MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2828152f3c0680f7ebd899f380245a240c8677d00f0c9b89a611499d55b3c25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 10

SHA256 hash: a2828152f3c0680f7ebd899f380245a240c8677d00f0c9b89a611499d55b3c25
SHA3-384 hash: 1b6c6801abd6db6831a2b4d7cec87665ed8a49cc84d5f174fd7457e275e885f9e7ebecaca9ac226c71fe3dd494b0cdf6
SHA1 hash: 262b821dbd748392bf06aba343fad7d6463f98b5
MD5 hash: a2ac23fdb07e08a0a24e076a6e441b16
humanhash: oregon-arizona-beer-triple
File name: a2ac23fdb07e08a0a24e076a6e441b16.exe
Signature: RedLineStealer
File size: 15'808'116 bytes
First seen: 2021-12-13 04:35:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 393216:JMHv7V8YHbyqGZP7+4LBTcfGL6awfW34bXCMLQ1Kp0Tk:JMqqYR9TDL6aJAXCMs1c0g
Threatray: 799 similar samples on MalwareBazaar
TLSH: T121F63376E818DB85C453C97B3A6A3FC58DADC3690F170B05DF89C74CD6802AADD86E84
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.9.20.79:11452

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
45.9.20.79:11452       https://threatfox.abuse.ch/ioc/274680/
89.223.69.92:9295      https://threatfox.abuse.ch/ioc/275401/
185.215.113.29:34865   https://threatfox.abuse.ch/ioc/275409/
91.206.14.151:5706     https://threatfox.abuse.ch/ioc/275410/

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a2ac23fdb07e08a0a24e076a6e441b16.exe
Verdict:
No threats detected
Analysis date:
2021-12-13 04:36:34 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Searching for the window
Running batch commands
Sending a custom TCP request
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon RedLine SmokeLoader Socelars Vid
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Execution Of Other File Type Than .exe
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: ID 538605; Sample: DY6NIa6uCJ.exe; Startdate: 13/12/2021; Architecture: WINDOWS; Score: 100
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2021-12-11 15:06:55 UTC
File Type:
PE (Exe)
Extracted files:
410
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:redline family:vidar aspackv2 evasion infostealer stealer suricata trojan
Behaviour
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
RedLine
RedLine Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: grakate_stealer_nov_2021
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments