MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 991d4dc612ff80ab2506510dba31531db995fe3f64318fbffd4e327d77b36c3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 991d4dc612ff80ab2506510dba31531db995fe3f64318fbffd4e327d77b36c3f
SHA3-384 hash: 9150dfc8e1be8cbd8de0925aa37f17b39ccfd42d5e599ee54c574f7f3f17b3ff0e2b789e24cf0f63e5eeba0d5d1f759a
SHA1 hash: 0daacd8bcc4867a67cfe9a08514de7ec1f56524e
MD5 hash: c359e494265926fee7567c9565c363dd
humanhash: sixteen-robert-mexico-johnny
File name:991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'606'844 bytes
First seen:2021-11-30 14:17:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:xkJVry+z0hva6aVEXeWzx9Y2lyGLn9dM3wRKfMaKIqRAIGYVoxue49dH:xk++z0hvaeXeWLYijjKkaKRLLWa9dH
TLSH T1267633256EE9C0A7E9A20536EE443BF826FFC7594F15CCE33B7884284F15423931A799
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
37.0.10.174:15466

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
37.0.10.174:15466 https://threatfox.abuse.ch/ioc/256402/

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe
Verdict:
No threats detected
Analysis date:
2021-11-30 14:30:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9cbddd81-4421-4ecc-9bca-45408258f901

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/209947/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Tiny-9901377-0
Create hunting rule

Win.Packed.Socelars-9901323-1
Create hunting rule

Win.Packed.Socelars-9901373-1
Create hunting rule

Win.Packed.Socelars-9901382-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61a6329deffcae2254f59209/reports/b6940830-df2b-4d23-981e-84738d2858af/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/02e42cbb-ffd3-4b51-9c16-fe9a1090913b
Result
Threat name:
Cookie Stealer RedLine SmokeLoader Socel
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/898724
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 531199 Sample: 991D4DC612FF80AB2506510DBA3... Startdate: 30/11/2021 Architecture: WINDOWS Score: 100 71 208.95.112.1 TUT-ASUS United States 2->71 73 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->73 75 5 other IPs or domains 2->75 91 Multi AV Scanner detection for domain / URL 2->91 93 Antivirus detection for URL or domain 2->93 95 Antivirus detection for dropped file 2->95 97 22 other signatures 2->97 10 991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe 21 2->10         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\setup_install.exe, PE32 10->45 dropped 47 C:\Users\user\AppData\...\Fri14fd46b68bd.exe, PE32+ 10->47 dropped 49 C:\Users\user\...\Fri14e5a04914b596.exe, PE32 10->49 dropped 51 16 other files (10 malicious) 10->51 dropped 13 setup_install.exe 1 10->13         started        process6 signatures7 127 Adds a directory exclusion to Windows Defender 13->127 16 cmd.exe 13->16         started        18 cmd.exe 1 13->18         started        20 cmd.exe 1 13->20         started        22 8 other processes 13->22 process8 signatures9 25 Fri144fc72ae8ff3.exe 16->25         started        30 Fri14cd6206e935a5.exe 18->30         started        32 Fri146b97e676608e.exe 20->32         started        99 Adds a directory exclusion to Windows Defender 22->99 34 Fri1477cbb75ea13f.exe 2 22->34         started        36 Fri1486dbd994.exe 2 22->36         started        38 Fri14cceb42198d72.exe 22->38         started        40 3 other processes 22->40 process10 dnsIp11 77 163.181.57.228 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 25->77 79 212.193.30.29 SPD-NETTR Russian Federation 25->79 87 14 other IPs or domains 25->87 53 C:\Users\...\UwMgG6AMo7qjx0lsEMhxVzHT.exe, PE32 25->53 dropped 55 C:\Users\user\AppData\...\toolspab2[1].exe, PE32 25->55 dropped 57 C:\Users\user\AppData\...\rrghost2[1].exe, PE32 25->57 dropped 63 49 other files (12 malicious) 25->63 dropped 101 Antivirus detection for dropped file 25->101 103 Creates HTML files with .exe extension (expired dropper behavior) 25->103 105 Machine Learning detection for dropped file 25->105 121 2 other signatures 25->121 81 91.121.67.60 OVHFR France 30->81 107 Detected unpacking (changes PE section rights) 30->107 109 Query firmware table information (likely to detect VMs) 30->109 111 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->111 123 2 other signatures 30->123 113 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 32->113 125 2 other signatures 32->125 115 Injects a PE file into a foreign processes 34->115 59 C:\Users\user\AppData\...\Fri1486dbd994.tmp, PE32 36->59 dropped 117 Obfuscated command line found 36->117 42 Fri1486dbd994.tmp 36->42         started        83 104.21.85.99 CLOUDFLARENETUS United States 38->83 61 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 38->61 dropped 119 Creates processes via WMI 38->119 85 8.8.8.8 GOOGLEUS United States 40->85 89 2 other IPs or domains 40->89 file12 signatures13 process14 file15 65 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 42->65 dropped 67 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 42->67 dropped 69 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->69 dropped
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/991d4dc612ff80ab2506510dba31531db995fe3f64318fbffd4e327d77b36c3f/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 02:48:54 UTC
File Type:
PE (Exe)
Extracted files:
413
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=teou3rqs76akwjigkeg3umktdw4zl7r7mqyy7p75jyzh255tnq7q._file
Verdict:
malicious
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars botnet:ani botnet:fe1f102f3334068962b64125bcb00816dba46087 botnet:jamesfuck aspackv2 backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/211130-rmav1sacg9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
65.108.20.195:6774
45.142.215.47:27643
Unpacked files
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
9dcf478e78a1ab8f8ea35f853bce86c198e1f2e08e4121079e3b6f13055455c3
MD5 hash:
0272d1265e6a0ebe9dc2af58b9005b7f
SHA1 hash:
98efa29fdc8a73acde9064348761d87ccedf8cfc
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
MD5 hash:
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1 hash:
eb9a4185ddf39c48c6731bf7fedcba4592c67994
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
70f246fd61a27a4e2ffde2357e6c8ebe554a79811a35e7141f747090d05ff7e1
MD5 hash:
51b73b4d3041eb2d32a29dca61059549
SHA1 hash:
9845a8e5716e5e16ffc33ceccae9abf52872a2b5
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
084b69db467568f37bf702d96427506ddf8d21c103f77acedc12cb481c328adc
MD5 hash:
6c68b41adeb8206d6fa0558d1eec565b
SHA1 hash:
928994fcbd01cb08ed04139d6a55856e761affa0
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
655979cb929aec2baa28806f523bd9f8311092cbdf22c04122f5bf91beb3adc3
MD5 hash:
c68dcf1b3ac869a354526de6b0312296
SHA1 hash:
78a559d04afcd6e985e69f3a6c4ca038864a3629
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
d1b9c71f3299e9c6824f47485a1d142a4ca61608b174949bfdc6aa12dcf2fcf1
MD5 hash:
ee38d051cf471c05645517f6b90745d4
SHA1 hash:
66b639304cfe3a3a90ec860348587b1a8789e408
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
162eea41fce8685027d4c02642ea772b5505afa58107b0637062b9893b07804a
MD5 hash:
f324ab2101d56fd9aaf7e16845ff05da
SHA1 hash:
1a99c5939e5b4c041848e29b9e06d8f4dd5bcd66
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
078b80b059f5db99874557c13a13f9916674fef20eaac89337cb9f14ee97405e
MD5 hash:
a8bc5553733d6e68753d63747eed87d6
SHA1 hash:
f9210ad415b8d1a0c4a88b62ff6f05d0128df05e
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
9253c070a4a5ce357909556505b49ccd25b5a21789064621393a61df2dbfc515
MD5 hash:
1b0354c000633a8862638f65a19442dc
SHA1 hash:
ea04a876808c63b899895383d5dfe9c026a36853
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
d5896f8d00c6688b5b2a6f84d8ae3f3d1e136512624cb96054ca0db51af53dff
MD5 hash:
6e1cf5a21e2cbfab1a3fad4e5ff360c2
SHA1 hash:
c37f14af2efba855033d2221bbec13d436427ccd
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
029156b4b7c2cc44e208cb938428be88c7cbc436772529457d5faab670edae69
MD5 hash:
c1bda74cc887ee28cc8ee8b26c529c58
SHA1 hash:
8f75de863edefa0973bb1a84de7a13a1f3133e16
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
c5192ac2d63e816cd30ab28605f5de2c35ecce78fb1ed9f6047902e5b8c16768
MD5 hash:
0649061773136b746e5ef9b175bcdec9
SHA1 hash:
57f99ca4b1eab1629c4fe7d5ccb66e1d85bc6c3b
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
d5dc2449c08943f2330eaacb6e21431e68bbbd8227b2a148db945bfe1a1eff5f
MD5 hash:
f0fc79dca3c195a0f4c91a6a40b188d4
SHA1 hash:
217292e15262326a7baa8c5c32f84efb2b76390c
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
ee9eeefda4b46bca25a5d069909171c4b05dd8ff9c5194dc550e563c8f95dc9b
MD5 hash:
79fcabe2008d0bfc8db0937519f3046b
SHA1 hash:
75b0735436610becec37df54483f10e2147ea6eb
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
SH256 hash:
991d4dc612ff80ab2506510dba31531db995fe3f64318fbffd4e327d77b36c3f
MD5 hash:
c359e494265926fee7567c9565c363dd
SHA1 hash:
0daacd8bcc4867a67cfe9a08514de7ec1f56524e
Link:
https://www.unpac.me/results/04f0ce71-7a7a-440a-b3c1-6af66430a69a/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/991d4dc612ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/991d4dc612ff80ab2506510dba31531db995fe3f64318fbffd4e327d77b36c3f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/209947/

Comments