MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
SHA3-384 hash: 85ae7930916577d16b53f2a07ff926f1658b810ace188e80a83a6b296b2dc84250e3263f9403b1479a4338ac0b89ac5c
SHA1 hash: 16a40ad88d0e8c93ed10e10ae423b8a0436dcbfd
MD5 hash: 0667ace8cf940d7d56d3aa7ed7fe87e2
humanhash: bulldog-king-purple-carbon
File name:AB948F038175411DC326A1AAD83DF48D6B65632501551.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'994'035 bytes
First seen:2021-10-25 05:06:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:9g32Gtr2/RaimU9FfRpiGvjnaswqbSQXQ6aPXUSBjziTJj9cS:yGAYaFUXewjVwqbSQgb/RBjEjl
Threatray 3'356 similar samples on MalwareBazaar
TLSH T1149533EB5730D2E7DAD64EB58906795AA2B9100018B2779F13F4EF1C62DB162901F38F
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.51.246.132:8926

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.51.246.132:8926 https://threatfox.abuse.ch/ioc/237115/
91.206.14.151:16764 https://threatfox.abuse.ch/ioc/237116/

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199715/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b81b0782-a020-49e2-a7fe-82d5d19ed812
Result
Threat name:
SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875937
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 508370 Sample: AB948F038175411DC326A1AAD83... Startdate: 25/10/2021 Architecture: WINDOWS Score: 100 86 149.154.167.99 TELEGRAMRU United Kingdom 2->86 88 198.54.121.77 NAMECHEAP-NETUS United States 2->88 90 8 other IPs or domains 2->90 140 Multi AV Scanner detection for domain / URL 2->140 142 Antivirus detection for URL or domain 2->142 144 Antivirus detection for dropped file 2->144 146 15 other signatures 2->146 12 AB948F038175411DC326A1AAD83DF48D6B65632501551.exe 10 2->12         started        signatures3 process4 file5 66 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->66 dropped 15 setup_installer.exe 8 12->15         started        process6 file7 68 C:\Users\user\AppData\...\setup_install.exe, PE32 15->68 dropped 70 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 15->70 dropped 72 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 15->72 dropped 74 3 other files (none is malicious) 15->74 dropped 18 setup_install.exe 8 15->18         started        process8 dnsIp9 92 8.8.8.8 GOOGLEUS United States 18->92 94 127.0.0.1 unknown unknown 18->94 58 C:\Users\user\AppData\...\e3cc86d5adae521.exe, PE32 18->58 dropped 60 C:\Users\user\AppData\...\788074178a2.exe, PE32 18->60 dropped 62 C:\Users\user\AppData\...\3adf8a1dd5.exe, PE32 18->62 dropped 64 4 other files (2 malicious) 18->64 dropped 22 cmd.exe 1 18->22         started        24 cmd.exe 18->24         started        26 cmd.exe 1 18->26         started        28 5 other processes 18->28 file10 process11 process12 30 788074178a2.exe 4 58 22->30         started        35 3adf8a1dd5.exe 24->35         started        37 e3cc86d5adae521.exe 15 3 26->37         started        39 1cfb31c117e4.exe 12 28->39         started        41 332e1afd1b67.exe 28->41         started        43 bcc130ef83.exe 28->43         started        45 2e81c5b534319006.exe 28->45         started        dnsIp13 100 45.142.182.152 XSSERVERNL Germany 30->100 102 37.0.11.8 WKD-ASIE Netherlands 30->102 110 11 other IPs or domains 30->110 76 C:\Users\...\J4aj3bqd041tqWw9YULgeECV.exe, PE32 30->76 dropped 78 C:\Users\user\AppData\...\toolspab2[1].exe, PE32 30->78 dropped 80 C:\Users\user\...\search_hyperfs_204[1].exe, PE32 30->80 dropped 82 23 other files (7 malicious) 30->82 dropped 114 Detected unpacking (creates a PE file in dynamic memory) 30->114 116 Creates HTML files with .exe extension (expired dropper behavior) 30->116 118 Tries to harvest and steal browser information (history, passwords, etc) 30->118 120 Disable Windows Defender real time protection (registry) 30->120 122 Detected unpacking (changes PE section rights) 35->122 124 Machine Learning detection for dropped file 35->124 126 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 35->126 134 3 other signatures 35->134 47 explorer.exe 35->47 injected 104 88.99.66.31 HETZNER-ASDE Germany 37->104 128 Detected unpacking (overwrites its own PE header) 37->128 106 74.114.154.22 AUTOMATTICUS Canada 39->106 130 Multi AV Scanner detection for dropped file 39->130 112 2 other IPs or domains 41->112 132 Antivirus detection for dropped file 41->132 108 172.67.176.199 