MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a65439ee7ce834a2fe1bbdbe3030c9221f02a0460ba510c41ea4f246de5ac439. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 10



SHA256 hash: a65439ee7ce834a2fe1bbdbe3030c9221f02a0460ba510c41ea4f246de5ac439
SHA3-384 hash: 64244989e900d7046c036387c14eacf4b52774e5f5c1baa82c3d3427f86c6391f3fa0bf15ec76390f9910ac182d0c6f8
SHA1 hash: 586eeb28c512f63371f1bb3fd2ff5014be13aecf
MD5 hash: 3ad67010f1d4a291524a848856543ec8
humanhash: coffee-august-maine-lemon
File name: setup_x86_x64_install.exe
Signature: RedLineStealer
File size: 6'245'083 bytes
First seen: 2021-10-28 16:55:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:Jvk8kKlUbjHv45laZZqO5Re4HNMHn1dPpkyRtBHvN9+MNIB3olyPeIftSCQeJVSb:J88rlUnP45AHZ5E4Hkn1dRky9N8EnO0b
Threatray: 665 similar samples on MalwareBazaar
TLSH: T105563363715AA14BD738D570CD65F018E0F8384085D9BADEE1BF4F40643AAD26E2A7CE
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: exe RedLineStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
95.181.152.7:46927   https://threatfox.abuse.ch/ioc/239332/
91.243.32.4:4249     https://threatfox.abuse.ch/ioc/239333/
18.190.26.16:61391   https://threatfox.abuse.ch/ioc/239334/

Intelligence


File Origin
# of uploads: 1
# of downloads: 229
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Backstage Stealer FormBook SmokeLoader S
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected FormBook
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 511202; Sample: setup_x86_x64_install.exe; Startdate: 28/10/2021; Architecture: WINDOWS; Score: 100. The graph traces setup_x86_x64_install.exe dropping and starting setup_installer.exe, which drops setup_install.exe and further payloads; setup_install.exe adds a Windows Defender directory exclusion, disables Windows Defender, and launches cmd.exe processes that run the dropped Thu16*.exe executables, which in turn drop more files, contact remote hosts, inject into foreign processes via process hollowing, check for virtual machines and kernel code integrity, harvest browser information, and start mshta.exe.
Threat name: Win32.Backdoor.Mokes
Status: Malicious
First seen: 2021-10-28 16:56:06 UTC
AV detection: 28 of 44 (63.64%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:chris botnet:sert23 aspackv2 backdoor infostealer stealer trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
Unpacked files
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
