MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5e44dd81280a7fbef17c18e528c9df4b1289144fbc107d011af282a69cc3062. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 12



SHA256 hash: a5e44dd81280a7fbef17c18e528c9df4b1289144fbc107d011af282a69cc3062
SHA3-384 hash: a153558f399cd1a7da2561825e4a7f52b9fb2a399e47d0c54b91159cdb0e84cd65ddcbdac4a7c225288e30deaec0f677
SHA1 hash: 4e03a5d24d1d6ed106320778e9135b88f27ecfbe
MD5 hash: 2c1278bdd864323e17dd46c7774e0d08
humanhash: bravo-ack-october-football
File name: setup_x86_x64_install.exe
Signature: RedLineStealer
File size: 4'405'314 bytes
First seen: 2021-10-30 10:10:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JMAtpMHGfcT8Mv/iiRzen+WKQYIlaLai/zhEiqtUmGX3tYZz:JMAfMmET8MnicKLKQRlaLjrqCmGX3y5
Threatray: 673 similar samples on MalwareBazaar
TLSH: T18E1633968D379827C3D138349D11B91C4DDA992827BBBAC2EF6246CD5E792F06C06F31
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 311
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-10-30 08:50:30 UTC
Tags: trojan rat redline loader evasion stealer opendir vidar formbook

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Backstage Stealer FormBook SmokeLoader S
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected FormBook
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph: [behavior graph, ID 512209; sample setup_x86_x64_install.exe; start date 30/10/2021; architecture WINDOWS; score 100]
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2021-10-30 10:11:05 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:eae58d570cc74796157b14c575bd3adc01116ca0 botnet:srtupdate33 aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
Unpacked files
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments