MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7dfdd77617ff0d9ab80e43a147683d595b231369ddf9c18d2c4bf68d5133d3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: a7dfdd77617ff0d9ab80e43a147683d595b231369ddf9c18d2c4bf68d5133d3a
SHA3-384 hash: f5e7accfa9d709f23ba503d4b097c7fb3b8306b7f9d5e924faeb59ddf131d9790bf36b9eb1a1ea364c2987a3fe0451bb
SHA1 hash: f1486e9d6a07002930b13e731b2d456261c3ecb7
MD5 hash: a61c8ee3775554f49f81bc819d6dacbd
humanhash: uncle-september-undress-ack
File name: a61c8ee3775554f49f81bc819d6dacbd.exe
Signature: RedLineStealer
File size: 6'168'847 bytes
First seen: 2021-10-04 10:20:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:PbgDp9rTdiYuZWZ/xK7yLobM3LmFAwxOjlWJzscojwosUIrNTlXnF/0kRYaRMyR3:PgTdOZw/xtp3SFAw2dcbosrRlXFcYvlX
Threatray: 144 similar samples on MalwareBazaar
TLSH: T1B8563322AB915971D5326D33902A7A45327ABA301FD88A5BA380567DDA73DC0F330FD7
dhash icon: f0cccacaece4e0f0 (12 x RedLineStealer, 2 x GCleaner, 2 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
195.2.93.217:59309

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
195.2.93.217:59309 | https://threatfox.abuse.ch/ioc/230020/

Intelligence


File Origin
# of uploads: 1
# of downloads: 176
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request to an infection source
Running batch commands
DNS request
Connection attempt
Sending a custom TCP request
Launching cmd.exe command interpreter
Creating a file in the Windows subdirectories
Deleting a recently created file
Launching a service
Reading critical registry keys
Replacing files
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain
Stealing user critical data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed

Result
Threat name: RedLine SmokeLoader Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: [Behavior Graph ID 496291; sample yIJqFrR1xW.exe; start date 04/10/2021; architecture WINDOWS; score 100; graph image not reproduced]
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2021-10-01 19:38:50 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:921 botnet:937 botnet:first build botnet:ruzkiinstalls2 botnet:udp agilenet backdoor discovery evasion infostealer persistence spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
Unpacked files
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.