MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2
SHA3-384 hash: 34c5e951b145b28eb001a762cb0ee954a3718a78e05d314b60ec39ae330fe20d76099be312cf50c29bb256e368563b2a
SHA1 hash: 1af2a65956ba61ded056f90ef48e08abb7e4e6b5
MD5 hash: 7ba00a7f8bf0f2d0237bd01bb12a825b
humanhash: georgia-moon-freddie-music
File name:7BA00A7F8BF0F2D0237BD01BB12A825B.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'445'700 bytes
First seen:2021-08-11 10:40:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JK0LsE9LvEbGRN0nM1BOhu3uiJgR2qpNeJ:JK4sIoGDhBuu8j8J
Threatray 288 similar samples on MalwareBazaar
TLSH T17AF5331D4B520FE9CF81CD72BCA3A997007CEB291C66732716550BE5BB3AB72AC4E504
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://ggc-partners.in/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ggc-partners.in/decision.php https://threatfox.abuse.ch/ioc/170210/

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178188/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Malware.Jaik-9884565-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Moving a recently created file
Running batch commands
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da6a10e5-d05d-4c86-9317-28c8896a1a8b
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830824
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 463253 Sample: 10EqncBIA8.exe Startdate: 11/08/2021 Architecture: WINDOWS Score: 100 101 37.0.10.236 WKD-ASIE Netherlands 2->101 103 37.0.11.8 WKD-ASIE Netherlands 2->103 105 19 other IPs or domains 2->105 127 Antivirus detection for URL or domain 2->127 129 Multi AV Scanner detection for submitted file 2->129 131 Yara detected Vidar stealer 2->131 133 9 other signatures 2->133 11 10EqncBIA8.exe 10 2->11         started        14 svchost.exe 1 2->14         started        signatures3 process4 file5 87 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->87 dropped 16 setup_installer.exe 17 11->16         started        process6 file7 51 C:\Users\user\AppData\Local\...\zaiqa_4.txt, PE32 16->51 dropped 53 C:\Users\user\AppData\Local\...\zaiqa_3.txt, PE32 16->53 dropped 55 C:\Users\user\AppData\Local\...\zaiqa_2.txt, PE32 16->55 dropped 57 12 other files (1 malicious) 16->57 dropped 19 setup_install.exe 1 16->19         started        process8 dnsIp9 107 104.21.54.206 CLOUDFLARENETUS United States 19->107 109 127.0.0.1 unknown unknown 19->109 79 C:\Users\user\AppData\...\zaiqa_6.exe (copy), PE32 19->79 dropped 81 C:\Users\user\AppData\...\zaiqa_3.exe (copy), PE32 19->81 dropped 83 C:\Users\user\AppData\...\zaiqa_2.exe (copy), PE32 19->83 dropped 85 6 other files (1 malicious) 19->85 dropped 135 Detected unpacking (changes PE section rights) 19->135 137 Machine Learning detection for dropped file 19->137 24 cmd.exe 1 19->24         started        26 cmd.exe 1 19->26         started        28 cmd.exe 19->28         started        30 5 other processes 19->30 file10 signatures11 process12 process13 32 zaiqa_3.exe 89 24->32         started        37 zaiqa_2.exe 26->37         started        39 zaiqa_6.exe 28->39         started        41 zaiqa_1.exe 2 30->41         started        43 zaiqa_5.exe 30->43         started        45 zaiqa_4.exe 4 30->45         started        dnsIp14 89 74.114.154.18 AUTOMATTICUS Canada 32->89 91 176.123.2.239 ALEXHOSTMD Moldova Republic of 32->91 77 12 other files (none is malicious) 32->77 dropped 113 Detected unpacking (changes PE section rights) 32->113 115 Detected unpacking (overwrites its own PE header) 32->115 117 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->117 125 2 other signatures 32->125 119 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->119 121 Checks if the current machine is a virtual machine (disk enumeration) 37->121 93 104.21.92.87 CLOUDFLARENETUS United States 39->93 61 C:\Users\user\AppData\Roaming\7654642.exe, PE32 39->61 dropped 63 C:\Users\user\AppData\Roaming\6915441.exe, PE32 39->63 dropped 65 C:\Users\user\AppData\Roaming\6844705.exe, PE32 39->65 dropped 67 C:\Users\user\AppData\Roaming\5625636.exe, PE32 39->67 dropped 123 Creates processes via WMI 41->123 47 zaiqa_1.exe 41->47         started        95 208.95.112.1 TUT-ASUS United States 43->95 97 8.8.8.8 GOOGLEUS United States 43->97 99 3 other IPs or domains 43->99 69 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 43->69 dropped 71 C:\Users\user\AppData\...\aaa_v010[1].dll, DOS 43->71 dropped 73 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 45->73 dropped 75 C:\Users\user\AppData\Local\...\chrome2.exe, PE32+ 45->75 dropped file15 signatures16 process17 dnsIp18 111 104.21.70.98 CLOUDFLARENETUS United States 47->111 59 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 47->59 dropped file19
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2/
Threat name:
Win32.Trojan.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-08-08 01:35:25 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vaczlvlxof242tnfctw3a3jym5uirwxweyedng4bnmxrdnvkttba._file
Verdict:
unknown
Similar samples:
261b33850dd1404b22acfd5fe7e46806dce68f710f9b21b7ec00a264804e2137
RedLineStealer
4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8
RedLineStealer
5d10fa7657f41f17d508c1dbb3f63b5b2ad6deea2f47e747b118345a56ab6cdc
RedLineStealer
9e74b137b73150bea9b3ef6b987d3af1b3c445163c8ea469e6608d3ebc6062d9
RedLineStealer
aa9b8b79b9b4e0478e85c4ae5b08c15aadea45cac7617de2c298070fd781748e
RedLineStealer
bb7dead4d3da28e16ef45d0019cd42bbd3c4e3454c3042867e7f64aee2439912
RedLineStealer
+ 278 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:39b871ed120e56ecbdc546b8a8a78c4e5516bc1f botnet:706 botnet:937 aspackv2 backdoor dropper evasion infostealer loader persistence stealer suricata trojan
Link:
https://tria.ge/reports/210811-6trmwqdfh6/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/
Unpacked files
SH256 hash:
6e037f08a0c238f222fa2d717d487896fb12c411129748e6729e5599abc43b13
MD5 hash:
9806f3f87bcb267281009a6fc5c420fa
SHA1 hash:
1e36820c67183d74e9c1f94cfa63863e520b0598
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
Parent samples :
549953d5db2a4646740e721e24ec1b7fa57ef6c4d72ffa32752b17d4a65c36e4
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
SH256 hash:
e29c9603b1fa93d574948fa64e5b87b399a95c2a63669689d28c5a561b8b9583
MD5 hash:
7ae724de4cb426f69a5ea01ed45c887f
SHA1 hash:
37ffb39c93031a505691ae64fc4f17af9aac6eb4
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
25bece56369e558ace38148f3f1a1758bf7babade2e1e7f08dddfda3ae6a1efa
MD5 hash:
cd5fe9380dc60a963c2977c4345ac077
SHA1 hash:
1f8f193d74681b25850e1e1feb273a31c37a44de
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
f210a12e838e52eb42457f730c252e31f8203030a3364176d46b10b357b40ade
MD5 hash:
782d365078baf7f5fa471db7332a6a53
SHA1 hash:
1351fe8115ea9db8b1c531f2acc7d8b1a5c7ab21
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
da371e462bcaee4513b2b0b8f9cd115d6a0aa41713c50e9e39088c12960d26f7
MD5 hash:
cdc02870ffe64771ff6d9fb361e216c8
SHA1 hash:
c8299cf9d1a6b178f7661f69c350c008e77205c7
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
MD5 hash:
13a289feeb15827860a55bbc5e5d498f
SHA1 hash:
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4
MD5 hash:
c85639691074f9d98ec530901c153d2b
SHA1 hash:
cac948e5b1f9d7417e7c5ead543fda1108f0e9ed
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
22af1522526444b485228e2021f039523e03003bd1ab68b6da275b69c96b018b
MD5 hash:
fdaa4ceadfc95047aa93dbd903669f25
SHA1 hash:
97549c52142d192383e8f2018141901a1a0ec112
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
8223619e305ec5063e9e2c1490fa25f6e924c317b08fd5eed938bb5de2e57de1
MD5 hash:
8595f5515fac09b73ff463056cb07a15
SHA1 hash:
80f39da9a52cffb70edaa4d7de82f543ba4d417e
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash:
3263859df4866bf393d46f06f331a08f
SHA1 hash:
5b4665de13c9727a502f4d11afb800b075929d6c
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
508c41442ba856a3266b3e58a31fe8c4b0ad7491e04dfead265daaa028efd768
MD5 hash:
44dc205a5701b53f391a3a750c2c4712
SHA1 hash:
14e82b1f6bb987d8f2783db2ab5f82dd9ab8eacc
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
420e894dc544a34c87f49a611cde40ff48aec9c3ca1a581350fd8be0c85ba19e
MD5 hash:
3465976f20ebb5eaa5bcb761c69dc9e4
SHA1 hash:
55ee769fe642aba6e1d2da0b04c73602030befb3
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
SH256 hash:
a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2
MD5 hash:
7ba00a7f8bf0f2d0237bd01bb12a825b
SHA1 hash:
1af2a65956ba61ded056f90ef48e08abb7e4e6b5
Link:
https://www.unpac.me/results/4b45cf82-441f-4b9d-830a-6fca76cecafb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a80595d57771/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178188/

Comments