
Result
Malware family:
socelars
Score:
10/10
Tags:
family:redline family:smokeloader family:socelars botnet:media0711 aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.hhgenice.top/
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
91.121.67.60:23325
Unpacked files
| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| f0ab0913dee4e613213c5623684c015bcac987596b2d7ed108894491524ac058 | f8680b73874909215251aa7748820d49 | 7a7a96b58917a4194a65ef4be1f5bfa5bd4dda23 |
| 4b5f35a8e69d6fdc6bc69dea86caa2ced5d74bcc22067d33c5fbacca237ca8d8 | 63c934c37102c8cf670aa84d18f33591 | 93036bfc13d361d2ea61798574a9910abded640b |
| 382dc91dfdf466b6335b4c1c51ac8166cdb7b0a1b1f89c38579f04aafbf54e6c | 19bfee1e23f5ce8adb83a0fee1eb6489 | c0e955dc5bd431669ffa0aa85adfd490c957138d |
| 2b714df4fcc1be8a29d2778a0e88744a090b41a17462ab2b2339a4bef5893020 | 4362b522e7b97357888de6e5d68d4148 | fc09fc8cfd96806a0a168bfe5e8baa5b5cc4c372 |
| e6cdba660d5f171d9dda44f91956b4c0992705f4921cf4714c54e066c598178d | ae86519c8af5678937a72431fbb83a43 | e08795f31250677e92bd43ca93f98d0884693ac8 |
| 41e3a2fc623255bf0242d98b5ec250e936bffbd2f5088699a450ef3079cb8107 | 2ed7bbac4969a0fe0466893cc12c7f51 | db8d430d28ab9a207fb9413b2a4ebb5ca182d4b2 |
| c602ccaa6d7d635a3c42d11419880e83f2f1c5b8349f50c2ebc1189a23f0a580 | c32f8cc5fe24552e4cbb55c6434edc35 | d97c55376e0623d097775b834b4837b84c4fec2e |
| 38b316fbeb9d86e79f005af2638bbc202ecd487c75f5abe8022fad313b81049b | f1bb77ec872cc9eff756e2c53f539b16 | ccd050e0d5081469f93930b9ea15e3f919b412f0 |
| 58adaa3c0f9eabbd6a6599758394667b4381fb19bac437de41f17d22469de8a8 | b0465c432f768d948198115c1613d161 | ac96d465f1756e8a041eb5f2b0fd299c50499f6c |
| 90aa3166e41d12d647e5f66fcad42fe6f3eb409043d52eb68b5c5aca9683f20e | c4f3d204e51dbe42909ed04ded4b0c45 | 769a89436863768913d0f7827c635f7c9951ba64 |
| c0219617eebc0f5682fbdc289821f73919d1c3980d9e5e4ca0c22b570087d790 | d2d2c54cf3c3c3ad390fbb31d47b0be0 | 6d16e1edd8cb3a90086b3987938d833b7b282689 |
| 0d062544c685e35062ca3f2ba42fcf0642d1715a47e7e25d88eb071e640efdd4 | bb836c048e262f2d1ede7b13ccb6fcc1 | 6637e70fe9052e8bf87c449498f805a60773c59a |
| 4fcc3a09cc2dcc9e8da16fdfe29804fe30291ead04cca7e439b015e54e7f6bf9 | 6249f2899ad8c80c881bd70adac7b932 | 62722837212bcf4887864b7bfb511df390c3e359 |
| 7692234da928b9032b4f3c103ea883db82b6cb93bf28d8b6f8ec953338f8a6ea | 56a20b20e51dd1bda839eac8f7607695 | 4cb7c37c4bc8251bf4de272463a814bf21ee731b |
| dca10dd39bdbd5e186f1832d008129a4f4c3d58dff50a245229b6158ddc795e4 | 774493be9d05619ca0652727adff6a59 | 3aac42ff97ed510693377b6d4d6c0e99e0a8f551 |
| 04ffeee0976f40df8da39d6a0a9c7149d30851f6c1457ffebd6d83f30f60cd9b | b1a2ed96aa5c8435f4f0f268b70b2736 | 241c740bb6c53f9b183c35e70190a3c5fd3a073f |
| 164733d12323acf4c7e03df4710679808cdbd0394908ed180d5783b528c3b40c | a410efd535dc3bf31353fea6c21f57c5 | 6fbef6ff3d8beb50e67b9789cf6b8dc967d1a45c |
| e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963 | f707252b9c9579677fffb013e0cfc646 | 8ab483023fa8773afb8c13464c39c5b8e687f126 |
| 88b2d8a7fbf025987947226c9d6d72c72f93bdc182d05857893027289059ef09 | 3addf1aab7f2237dd61b6857f2832c9c | 2e9f422f0717ca2e8fd9d0b4fff720dcd367e2c4 |
| 0f878de6a6dd16bf8c4bcc1fb04696ed92701e673a2236957771a119571d6188 | 176201a16e50f3133a848133a533d3a1 | ff2f5781757ec6fb2e1b8e1dcb72f9199caab04d |
| 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052 | 6449aa2e023c5931ac91815ca54225ed | 65b5f4df2c28472469ddf924e6b0d0a61394c612 |
| 8d1439012d913009fcc1dc5a580d68d95264cddb941ee977dd48803d91c098ef | 0137e982438623ee737f756300e928f2 | 1fb5df11cd165614a106b85a41fc7adb5ae53a5b |
| 971167a19b9a743b77bc212c6c67c6a6c7ddfe7e84f83f67cf6d035057992097 | b4a83786df472e0f095ff6f5cf8c7334 | bc20e4c2b858bcf0748b9e4ef30d0822717924ad |
| 392606cc126ff8b2cf40cedcee2d9bdce597e677a15a11c2378a59dd7b0ae1e0 | ba66ed75e56108249ecfe88257fef360 | ca88c64fa49211fa0cdd597b654c3504ad729bcb |
| 5f25ace249f5b2ed4812f9473ddf198baee44c30b42b23b38fc948d3e94b4231 | 24589ac1c9dfaaad7e3149f5ddab485e | 01b4e1609bd283f1c71a877e4858caada0d2a8ad |
| 276d62b562fb3b513150aa4e6d53176742be185cc0864e868e56041914d06ac5 | 43aeb5e049f410ec6f8fe491af755ce5 | 08bb09fe8ba842d54c3cc001f66996486fe7adc4 |
| 0beb1a5674d182c447540e554e327d8f658c1b08c73287066c0a0bab7dbcf338 | f4f2ac09b11b82da2841816a177b73b2 | a7ca45badd727c43ac5dc1d72ec3d22ebd6d447d |
| 99127e15abbe4b00cf7693d0a8d58773fc1e50d6da3d14d39b350f2ce9c26d7b | b82ac9242ac7f4b08b9a8f2b5a186994 | 76c9f895717c3a6e1f27973a619e7cd9317c0d35 |
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.