CLOUDFLARENETUS United States 43->108 51 WerFault.exe 43->51         started        54 2e81c5b534319006.exe 45->54         started        file14 signatures15 process16 dnsIp17 84 C:\Users\user\AppData\Roaming\berebvj, PE32 47->84 dropped 136 Benign windows process drops PE files 47->136 138 Hides that the sample has been downloaded from the Internet (zone.identifier) 47->138 96 20.42.73.29 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 51->96 98 192.168.2.1 unknown unknown 54->98 56 conhost.exe 54->56         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-23 23:44:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=voki6a4bovar3qzgugvnqppurvvwkyzfafkrrmdvgxjc4pnoro5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
1169aa40b39712cd78f3bba1509b3a5864752c534497431180eb752015d2d482
RedLineStealer
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
RedLineStealer
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
RedLineStealer
401bbd8d6f3e957749b523d8e9477005eaa8c9ff20aea6c32bee59fdeaa2c766
RedLineStealer
4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
RedLineStealer
719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
RedLineStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
RedLineStealer
c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b
RedLineStealer
c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
RedLineStealer
+ 3'346 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 botnet:933 botnet:937 aspackv2 backdoor evasion infostealer spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/211025-fre5rafeh4/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://xacokuo8.top/
http://hajezey1.top/
https://mas.to/@xeroxxx
Unpacked files
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
db9c9da8b8dff93878a3d79580fa14c6d94ba629e0bf774aec185031d0b05a54
MD5 hash:
0d3cbea09f4290ba0059e755d7b6eb97
SHA1 hash:
9e19b000f492b6e013e53fe0fd06aa2dec7733f4
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
730782c0a967f258e130f12b9ba25a3e582b0bc93b35a122b6b573d45b21adce
MD5 hash:
62fe79781226f327524de7b23525e1c7
SHA1 hash:
20b7a997ea9627320c687d6975ba2c5a6550365f
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
91ef165ad61d09dfda345f827b8ff78a18a3e40d8e12454cdb494d1555af7656
MD5 hash:
a6b572db00b94224d6637341961654cb
SHA1 hash:
9f0dbcce0496fede379ce4ecbfc2aa2afbb8ee8c
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
0dba3fe5275b6a17b44b07baf6f717f908776000ddf62098c712ef89a577f12a
MD5 hash:
1a280feb9ab6b8f0d264fbdfcade9325
SHA1 hash:
669a25d48aa0cc91abeb37f08ae012defeb3fc20
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash:
3263859df4866bf393d46f06f331a08f
SHA1 hash:
5b4665de13c9727a502f4d11afb800b075929d6c
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
8d5858913ba5c74aaf16aed486fa512d7aa775cdd25bda19ce62975ce1800ae1
MD5 hash:
3c945c167b21d5593785f59ded5fa285
SHA1 hash:
dfb7cad757c9c6e2a0b66b21e532bc283b419d1c
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
6fbd2fcf93bf4a086f9b3391a1effe93b2e4a93a36696a26154bbdd9f53c0a1b
MD5 hash:
601a544e2b685566d56fa8d4c5a34a57
SHA1 hash:
7ac610d9f083de44180981dfaa4831a76886d9ca
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
e484c53c495b1a293267ea144dd644a331e1c82384bd903eaa7aecc2ade2dd49
MD5 hash:
898dbc2a19a4e36398bbc772d89aefd3
SHA1 hash:
47120fc7f60a7e1b2d3207d1137ff5703fa43730
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
MD5 hash:
5b8639f453da7c204942d918b40181de
SHA1 hash:
2daed225238a9b1fe2359133e6d8e7e85e7d6995
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
62925040c55fdf0caf0b228a17a06abd86826b1be6a185c5c61c74c6de62d01c
MD5 hash:
0388bc623ea0e83f5ded9bfd07c14d20
SHA1 hash:
2b695437f49dd433a99f39433a2c0b975b4ad2cf
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
87f68d4a3ec76a5f14f23b03367fd281136ca8f66ad7a55fa5f82755bbc0fb16
MD5 hash:
8f9ec5f31d2e9568a5b706da707acabb
SHA1 hash:
a14eeb8c7c82171ead79b124946d8991a653c5a2
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
SH256 hash:
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
MD5 hash:
0667ace8cf940d7d56d3aa7ed7fe87e2
SHA1 hash:
16a40ad88d0e8c93ed10e10ae423b8a0436dcbfd
Link:
https://www.unpac.me/results/2e4127c7-28f9-4e85-8779-d5524a9e02f6/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ab948f038175/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/199715/

Comments