MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dfc2b987cfac7d4b2dc842bef5d9680724a0d8a65bef2ef175ad2e5672e429b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: 9dfc2b987cfac7d4b2dc842bef5d9680724a0d8a65bef2ef175ad2e5672e429b
SHA3-384 hash: 21206be08f78c28255b221cc3a49f7c5564c3465f00c35bb31495a07d4cf3a5a86005996588b86b8658e6d2e86175cd8
SHA1 hash: 4965f08f4c2013bf1e42c07cc1e10dc4e1d3280a
MD5 hash: a53d50df7fd45816d60dae9008440e5a
humanhash: five-ink-lima-vegan
File name: a53d50df7fd45816d60dae9008440e5a.exe
Signature: RedLineStealer
File size: 12'545'173 bytes
First seen: 2022-08-23 12:25:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ab9ff6e4872ea2766a5f5c6af5649e9d (20 x CryptOne, 13 x RedLineStealer, 6 x RecordBreaker)
ssdeep: 196608:cJPNkpvG050OTEK3WaCA/poracPhgviuif28YHr1DGBPrcQcOODq/Os2W2a8l2pa:myP5LTE9cprcPhIa2nrgQQcLDq/OPYpa
TLSH: T134C633A2B962BF32DC964738765BC67C4438AEE30229B276D2F13D033B6444186775B7
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: b2a88e86ccccb270 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


Comment by abuse_ch:
RedLineStealer C2:
http://135.181.104.248/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                       ThreatFox Reference
http://135.181.104.248/   https://threatfox.abuse.ch/ioc/844709/
http://88.119.169.27/     https://threatfox.abuse.ch/ioc/844803/

Intelligence


File Origin
# of uploads: 1
# of downloads: 302
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a53d50df7fd45816d60dae9008440e5a.exe
Verdict: Malicious activity
Analysis date: 2022-08-23 12:26:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a file in the Program Files subdirectories
Changing a file
Sending a UDP request
Reading critical registry keys
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS

Result
Threat name: Nitol, Raccoon Stealer v2, RedLine, Soce
Detection: malicious
Classification: bank.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates files with lurking names (e.g. Crack.exe)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected VMProtect packer
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Searches for specific processes (likely to inject)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nitol
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph (ID 688779). Sample: RSg2UWbVWV.exe. Start date: 23/08/2022. Architecture: WINDOWS. Score: 100.
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 15 other signatures.

