MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2f9f5a099a6b1c2ba6789effefa150aec52c5587e85df9a6963fd03b55d4d57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: a2f9f5a099a6b1c2ba6789effefa150aec52c5587e85df9a6963fd03b55d4d57
SHA3-384 hash: de865fb9070d5302205764d5c5edc79cafb8f04c2ac28ae49b085539637b412446249a65f5fb3a7802d0d9a4e0248f32
SHA1 hash: 86ccef66be89113b7deef5a09e3354cdd13b0585
MD5 hash: 0af9c941d86c3914df0d442d51536bd8
humanhash: fanta-nuts-nitrogen-apart
File name: setup_x86_x64_install.exe
Signature: RedLineStealer
File size: 8'112'022 bytes
First seen: 2021-12-18 19:36:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JKtR9T1HusScfQ2BFDg6E801cUMDDYNvyuBbBcb:JwpHbLf9USYNKuUb
Threatray: 1'905 similar samples on MalwareBazaar
TLSH: T14A86339401455866C1FF6CB2ADB23F238A61AF449FAB8DAF713C2C4F9F6180D219875D
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: iam_py_test
Tags: exe RedLineStealer spyware
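An added check, not part of the MalwareBazaar entry: before analysing a local copy of this sample, confirm it is the object the entry describes by recomputing the file identity listed above. The expected SHA256, SHA1, MD5, SHA3-384 and file size are copied from the entry; the sample path and the self-test byte strings are assumptions. imphash, ssdeep and TLSH are left out because they need third-party libraries (pefile, ssdeep, py-tlsh). Note that the imphash above is shared with 101 GuLoader and 64 DiamondFox samples, so on its own it is a loader or packer fingerprint, not a family indicator; SHA256 is the authoritative match.

```python
"""Verify that a local file is the sample described by this MalwareBazaar entry.

Added example. Expected values are copied from the entry; the sample path is
an assumption and the self-test inputs are constructed byte strings.
"""
import hashlib
import os

# Identity of the sample as published in the entry.
EXPECTED = {
    "size": 8112022,
    "sha256": "a2f9f5a099a6b1c2ba6789effefa150aec52c5587e85df9a6963fd03b55d4d57",
    "sha1": "86ccef66be89113b7deef5a09e3354cdd13b0585",
    "md5": "0af9c941d86c3914df0d442d51536bd8",
    "sha3_384": "de865fb9070d5302205764d5c5edc79cafb8f04c2ac28ae49b085539637b412446249a65f5fb3a7802d0d9a4e0248f32",
}
DIGESTS = ("sha256", "sha1", "md5", "sha3_384")


def digest_bytes(data: bytes) -> dict:
    """Return the digests the entry publishes, plus size and the PE 'MZ' magic check."""
    result = {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}
    result["size"] = len(data)
    result["is_pe"] = data[:2] == b"MZ"  # consistent with "Executable exe" / application/x-dosexec
    return result


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through the same digests without loading it whole (samples can be large)."""
    hashes = {name: hashlib.new(name) for name in DIGESTS}
    size = 0
    magic = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            if size == 0:
                magic = chunk[:2]
            size += len(chunk)
            for h in hashes.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashes.items()}
    result["size"] = size
    result["is_pe"] = magic == b"MZ"
    return result


def verify(observed: dict, expected: dict = EXPECTED) -> dict:
    """Compare an observed identity to the entry.

    Returns {field: (expected, observed)} for every mismatch; an empty dict means
    the file is the sample. MD5 and SHA1 are compared only because feeds index on
    them, not because they are collision resistant; SHA256 decides.
    """
    mismatches = {}
    for field, want in expected.items():
        got = observed.get(field)
        if isinstance(want, str):
            want, got = want.lower(), (got or "").lower()
        if got != want:
            mismatches[field] = (want, got)
    if not observed.get("is_pe"):
        mismatches["is_pe"] = (True, observed.get("is_pe"))
    return mismatches


if __name__ == "__main__":
    sample_path = os.environ.get("SAMPLE", "setup_x86_x64_install.exe")  # assumed path
    if os.path.exists(sample_path):
        problems = verify(digest_file(sample_path))
        print("match" if not problems else f"MISMATCH: {problems}")
    else:
        print(f"{sample_path} not present; nothing to verify")
```

Run it with `SAMPLE=/path/to/sample python verify_sample.py`; any non-empty mismatch dict means you are not looking at the file this entry describes, which is the first thing to rule out before trusting the vendor verdicts below.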


iam_py_test
Pretends to be cracked software

Intelligence


File Origin
# of uploads: 1
# of downloads: 330
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Searching for the window
Running batch commands
DNS request
Sending an HTTP GET request
Launching a process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Raccoon SmokeLoader Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 542122; Sample: setup_x86_x64_install.exe; Startdate: 18/12/2021; Architecture: WINDOWS; Score: 100

The graph, flattened into the process tree it describes (each node lists its network contacts, dropped files and matched signatures):

setup_x86_x64_install.exe
  contacts: 103.155.92.143 (TWIDC-AS-AP TWIDC Limited, HK), 208.95.112.1 (TUT-AS, US), 10 other IPs or domains
  signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 17 other signatures
  drops: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  starts: setup_installer.exe
    drops: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Sat19d470e8e0597fc47.exe (PE32); C:\Users\user\...\Sat19ccc19655a1ffcf.exe (PE32); 19 other files (4 malicious)
    starts: setup_install.exe
      contacts: 104.21.50.158 (CLOUDFLARENET, US), 127.0.0.1
      signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
      starts: cmd.exe (three instances), 11 other processes
        cmd.exe -> Sat191705f5bd9d1.exe
          contacts: 185.215.113.208 (WHOLESALECONNECTIONS NL, Portugal), 185.112.83.8 (SUPERSERVERSDATACENTER RU, Russian Federation), 16 other IPs or domains
          drops: C:\Users\user\AppData\Local\...\setup[1].exe (PE32); C:\Users\user\AppData\...\search21[1].exe (PE32); C:\Users\user\AppData\...\install4[1].exe (PE32); 30 other files (5 malicious)
          signatures: Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
        cmd.exe -> powershell.exe
          signatures on this cmd.exe: Queries sensitive video device information (via WMI, Win32_VideoController); Queries sensitive disk information (via WMI, Win32_DiskDrive); Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
        cmd.exe -> Sat19ccc19655a1ffcf.exe
          signatures: Injects a PE file into a foreign processes; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
          starts: Sat19ccc19655a1ffcf.exe (second instance)
            contacts: 51.38.94.87 (OVH, FR), 185.82.219.137 (ITL, BG), 8.211.2.226 (CNNIC-ALIBABA-US-NET-AP, Singapore)
            drops: C:\Users\user\AppData\Local\...\null[1] (PE32); C:\Users\user\AppData\Local\...\rolle2[1].exe (PE32); C:\Users\user\AppData\...\55479332677.exe (PE32); 2 other files (none is malicious)
        11 other processes ->
          Sat19d470e8e0597fc47.exe: Sample uses process hollowing technique
          Sat195518974c.exe: drops C:\Users\user\AppData\...\Sat195518974c.tmp (PE32); Obfuscated command line found
          Sat196a179a23a4a4a2.exe: contacts 159.69.92.223 (HETZNER-AS, DE), 149.28.78.238 (AS-CHOOPA, US); drops C:\Users\user\AppData\...\freebl3[1].dll (PE32), C:\Users\user\AppData\...\vcruntime140[1].dll (PE32), 10 other files (none is malicious)
          5 other processes: drop C:\Users\user\AppData\Local\Temp\...\@.cmd (PE32)
Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2021-12-18 19:40:17 UTC
File Type: PE (Exe)
Extracted files: 323
AV detection: 23 of 27 (85.19%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:164fb74855c13a4287d8fe7ac579a35bdf7002ab botnet:915 botnet:media19n botnet:v3user1 aspackv2 backdoor evasion infostealer stealer suricata trojan upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
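An added detection example, not part of the MalwareBazaar entry or of any vendor's sandbox output: the Signature list above (Defender directory exclusions, real-time protection disabled via registry or PowerShell, obfuscated command lines) and the Behaviour list (scheduled tasks, timeout.exe delays, taskkill) reduce to a small set of process-creation patterns that an EDR or Sysmon pipeline can tag. The event dictionaries mirror Sysmon Event ID 1 fields but are constructed here, and the command lines are typical forms of these techniques, not the ones this sample ran, which the page does not show. The `ping -n` sleep and the caret-count heuristic for cmd.exe obfuscation go slightly beyond what the page lists.

```python
"""Tag process-creation events for the behaviours this entry lists.

Added example; the event format and the command lines are constructed and are
not taken from the sandbox run described above.
"""
import re
from typing import Dict, List, Set, Tuple

# (tag, pattern): each pattern is matched case-insensitively against the full command line.
RULES = [
    ("defender_exclusion", r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)"),
    ("defender_rtp_disable", r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)"),
    ("defender_rtp_disable",
     r"reg(\.exe)?\s+add\b.*Windows Defender\\Real-Time Protection.*DisableRealtimeMonitoring.*/d\s+1"),
    ("defender_service_disable", r"\b(sc(\.exe)?\s+(stop|config)|net(\.exe)?\s+stop)\s+WinDefend\b"),
    ("execution_delay", r"\b(timeout(\.exe)?\s+(/t\s+)?\d+|ping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1)"),
    ("process_kill", r"\btaskkill(\.exe)?\b.*(/f|/im|/pid)"),
    ("scheduled_task", r"\bschtasks(\.exe)?\s+/create\b"),
    ("encoded_powershell", r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s"),
]
COMPILED = [(tag, re.compile(pat, re.IGNORECASE)) for tag, pat in RULES]
SHELLS = {"cmd.exe", "powershell.exe"}
CARET_THRESHOLD = 4  # heuristic: cmd.exe caret insertion (s^e^t) rarely appears in benign command lines


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tag_event(event: Dict[str, str]) -> Set[str]:
    """Return the set of behaviour tags a single process-creation event triggers."""
    cmd = event.get("CommandLine", "")
    tags = {tag for tag, rx in COMPILED if rx.search(cmd)}
    if cmd.count("^") >= CARET_THRESHOLD:
        tags.add("obfuscated_cmdline")
    # The tree above shows installers dropped under AppData spawning cmd.exe/powershell.exe.
    if basename(event.get("Image", "")) in SHELLS and "\\appdata\\" in event.get("ParentImage", "").lower():
        tags.add("shell_spawned_by_appdata_binary")
    return tags


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (ProcessId, sorted tags) for every event that triggered at least one tag."""
    report = []
    for event in events:
        tags = tag_event(event)
        if tags:
            report.append((event["ProcessId"], sorted(tags)))
    return report


# Constructed events, modelled on the process tree in the entry (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": "1", "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup_install.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"'},
    {"ProcessId": "2", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ProcessId": "3", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"ProcessId": "4", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\timeout.exe", "CommandLine": "timeout /t 30"},
    {"ProcessId": "5", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /f /im Sat19ccc19655a1ffcf.exe"},
    {"ProcessId": "6", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\user\AppData\Roaming\upd.exe"},
    {"ProcessId": "7", "ParentImage": r"C:\Users\user\AppData\Local\Temp\Sat195518974c.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c s^e^t x=1 && c^a^l^l %x%"},
    {"ProcessId": "8", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS):
        print(pid, ", ".join(tags))
```

The Defender-tampering tags are the ones worth alerting on by themselves; `execution_delay`, `process_kill` and `scheduled_task` are common in legitimate installers and are better used to raise the score of a process tree that already carries a Defender or AppData-shell tag.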
Malware Config
C2 Extraction:
http://www.biohazardgraphics.com/
https://noc.social/@sergeev46
https://c.im/@sergeev47
65.108.69.168:13293
159.69.246.184:13127
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
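An added example, not from the page: the C2 Extraction list above mixes full URLs, profile URLs on shared social-media hosts and bare ip:port sockets, and each kind needs its own matching rule. The two profile URLs on noc.social and c.im are on legitimate Mastodon instances (the entry's "Legitimate hosting services abused for malware hosting/C2" behaviour), so the hostname alone is not an indicator and only the full path is matched; everything else is matched on host, plus port for the sockets. The log format and the log lines are constructed.

```python
"""Turn this entry's C2 Extraction list into matchable indicators and run them over log lines.

Added example. The indicator list is copied from the entry; the log format and
the sample log lines are constructed.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

C2_EXTRACTION = [
    "http://www.biohazardgraphics.com/",
    "https://noc.social/@sergeev46",
    "https://c.im/@sergeev47",
    "65.108.69.168:13293",
    "159.69.246.184:13127",
    "http://rcacademy.at/upload/",
    "http://e-lanpengeonline.com/upload/",
    "http://vjcmvz.cn/upload/",
    "http://galala.ru/upload/",
    "http://witra.ru/upload/",
]
# Shared, legitimate hosts used as dead-drop resolvers: never match on hostname alone.
SHARED_HOSTS = {"noc.social", "c.im"}


def parse_ioc(raw: str) -> Dict:
    """Classify one indicator as a URL or an ip:port socket and decide how it may be matched."""
    if "://" in raw:
        u = urlsplit(raw)
        host = (u.hostname or "").lower()
        return {"kind": "url", "host": host, "port": u.port, "path": u.path,
                "raw": raw, "host_only": host not in SHARED_HOSTS}
    host, _, port = raw.rpartition(":")
    return {"kind": "socket", "host": host.lower(), "port": int(port), "path": None,
            "raw": raw, "host_only": True}


IOCS = [parse_ioc(x) for x in C2_EXTRACTION]


def defang(raw: str) -> str:
    """Render an indicator safely for tickets and reports (hxxp, [.])."""
    return raw.replace("http", "hxxp").replace(".", "[.]")


def match_line(line: str) -> List[str]:
    """Return the raw indicators one log line hits.

    Assumed (constructed) format: '<ts> <src_ip> <dst_host> <dst_port> <url or ->'.
    """
    fields = line.split()
    if len(fields) != 5:
        return []
    _, _, dst_host, dst_port, url = fields
    dst_host, dst_port = dst_host.lower(), int(dst_port)
    hits = []
    for ioc in IOCS:
        if ioc["kind"] == "socket":
            if dst_host == ioc["host"] and dst_port == ioc["port"]:
                hits.append(ioc["raw"])
        elif url != "-" and url.lower().startswith(ioc["raw"].lower()):
            hits.append(ioc["raw"])          # full URL match: valid for every URL indicator
        elif ioc["host_only"] and dst_host == ioc["host"]:
            hits.append(ioc["raw"])          # hostname match: only for non-shared hosts
    return hits


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (timestamp, hits) for every line that touched an indicator."""
    report = []
    for line in lines:
        hits = match_line(line)
        if hits:
            report.append((line.split()[0], hits))
    return report


# Constructed log lines (not real traffic).
SAMPLE_LOG = [
    "2021-12-18T19:40:01Z 10.0.0.5 65.108.69.168 13293 -",
    "2021-12-18T19:40:02Z 10.0.0.5 noc.social 443 https://noc.social/@sergeev46",
    "2021-12-18T19:40:03Z 10.0.0.6 noc.social 443 https://noc.social/@someone_else",
    "2021-12-18T19:40:04Z 10.0.0.5 galala.ru 80 http://galala.ru/upload/",
    "2021-12-18T19:40:05Z 10.0.0.7 rcacademy.at 80 http://rcacademy.at/index.html",
    "2021-12-18T19:40:06Z 10.0.0.8 159.69.246.184 443 -",
    "2021-12-18T19:40:07Z 10.0.0.5 www.biohazardgraphics.com 80 http://www.biohazardgraphics.com/",
]

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG):
        print(ts, [defang(h) for h in hits])
```

Third line of the sample log is the case the `SHARED_HOSTS` rule exists for: a different profile on the same Mastodon instance is ordinary traffic and must not fire, while the sixth line shows why the socket indicators carry their port. Hosts such as rcacademy.at are matched on hostname because the page gives no reason to treat them as shared infrastructure; loosen that if a host turns out to be a compromised site with legitimate traffic.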
Unpacked files (SHA256, then MD5 and SHA1 on the following line)

a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
  MD5 6faec01bf7a3d7f5c5dee2e6e3143a58, SHA1 603a36f817cab5574e58ab279379e5c112e5fb37
0ebe3d34213181f148537d13f6c49eaa94bc01b5bbafb382483972d139131b0d
  MD5 5496bd5ee65985d7bfed73e46495c62b, SHA1 ea4a26c342e75d3c1155ffe6e65a9465c069e04c
  Detections: win_raccoon_auto
5b1226e98a6ad358913232cfe2b7ea93758768d4248af49a9a5a5a78883f00de
  MD5 e1bb32daf752f49e0353df2c0d45b24b, SHA1 f03484a8c9e3a7fa81ae27a1c3b948307ce12083
84d3648a14ec9e5c31c5b68921c73839da1b62a85051946aaf73228a91f82cbc
  MD5 503bb2f2088d21149786cb91a271de1a, SHA1 d659ba946b1bced18853349803021acedde83c6d
ee2cc85a8e1972a29ce67ab0218d5daa8fc9b67f36111c71eccaf6da05219d19
  MD5 f6271f82a952f96ba9271a4a27c9f22f, SHA1 d12708b9e39a0cd06add96316b65f1668d6a1246
cbe093c709165f55db4ec2f362f7dccee0086f6d6edd34fe57434c70433cbbc6
  MD5 0a2dcc9563fc8c74829e8c82b4ca28a2, SHA1 c9f4a03ff61995ab854c6dfab5b3979cc6e69f05
47c6ab577b9fa97312df57a7fc57a0c0c392c6ef1297c030c41822fefd62a605
  MD5 6d25411538d9fc319f179cae0378c5a1, SHA1 7625390b7ecee07d650e68c1dc01a07a5177bd80
dcc1725b855ec8f21f1a78a72bc3951682a20709b129d16051cbbbfca2361c2a
  MD5 851857aa313098b41716720126d1e9e1, SHA1 748d3a025f04a0526678af71a341097570c88e7e
0b31f1cb396d79e6a426a4c02e77ba88f86da783febcc7b363623960c1b225df
  MD5 4050a75943647a6b899cae669f204a15, SHA1 43d5d365ccd17ba36786e134812e91020a4a5f85
0aa9168a76c7aa3d115cd12b473901bee1656abac6fedfd4b799466caf355257
  MD5 406703a856d544faced5a415e9dc856a, SHA1 40da8d92df9174745678039b89ca07fac072d09c
1042bc1158147c1ca3cdd04ac79d06b01d22cdf76a72aa5e1f1ad98d96ec1eb8
  MD5 08d67e67ed6c5c44e1703be6c85d1720, SHA1 2bc10a62b2cde0ba3343439aa710cd38d44ae300
f58f2154e5d75dd06c1666f6b3cbe17b32ce6c8779f72626d01574e6c3a1b386
  MD5 a6658c56eb3c41765abbd12cdeee21f4, SHA1 243bfd8dcf97b2f2c5ad4710017ed296f8a70125
e14cba13c66d47b10dec422ac1dc57c0baa0fe5a9bb3588f5c04e665ac275115
  MD5 c009e278b87cf96c2e762b7369bf0dab, SHA1 23a79125576235c0ae8de30caf60bb6a753fbb70
87a9f81b4e02e6acc09399917e39fafa4dcf823206b78ba979b9dd0cd6656f0d
  MD5 ef1114af6d2f142467652dd20bf19125, SHA1 1bea9033d5245cd3208f3299c799a045f8a293f7
f45daafd61371b1f080a92eea8e9c8bfc9b710f22c82d5a06a1b1bf271c646ad
  MD5 7e32ef0bd7899fa465bb0bc866b21560, SHA1 115d09eeaff6bae686263d57b6069dd41f63c80c
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
  MD5 f707252b9c9579677fffb013e0cfc646, SHA1 8ab483023fa8773afb8c13464c39c5b8e687f126
9dac78cf97a753e813b02cb654f076cdea03155bc9a98ed64ec248729ead52ec
  MD5 29fa5c5ade39d4ae5a0f564949278923, SHA1 376051004220051779d97fcb44065a8724de370b
fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b
  MD5 a6865d7dffcc927d975be63b76147e20, SHA1 28e7edab84163cc2d0c864820bef89bae6f56bf8
a6fe15069a6ea98b42471503e427375cdf14b92fd6bf6f69a21dbe2e1a675c98
  MD5 26f0fa618a849f4c2c8a054bb41583d2, SHA1 2d34f74fafe0c0042e567858ed8a8601ce250d14
de48339493b2d05af743ff81e8f95a427fe327bbf66b55385ccfecd9bdcdcdc9
  MD5 9baee18e3553be5aeba9ba0f0dea346d, SHA1 624b9f3ec117d110732253af5630410f07933ed8
fa14f0597a35435f9e48cff792c47a49ab0b5fcf01947de14b9588e09eb22c9b
  MD5 29c796ef32c741453e3853293676d837, SHA1 7c56188570d7257212c42e80384e5a5f006bac4b
a244f63075d93d629cd813c96b28866da2ee20e658aef230a958749a3926a48d
  MD5 37691592b8f8cca0658380f3903d335b, SHA1 91dc00577881732f26b63a96bdc605b58669442e
1d208635e491a032ff1313c2df490988461c99a4009202a4865f325b6a80200c
  MD5 fecc3d87b94d3c8d5cc54bd506ade09f, SHA1 8992fd11aad0236ee2e8fc485e92a4f6a345df58
d288d6445ab5956befb7876192a27fb059897d168abc270f9671e064b660e2fd
  MD5 46767bc95f42d0bb5becb56baa9491d3, SHA1 0849984ec3fabe72e72e69fa53c552b336121cc5
845e39a2a63c24287fda706a2083439a7f6dae35899b4d38413984d58853eb75
  MD5 ff04057229611ed3f00f26b6728de578, SHA1 4f183e7fc47cd72e5c1dfea9669ee5d306af2b93
a249e7990e12adeddc37729efbd8b772046ae8a2373a9702b355f499c6374344
  MD5 0b9d27409fbbf7b78dce555ad47f7828, SHA1 c505689bfd690f8a132bdc21e2753d50173f1041
2601fcb8a59ba629a376e750ade933d9dc848d93f7f161276984beae30f28033
  MD5 8f00def44b48361081e0078b7cb1c2e3, SHA1 f33c77a00e39b87290b15a3729320f8de32d606d
6be95e851dea6d4d6f6d41b1ea2f08bb1c27729b1fdcd24f392ec99e87f1aea1
  MD5 e7fff75d992ebfcd7ae7f7f13f538e5f, SHA1 add3f95aa566b8b5f6f59c2d4afa636bebc45f98
e7b8877389f0bfb5fb95f08a799a0e7d06a2f7161a0287552ff3eadf06bd1dd1
  MD5 e9eb471509abbfb4456285e82b25d1c9, SHA1 b96ef576c147ea8a1b3e0bd5430117ba9ad31096
ebcfce073e8cb830630da06b772b97cfdbd17a9814849be9fcaecb617ec80229
  MD5 352493f35ca899281c205eeccb22b231, SHA1 75a48f4cca4041c2dbd796efbd9ca41fadc401a9
261a5f21ad2b9cec0d472036be7d5f3921d0c7b255bde407f93d901468cdfcd3
  MD5 519cd12c49bfc542b6a7d46092b867d4, SHA1 df1064b87534ac0c904d7257260b39f8d32f4c29
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
  MD5 ded1c6e8c89148495fc19734e47b664d, SHA1 3a444aeacd154f8d66bca8a98615765c25eb3d41
a2f9f5a099a6b1c2ba6789effefa150aec52c5587e85df9a6963fd03b55d4d57 (the submitted sample itself)
  MD5 0af9c941d86c3914df0d442d51536bd8, SHA1 86ccef66be89113b7deef5a09e3354cdd13b0585

Malware family: Raccoon v1.7.2
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create when run. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_DLInjector03
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe, SHA256 a2f9f5a099a6b1c2ba6789effefa150aec52c5587e85df9a6963fd03b55d4d57 (this sample)

Comments