MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b10274561191cedb0b16d2a69fdcd4e5062edfe2621842eacd55945ffded3f57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 4 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b10274561191cedb0b16d2a69fdcd4e5062edfe2621842eacd55945ffded3f57
SHA3-384 hash: af9a439e2ae057912ab83bf1f7dfc5239ee4aeb4c54ae6aa69044de42add78481ed23f216992a2efe6e03f5786cd9cc6
SHA1 hash: 6a054be41ac9a5badab8d38552b8703c12b33cca
MD5 hash: 19008dabdac3c666e9006648027c4754
humanhash: alpha-bulldog-sink-comet
File name:B10274561191CEDB0B16D2A69FDCD4E5062EDFE262184.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'783'763 bytes
First seen:2021-11-26 16:25:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xjCvLUBsgNnyceLlQgFzTU7V2y/VroqAG7oGF:xYLUCgNngQETe7j
Threatray 1'697 similar samples on MalwareBazaar
TLSH T1B806333039CAC4FAEE8132395D199BB795FEC74D063A64D77330D5AA8E1584AD33B01A
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.181.152.177:21142

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.181.152.177:21142 https://threatfox.abuse.ch/ioc/254437/
195.242.111.44:37939 https://threatfox.abuse.ch/ioc/254926/
45.130.151.74:81 https://threatfox.abuse.ch/ioc/254927/
65.21.226.115:27660 https://threatfox.abuse.ch/ioc/254928/

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B10274561191CEDB0B16D2A69FDCD4E5062EDFE262184.exe
Verdict:
No threats detected
Analysis date:
2021-11-26 16:30:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5288d38a-ccee-4f3b-bf9c-c4f5677b4d6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Dropper.Upatre-9890301-1
Create hunting rule