Process tree recovered from the graph (node numbers in brackets as in the graph; "dropped" = file written, "started" = child process, "injected" = process injected into, "network" = contacted address):
  [8] RSg2UWbVWV.exe (started)
    dropped: C:\Users\user\AppData\...\mp3studios_10.exe (PE32); C:\Users\user\...\iuoytshdgasfcsae.c.exe (PE32); C:\Users\user\AppData\Local\Temp\...\file.exe (PE32); 4 other malicious files
    signatures: Contains functionality to inject threads in other processes; Creates files with lurking names (e.g. Crack.exe); Searches for specific processes (likely to inject)
    [16] file.exe (started)
      network: 185.175.200.64 ASTRALUSNL Netherlands
      dropped: C:\Users\user\AppData\Roaming\00004823..exe (PE32); C:\Users\user\AppData\Roaming\00000029..exe (PE32); C:\Users\user\AppData\Local\...\fw3[1].exe (PE32); C:\Users\user\AppData\Local\...\fw4[1].exe (PE32)
      signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
      [29] 00004823..exe (started)
        dropped: C:\Users\user\AppData\...\aUCtRkgXVMQw0U.exe (PE32)
        signatures: Antivirus detection for dropped file; Drops PE files to the startup folder; Writes to foreign memory regions; 3 other signatures
        [50] oIzymHMAHkvik.exe (injected)
      [33] 00000029..exe (started)
        network: 87.251.77.179 HOSTKEY-ASNL Russian Federation
        signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      [36] cmd.exe (started)
        signatures: Uses ping.exe to check the status of other devices and networks
        [52] PING.EXE (started)
          network: 127.0.0.1 unknown unknown
        [55] conhost.exe (started)
    [21] Crym1.exe (started)
      dropped: C:\Users\user\AppData\Local\Temp\L123.exe (PE32); C:\Users\user\AppData\Local\Temp\Crym.exe (PE32)
      [38] Crym.exe (started)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        [57] Crym.exe (started)
          network: 15.235.171.56 HP-INTERNET-ASUS United States
          signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      [40] L123.exe (started)
        network: 148.251.234.83 HETZNER-ASDE Germany
        signatures: Creates HTML files with .exe extension (expired dropper behavior)
        [60] WerFault.exe (started)
          network: 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
    [23] iuoytshdgasfcsae.c.exe (started)
      network: 89.185.85.53 OLIMP-SVYAZ-ASRU Russian Federation; 5.252.177.92 MIVOCLOUDMD Moldova Republic of; 185.143.223.52 INFORMTECH-ASRU Russian Federation
      dropped: C:\Users\user\AppData\Roaming\p9stuKj5.exe (PE32+); C:\Users\user\AppData\Roaming\gJXWtDL6.exe (PE32); 7 other files (none is malicious)
      signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc); 4 other signatures
    [27] 2 other processes
      network: 149.28.253.196 AS-CHOOPAUS United States
      signatures: Creates processes via WMI
      [44] Crack.exe (started)
        network: 8.8.8.8 GOOGLEUS United States; 104.21.40.196 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown
        dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
        [65] conhost.exe (started)
      [48] 2 other processes
  [12] rundll32.exe (started)
    [25] rundll32.exe (started)
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      [42] svchost.exe (injected)
        signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
        [62] svchost.exe (started)
          network: 208.95.112.1 TUT-ASUS United States; 34.64.183.91 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States; 104.21.34.132 CLOUDFLARENETUS United States
          dropped: C:\Users\user\AppData\Local\...\Cookies.db (SQLite); C:\Users\user\AppData\Local\...\Login Data.db (SQLite)
          signatures: Query firmware table information (likely to detect VMs); Installs new ROOT certificates; Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
      [46] 6 other processes
  [14] aUCtRkgXVMQw0U.exe (started)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2022-08-20 03:33:34 UTC
File Type: PE (Exe)
Extracted files: 57
AV detection: 24 of 26 (92.31%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:socelars botnet:5 botnet:crym botnet:nam3 discovery infostealer persistence spyware stealer vmprotect
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Process spawned unexpected child process
RedLine
RedLine payload
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://hueduy.s3.eu-west-1.amazonaws.com/nbsdg818/
15.235.171.56:30730
103.89.90.61:34589
176.113.115.146:9582
Unpacked files
SHA256 hash: e245c4a7d41e095b5c5136a89e698bd11e452594d864e250607cff2b2efadbab
MD5 hash: 6c991f5490cd23d8df31d89864395b21
SHA1 hash: a6e3fde5d6f72fce36c5a8955a6025d92efb4356

SHA256 hash: 5808184b2cc0cdfbcbc800e48ec643ff8ddcc0580de79192c0339e6d290c52a1
MD5 hash: e7f2558b3898b852875c01fe97ba1a71
SHA1 hash: 2d3101412278826a0c02b5cad5fdf5a5768daef2

SHA256 hash: c6a661321a5bb59da4c32da86141452edbe3e675c64dc83d0ccb17fe9d3f1576
MD5 hash: a23196109926b0d52f100e36ba5e8095
SHA1 hash: f066fc4d823c902f3f6efa7b32143ef2295cc4f5

SHA256 hash: e9357f1183c29fb059e820418c518e103a9dd9ebc3280deadcf6641cd7b242b2
MD5 hash: 56bd2ddcee32d72e62a9ad0d7363e3c1
SHA1 hash: 0ddfcbda9a60ede8c352503d3521099a1dd7f7fb

SHA256 hash: 2b9353b0dca7434ff989d580d7e1292d121d7e427802fe2b6df18b7be0563484
MD5 hash: d232815aa820253f887673e13f21f34f
SHA1 hash: cca3cc1a933a258f08ebed7583dbb5b8d913ddc0

SHA256 hash: 282e60a8cf310b696c982a28c9e8f633d96bf93eec67f0a7d7fac3e26ed72300
MD5 hash: 917ee4eaab7ddfa9464c8c9678447673
SHA1 hash: 7bff367dc2d3ac97107fee5ab9e93137cd9c6358

SHA256 hash: e1ac9c55c8498a1478f18fa4df90f38be941d12bf8bbaf898b14f4fdcdff2f37
MD5 hash: 0229f42fc4818f844042d93fa4c80170
SHA1 hash: ea62d01403f548092613c2e9e46ae4dae1541cb0

SHA256 hash: 9dfc2b987cfac7d4b2dc842bef5d9680724a0d8a65bef2ef175ad2e5672e429b
MD5 hash: a53d50df7fd45816d60dae9008440e5a
SHA1 hash: 4965f08f4c2013bf1e42c07cc1e10dc4e1d3280a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments