MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b08e7b20a96d4bf0d2795d783b2b066abff7c0d82ccb15e616df533835193f5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b08e7b20a96d4bf0d2795d783b2b066abff7c0d82ccb15e616df533835193f5d
SHA3-384 hash: 593722bb0974bf03834bebf85a532e80840a626038826fbe5c0a4b2c6f3cc907ec019e8ec4aa1bf3552cc439670db0d4
SHA1 hash: 5632dbbe965bcd947492f290b9d49f8b96578747
MD5 hash: 4082607aaeab3dd7cf36491a62e2ce3b
humanhash: bravo-west-fillet-vermont
File name:4082607AAEAB3DD7CF36491A62E2CE3B.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'501'133 bytes
First seen:2021-07-12 14:40:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:UbfX1z8yFximSATdA8xdssvk3upL/NwUTWt1:UDXRxHSATdA8MsvkuLDE
Threatray 84 similar samples on MalwareBazaar
TLSH T1D6F533417A8196B1D5361D354A75AB11A93C7C200F348BEFA3F4255DDA3A1C2EF32BA3
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.140.147.193:35789

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.140.147.193:35789 https://threatfox.abuse.ch/ioc/159762/
185.153.198.53:57843 https://threatfox.abuse.ch/ioc/159777/

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4082607AAEAB3DD7CF36491A62E2CE3B.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 14:43:06 UTC
Tags:
autoit evasion trojan stealer vidar loader
Link:
https://app.any.run/tasks/80d8057e-c637-428b-8dac-347cdb5ea043

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171145/
Detection(s):
Win.Malware.Generic-9874384-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e33cab2-abb6-4038-aefe-364f4a7052a8
Result
Threat name:
Raccoon RedLine SmokeLoader Socelars Vid
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814961
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found C&C like URL pattern
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 447369 Sample: cCEP3pyVp8.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 89 google.vrthcobj.com 2->89 91 149.154.167.99 TELEGRAMRU United Kingdom 2->91 93 34.89.184.90 GOOGLEUS United States 2->93 133 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->133 135 Found malware configuration 2->135 137 Antivirus detection for URL or domain 2->137 139 15 other signatures 2->139 9 cCEP3pyVp8.exe 1 13 2->9         started        12 iexplore.exe 2->12         started        signatures3 process4 file5 49 C:\Users\user\Desktop\pub2.exe, PE32 9->49 dropped 51 C:\Users\user\Desktop\jg3_3uag.exe, PE32 9->51 dropped 53 C:\Users\user\Desktop\Installation.exe, PE32 9->53 dropped 55 4 other files (2 malicious) 9->55 dropped 14 Info.exe 9->14         started        19 Files.exe 10 9->19         started        21 pub2.exe 9->21         started        25 4 other processes 9->25 23 iexplore.exe 12->23         started        process6 dnsIp7 105 www.jinhuamz.com 103.155.92.207, 49746, 80 TWIDC-AS-APTWIDCLimitedHK unknown 14->105 107 79.174.12.174, 49737, 80 THEFIRST-ASRU Russian Federation 14->107 115 14 other IPs or domains 14->115 75 C:\Users\...\zRMwOCPGXhIG31_2ZLEnIwfH.exe, PE32 14->75 dropped 77 C:\Users\...\vmu7jIFgUCHYCRTxbVDRFnCY.exe, PE32 14->77 dropped 79 C:\Users\...\sgBsHeln0XuZhrMUsm5SaIEe.exe, PE32 14->79 dropped 87 37 other files (24 malicious) 14->87 dropped 119 Drops PE files to the document folder of the user 14->119 121 Performs DNS queries to domains with low reputation 14->121 123 Disable Windows Defender real time protection (registry) 14->123 81 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 19->81 dropped 27 File.exe 3 20 19->27         started        83 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 21->83 dropped 125 DLL reload attack detected 21->125 127 Renames NTDLL to bypass HIPS 21->127 129 Checks if the current machine is a virtual machine (disk enumeration) 21->129 32 explorer.exe 21->32 injected 109 iplogger.org 23->109 111 101.36.107.74, 49727, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 25->111 113 2no.co 88.99.66.31, 443, 49729, 49733 HETZNER-ASDE Germany 25->113 117 4 other IPs or domains 25->117 85 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 25->85 dropped 131 Creates processes via WMI 25->131 34 Folder.exe 25->34         started        36 WerFault.exe 25->36         started        38 conhost.exe 25->38         started        file8 signatures9 process10 dnsIp11 99 newja.webtm.ru 92.53.96.150, 49732, 80 TIMEWEB-ASRU Russian Federation 27->99 65 C:\Users\Public\run2.exe, PE32 27->65 dropped 67 C:\Users\Public\run.exe, PE32 27->67 dropped 149 Binary is likely a compiled AutoIt script file 27->149 151 Drops PE files to the user root directory 27->151 40 run2.exe 27->40         started        45 run.exe 27->45         started        69 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 34->69 dropped 71 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 34->71 dropped 73 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 34->73 dropped 47 conhost.exe 34->47         started        101 13.64.90.137 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->101 103 192.168.2.1 unknown unknown 36->103 file12 signatures13 process14 dnsIp15 95 74.114.154.22 AUTOMATTICUS Canada 40->95 97 162.55.223.232 ACPCA United States 40->97 57 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 40->57 dropped 59 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 40->59 dropped 61 C:\Users\user\AppData\...\mozglue[1].dll, PE32 40->61 dropped 63 9 other files (none is malicious) 40->63 dropped 141 Multi AV Scanner detection for dropped file 40->141 143 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->143 145 Machine Learning detection for dropped file 40->145 147 2 other signatures 40->147 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b08e7b20a96d4bf0d2795d783b2b066abff7c0d82ccb15e616df533835193f5d/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 07:20:03 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wchhwifjnvf7butzlv4dwkygnk77pqgyftfrlzqw35jtqnizh5oq._file
Verdict:
malicious
Similar samples:
00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
RedLineStealer
0bcf14216198351151d34d3e6ea6c05bf06c62eee05e15804ba132ea455b3710
RedLineStealer
1a1d8823b35b8c0d8dfcebe065520a07fe105589893262976fce4122317c55b8
RedLineStealer
2263fd1332612187cb951793ae3b34b74bd815da95d82b9d04d1fd6facb8311b
RedLineStealer
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e
RedLineStealer
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
RedLineStealer
924bb78c8e816ebd25d656fb6cf0387449cd4b3cd55846c99d4f0ddb47f71dd5
RedLineStealer
adb98685d3d6a8fa5e90b6fd9d458601d874718d5815f8aab66728ba9d067440
RedLineStealer
bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034
RedLineStealer
+ 74 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:712 botnet:865 botnet:890 botnet:903 botnet:921 botnet:9_7_r botnet:novee botnet:sel10 backdoor discovery dropper evasion infostealer loader spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/210712-52rpl4py86/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
45.140.147.193:35789
xtarweanda.xyz:80
https://sergeevih43.tumblr.com/
qumaranero.xyz:80
kathonaror.xyz:80
Unpacked files
SH256 hash:
bdc711ac87987626d1dd6e23b4d27d942e8a4b1b386e8d093019a19e925017ed
MD5 hash:
0f61d2c03416ffdbc81c37feeeb4d5f0
SHA1 hash:
3001140d7d070bce39600321a7717c865e0eca13
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
fa8e9649c3ea2415dd1da245b280766263f1344fe8a980944e30fdd4e159bf33
MD5 hash:
155ba44ad55ed22b1b377b42b1928ff6
SHA1 hash:
c5432f0bbb9e6703b8dc490132975c02ba77b203
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
f78cafdf504a8dbc642063f10fad6604919bebbb457621acf9fd12cd9cb8a8d2
MD5 hash:
546ec8e29b9563c6b5f31ebda05dab92
SHA1 hash:
b21d335a6e4468dc57eb3a4368019788b1b4489b
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
ef741c122ea840d444c718852b75da0b27f202e1d8bc0d08fb2227c7d3065ab4
MD5 hash:
b6e0ef10bbdbfc8646c9ffe5e079aa5c
SHA1 hash:
01ec8b37b9a82f31aebe54decf0e926640d302c2
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c
MD5 hash:
555b5b60b2dcc53e71e6d9ba8302c4b9
SHA1 hash:
550326b1226629a867d4606ad0c98c4ef9596b47
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
Parent samples :
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
SH256 hash:
76f7d5f475ed641ebcbc5b8d4ac4075e6907fe1a48424517ab5f8824522b348b
MD5 hash:
8586024a3dee9e225fa012569e7218f2
SHA1 hash:
6d05e0705c031e545807db7c178be656ab8311f0
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
55cdb9054f66ed88b8215d9f981efd7421c6f50dc9285140ec5ff591e34121bd
MD5 hash:
5631522a0758055c133e7966c1948802
SHA1 hash:
90caf8180bf43727fc490ffa34b1d578833aad7f
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
cc380bc143d358c248b6fdeb25fabc6d3b86d2529a1c3ad383546badf107fb3d
MD5 hash:
7ac6bfdb386053c56be326e5706b5fd9
SHA1 hash:
76e1b565485b3edf517a2c009ff45fd8b84e01f9
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
db9b1627381525fb3dff5e4a776c7d1c3d4c55a4433c4edbd77bf8bb4420af12
MD5 hash:
14d36cf377d30b3147e1c94f96988e04
SHA1 hash:
785e1f1874de0b4c75089cf9303063b51c26e535
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
0f874d5318cb8d34cb9053734e7d9db0b8918a40d2ceec9d39146091419cab2e
MD5 hash:
41c558099c0b51159a574b6856bdf34e
SHA1 hash:
ae36b19dc30336f02fd11f6f25981e69157323b6
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
SH256 hash:
b08e7b20a96d4bf0d2795d783b2b066abff7c0d82ccb15e616df533835193f5d
MD5 hash:
4082607aaeab3dd7cf36491a62e2ce3b
SHA1 hash:
5632dbbe965bcd947492f290b9d49f8b96578747
Link:
https://www.unpac.me/results/5c151c98-e9b6-420b-8d79-cc95e71611b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b08e7b20a96d4bf0d2795d783b2b066abff7c0d82ccb15e616df533835193f5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171145/

Comments