Win.Dropper.Generickdz-9891172-0
Create hunting rule

Win.Dropper.Generickdz-9894088-0
Create hunting rule

Win.Dropper.Generickdz-9894095-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
DNS request
Creating a window
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Moving a recently created file
Query of malicious DNS domain
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
arkeistealer azorult barys overlay packed
Link:
https://www.filescan.io/uploads/61a10a9db71ceed41531d0d3/reports/3e68f5c3-e1a4-4900-acb1-f0d3e19cc930/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5564437c-d4a7-44aa-a28e-1264e6bc54a1
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896865
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 529343 Sample: B10274561191CEDB0B16D2A69FD... Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 72 staticimg.youtuuee.com 2->72 74 cdn.discordapp.com 2->74 76 a.goatgame.co 2->76 104 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->104 106 Antivirus detection for URL or domain 2->106 108 Antivirus detection for dropped file 2->108 110 15 other signatures 2->110 11 B10274561191CEDB0B16D2A69FDCD4E5062EDFE262184.exe 17 2->11         started        signatures3 process4 file5 52 C:\Users\user\AppData\...\setup_install.exe, PE32 11->52 dropped 54 C:\Users\user\...\Tue06fef1eb6915a54.exe, PE32 11->54 dropped 56 C:\Users\user\...\Tue06a05305b6ee3.exe, PE32 11->56 dropped 58 12 other files (7 malicious) 11->58 dropped 14 setup_install.exe 1 11->14         started        process6 dnsIp7 100 127.0.0.1 unknown unknown 14->100 102 hsiens.xyz 14->102 130 Performs DNS queries to domains with low reputation 14->130 132 Adds a directory exclusion to Windows Defender 14->132 18 cmd.exe 14->18         started        20 cmd.exe 1 14->20         started        22 cmd.exe 14->22         started        24 8 other processes 14->24 signatures8 process9 signatures10 27 Tue0676b4d32ba71a3.exe 18->27         started        32 Tue0699904d3988.exe 20->32         started        34 Tue0634f55dcf1.exe 22->34         started        112 Adds a directory exclusion to Windows Defender 24->112 36 Tue06490e70c2.exe 24->36         started        38 Tue06a05305b6ee3.exe 24->38         started        40 Tue062aa86676e1a963.exe 24->40         started        42 4 other processes 24->42 process11 dnsIp12 78 136.144.41.58, 49769, 49776, 49797 WORLDSTREAMNL Netherlands 27->78 82 8 other IPs or domains 27->82 60 C:\Users\...\470Np4qSukTKptULUc9uTl1Y.exe, PE32+ 27->60 dropped 62 C:\Users\user\...62iceProcessX64[1].bmp, PE32+ 27->62 dropped 114 Antivirus detection for dropped file 27->114 116 Multi AV Scanner detection for dropped file 27->116 118 May check the online IP address of the machine 27->118 120 Disable Windows Defender real time protection (registry) 27->120 84 3 other IPs or domains 32->84 122 Tries to harvest and steal browser information (history, passwords, etc) 32->122 86 2 other IPs or domains 34->86 124 Machine Learning detection for dropped file 34->124 88 3 other IPs or domains 36->88 64 C:\Users\user\...\Tue06a05305b6ee3.tmp, PE32 38->64 dropped 126 Obfuscated command line found 38->126 44 Tue06a05305b6ee3.tmp 38->44         started        80 185.215.113.15, 6043 WHOLESALECONNECTIONSNL Portugal 40->80 90 8 other IPs or domains 42->90 128 Performs DNS queries to domains with low reputation 42->128 48 Tue06fef1eb6915a54.exe 42->48         started        file13 signatures14 process15 dnsIp16 92 the-flash-man.com 44->92 94 best-link-app.com 44->94 66 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 44->66 dropped 68 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 44->68 dropped 70 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 44->70 dropped 96 staticimg.youtuuee.com 48->96 98 a.goatgame.co 48->98 50 conhost.exe 48->50         started        file17 process18
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b10274561191cedb0b16d2a69fdcd4e5062edfe2621842eacd55945ffded3f57/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-11-21 17:29:00 UTC
File Type:
PE (Exe)
Extracted files:
194
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=webhivqrshhnwcyw2ktj7xgu4udc5x7cmimef2wnkwkf77pnh5lq._file
Verdict:
malicious
Similar samples:
3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8
RedLineStealer
59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280
RedLineStealer
77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59
RedLineStealer
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
RedLineStealer
a3845d760f3394981f0e9b2330c279db0534befaaa17c67ded9b3dbd7b9e608f
RedLineStealer
b4a1afa93c65eba3ab6efeb4624dcc8d65dbdefefe682bb26a1e2d9aa94415bd
RedLineStealer
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
RedLineStealer
ee96df216161f048ee9c50853b018f779d71bce1498f28a4d1b1bc3d797f14ac
RedLineStealer
f2433dfba69148a0c3a5a5951d360b6c3c045090de06f11e273f13ccd01c42f3
RedLineStealer
+ 1'687 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:socelars family:vidar botnet:706 botnet:pab777 aspackv2 infostealer spyware stealer suricata
Link:
https://tria.ge/reports/211126-txhpqaddgr/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
https://kipriauka.tumblr.com/
185.215.113.15:6043
http://www.ecgbg.com/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
5050bc56c683a4dbfda08b43d68973961458fd712164c3792d060153c2bd7027
MD5 hash:
f9210936145be5d696c5c80f8f464a58
SHA1 hash:
4647f8be74272b9a6d6d039fc6bb68aca0c8b49c
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
e173de6e79423d659886704dcaaf5848078ced4e14e0772e4f1e7b3931bb0862
MD5 hash:
95f9e24e7dd90ee5892743c58801db9f
SHA1 hash:
f107fcd45e57e7b71193f1f1777b8377f5d3cda1
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
e621e23cf07ea962557bce0f28940a8283135de86d3fd3d520d58115a8484982
MD5 hash:
35959e37d587e649357c57c2c5797a93
SHA1 hash:
b3f2ef17f1c45e34ea84a70285a14672034a97ae
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
4266165affda48b7a0fc19e67760e2d0ff275bf5f66d463acdf89c17362c3022
MD5 hash:
6e5515bdee2907426548266c47390abc
SHA1 hash:
105000cfd2dcd2e5f5f5f9e1f5ab4eff4626473e
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
856406c9c7b31f0c00351ad33116eef6266e808f62707dbdd452d78d87c15b49
MD5 hash:
dcb44b893efae5ddd8cb122af5c988f2
SHA1 hash:
b7a5c73b39271c594545f0d35e5c1f739f37fa7f
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
Parent samples :
71a117de440384fdc4b8fb690fc73674e9e2a9a75e68951ae798374808924264
33cbd9e39dd39a84d0426897605b17000046e0fb14399e9d0bf47b55c0e3ad8b
b10274561191cedb0b16d2a69fdcd4e5062edfe2621842eacd55945ffded3f57
6dfd902231e6aa1301c11eca21f5a29456aa020bfe1eb19d05541ab32316a326
2a9e7bc07bd4ec39c2beaa42ff35352bbe6400f899f70be8922688db70cc5357
15f4e965344a38b07713363133e6624f72db10cb297967e91608eec1020e6b1d
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
bb714b088b9945fecd70f12c16055a554ba9ef911dd1ac6e6c8454a7c1e56830
MD5 hash:
0c44fa294e3ba33b26b0f75a8d36ffc9
SHA1 hash:
dc03c1b4770c6238764de3ac40594ddf5db237f6
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
ae25cb941f3026c1da3db95f689d4dc493580c5900adcb856e62ece1fc591598
MD5 hash:
e7d138a960df98a500620432b4d32cc0
SHA1 hash:
b03ed11d72da94a70dd0a35cf0fa5dff2ea248e0
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
85c0574b48df124cb351cf102246e547a82619fbf7521d0bc515828b480aeb49
MD5 hash:
5dbebf819f64fc4691f2168c520160ea
SHA1 hash:
74d9e9ad214b51e6ffefb661b31f3f1c592867c1
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
c0ea00225f5d4da9fe390b8a301876fb36a9efcf5b9e224bb89e1e89108787f2
MD5 hash:
02492d9e1e889a6c23cdfe059099239f
SHA1 hash:
3908ce40f70cbeb0765dd03048effcb4953ba22f
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
98628754e589e8eadaa6d2272f82de370dac26034b56bef3f2d386062fb8d284
MD5 hash:
b30cf0b08987a2326ad8cbe6a4de902a
SHA1 hash:
25344641a9b5eb53f63109d4d8cc3f5ecf16ee92
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
802916a589989b0dea8ba87dad8ed5e3146d52994fc0dff270bee5e74f553087
MD5 hash:
65ef5067b4e421c8a7d7345197d1f187
SHA1 hash:
2163beace0c45bcb13b49f5339953669e957db73
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
9d9bf40ad62d6ef8123be1205bad4bcd954a408fd7b5dce255fb662bb5d16af7
MD5 hash:
9ab450b63abcd03c30d4a1712d947608
SHA1 hash:
d095dc6b266816133172c5efa99eaa93523c5c3a
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
0396d91829330fa6c35bc9986d886f5baa1b314e3d91417d07da16f82eb9788e
MD5 hash:
4f1da746bc00c0fc4ab4d9dc4d6b2d65
SHA1 hash:
69fb88462aadeb931401ba3ea8944d3a1c017d40
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
8640d9853339cc5a1abe1f97bc3f1ad92dcff0a60ed370b8fd577667eb0976e3
MD5 hash:
75a6cb4d3d5d7b126fc7de9d81b6dedb
SHA1 hash:
e40f8f9a62564fc4dac73fdbf33ec031eeb95357
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
4f3677f045f005c8fb045f85fcf303e9f5e596b9af2797db9fde830de2d1ab83
MD5 hash:
c4aebd8278437488aa8ad62d38877dcc
SHA1 hash:
0492f552121532c5a5fa208b6bbb99767079bcfa
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
SH256 hash:
b10274561191cedb0b16d2a69fdcd4e5062edfe2621842eacd55945ffded3f57
MD5 hash:
19008dabdac3c666e9006648027c4754
SHA1 hash:
6a054be41ac9a5badab8d38552b8703c12b33cca
Link:
https://www.unpac.me/results/078a0bc1-5a46-4ee3-a3ba-b790bd34cf1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b10274561191cedb0b16d2a69fdcd4e5062edfe2621842eacd55945ffded3f57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments