MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1800c7c08af465ceebe146c259576b81ecb4e6c20b2ffcfee24ef5c37843e77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1800c7c08af465ceebe146c259576b81ecb4e6c20b2ffcfee24ef5c37843e77
SHA3-384 hash: 66e3ac5d76a6ae34502cefd78611e9d20bdf78addaeacd7e51a083276e60d93cf8acb4d2ceb945de64b950f26c145a52
SHA1 hash: 547030b05a4bc764ef23d057827f2d920db6152b
MD5 hash: 8cad0eedc5d09fc7297388d2aeee0411
humanhash: yankee-green-golf-march
File name:8cad0eedc5d09fc7297388d2aeee0411.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'312'512 bytes
First seen:2022-02-08 01:34:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 98304:wQjYSxM6a4z5SqM+DahbZJXrdF+jIZNQwDqRNtViaY5b6+:w8xM6hVSqzehbZJJMcZNQ4SY5
Threatray 4'330 similar samples on MalwareBazaar
TLSH T1B8366B75F6C5D2FFF6B45AC26938C998C48FBC83B984AD4E2C6221CD18946C1D7E7848
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.140.113.76:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.140.113.76:80 https://threatfox.abuse.ch/ioc/381622/

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/237364/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.9657.10009.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Creating a file
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/6201c8cec79b424d7206dd87/reports/0c29d954-be5a-4dc6-8e62-ee1890dfa9fd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/503b50c7-39d7-49b8-be6a-7d7ecf5583bf
Result
Threat name:
RedLine Socelars onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935669
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates processes via WMI
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 568148 Sample: 5paOkfbgoe.exe Startdate: 08/02/2022 Architecture: WINDOWS Score: 100 46 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->46 48 162.159.129.233, 443, 49767, 49772 CLOUDFLARENETUS United States 2->48 50 3 other IPs or domains 2->50 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 13 other signatures 2->72 8 5paOkfbgoe.exe 15 2->8         started        signatures3 process4 file5 38 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\lingzhang.exe, PE32 8->40 dropped 42 C:\Users\user\AppData\Local\Temp\inst1.exe, PE32 8->42 dropped 44 11 other files (10 malicious) 8->44 dropped 11 inst1.exe 8->11         started        14 askinstall63.exe 8->14         started        17 LightCleaner2352312.exe 14 4 8->17         started        20 4 other processes 8->20 process6 dnsIp7 74 Antivirus detection for dropped file 11->74 76 Machine Learning detection for dropped file 11->76 78 Contains functionality to infect the boot sector 11->78 86 2 other signatures 11->86 56 iplogger.org 148.251.234.83, 443, 49760, 49763 HETZNER-ASDE Germany 14->56 58 www.listincode.com 149.28.253.196, 443, 49758 AS-CHOOPAUS United States 14->58 80 May check the online IP address of the machine 14->80 60 presstheme.me 172.67.201.63, 443, 49773 CLOUDFLARENETUS United States 17->60 26 67b1a275-30bf-466b-83d2-eca545e36369.exe, PE32 17->26 dropped 82 Multi AV Scanner detection for dropped file 17->82 62 195.189.226.81 OMNILANCEhttpomnilancecomUA Ukraine 20->62 64 files.fastbestapp.com 104.21.60.62, 443, 49762 CLOUDFLARENETUS United States 20->64 28 C:\Users\...\Routes License Agreement.exe, PE32 20->28 dropped 30 C:\Users\user\AppData\Local\...\System.dll, PE32 20->30 dropped 32 C:\Users\user\AppData\Local\...\INetC.dll, PE32 20->32 dropped 34 C:\Users\...\Routes%20Installation[1].exe, PE32 20->34 dropped 84 Creates processes via WMI 20->84 22 lingzhang.exe 2 20->22         started        file8 signatures9 process10 dnsIp11 52 104.21.40.196, 443, 49759 CLOUDFLARENETUS United States 22->52 54 v.xyzgamev.com 172.67.188.70, 443, 49755 CLOUDFLARENETUS United States 22->54 36 C:\Users\user\AppData\Local\Temp\db.dll, PE32 22->36 dropped file12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1800c7c08af465ceebe146c259576b81ecb4e6c20b2ffcfee24ef5c37843e77/
Threat name:
ByteCode-MSIL.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2022-02-05 17:06:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
36 of 42 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgaay7aiv5dfz3v6crwclflwxapmwttmeczp7t7oetxvyn4ehz3q._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a
RedLineStealer
1e4b2af07cb9e6478dbf5051e1839a1f944e950a6f2dbadc94446928e46e7d45
RedLineStealer
1e769ecd87928bf1e50a23f6e159c7326a1c6724f66e53d0f3d920784bb15257
RedLineStealer
51e380e872b007b342e94119d6665cc15ce492964c82799117e50e2f103a5ac3
RedLineStealer
5aeeb53a492389bfaaa1a2d15b98324c159ded6cd2e55dd67efb3eba6e4ee270
RedLineStealer
6104f2b4049168fea236bb6a5b9a5194b878b61f87336eafb0fe5a5fab93144b
RedLineStealer
8eb464ddff8d1b4844641e7e1eefdcb9cd5830a3e63d19fe0c061db6a21b4405
RedLineStealer
b2e7eea64a4e8e56b43cf70b5b383ce06b0d43757d143a95b31ea9c8db6ac5a2
RedLineStealer
+ 4'320 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:onlylogger family:redline family:socelars family:xmrig botnet:pablicher botnet:test1 discovery infostealer loader miner spyware stealer
Link:
https://tria.ge/reports/220208-bzqh8sbgb5/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
XMRig Miner Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Malware Config
C2 Extraction:
http://www.tpyyf.com/
185.215.113.10:39759
disandillanne.xyz:80
Unpacked files
SH256 hash:
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
MD5 hash:
2b342079303895c50af8040a91f30f71
SHA1 hash:
b11335e1cb8356d9c337cb89fe81d669a69de17e
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
3cc9f00748917e25208d9c79a527208f96732ca54e9b3e01e18b6cae7c0c6f53
MD5 hash:
a9f1c095a080df7a008fd2b04f57c73b
SHA1 hash:
c7096f65671d61d9ddd8c5ae39103fdef40c850e
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
7fc7da02d4981d221c0cab839e570cb3efcd493a8614b279d3e0fbc7b11ea821
MD5 hash:
df55d8a062d7586f86aca724860b4910
SHA1 hash:
9eb8e378d1367f2e6b058cba805f7624cae2cd9d
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
b355e88f12ee6f3c20818c316372b9571ae9c27344ec4a37aca6a69e63c884e8
MD5 hash:
e68029a00006f6f18d519b5e8942ab64
SHA1 hash:
3b4ec671a7b015ead9aac62dd169f8202df4c9d7
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
c7a6f348b773167092b2ed297738bb2b59626b763ca57d5f1d8d638739008c45
MD5 hash:
d10e7015b72a02547055e0ab25c6b42b
SHA1 hash:
890d267b16afbc51a0aa8c19e27668f316114e7b
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
22da836421d0b9a7e53ec600647675c3136e83a6fcac0ee2077a2145e3abfb9c
MD5 hash:
e1bad62323481a431c80d80689c3370e
SHA1 hash:
608db08fd6f8acf951fa3b1a5d8939e7f0009e26
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
e0c05584bbe479fe3ca5bab69b8a771e134f98673318a1410cab0afda9d7191d
MD5 hash:
005ea5464174c96ca4fdbe4caad19c57
SHA1 hash:
3f3c54bbcc8c856c8957187378f0594ba09b70c9
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
f8b20fe707177a48e2dd25df0c24733f9b7707270ee09b2c0ae3794df06e81db
MD5 hash:
99881dff9928e53d0b65d8174212d75d
SHA1 hash:
d4b4889676a5a8e3024bfae56c446e9250c8845b
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
64c3ba6d9901d646fca4c4a6abe61d0600d2fae72e022866a58a5da8ba491681
MD5 hash:
5a940f37dbd4b2a11cbad4e6d2894362
SHA1 hash:
be6de46fbdfdbaf55ce4a8b019ec6a977451a383
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
cad945acf0a184ccbaba2f75e76ddd7f7b233845600aeb5830288f2a1f43357b
MD5 hash:
258b1f4b9b3e8238c677756c45b227dd
SHA1 hash:
bc4de5d2c5cd99d68dab277a46e8f2b77f9dace4
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
3640846fcc2dc7313aa008e5063023092ef9b421f304c81c073a3425cd9749ba
MD5 hash:
6553756abb2214b665320f2020699747
SHA1 hash:
7b5a3a057c7aa75cb2356761b65aec8495f9de20
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
3a186d2cb0f5c7313ce70335bf022a8ad0d5f2a0c78afdc803bae5805b7c6e70
MD5 hash:
253d21cd11dd8ad4830fa5e523754b4d
SHA1 hash:
66b0e2e1978186cec8ed9b997dca2e7689c315f7
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
8dd5136b976d4fdfa0b1ff685f78806123f1bcf781fc2e39904f0530bc11112d
MD5 hash:
1108c7f8925586a62a3ce9972afb0c97
SHA1 hash:
2002d5a140c853ff6b16de5f25431771175f948e
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
fb2f8d2b306e30d1a334bc27876393ecfe59af959ee02014d42e1a9a430fd52e
MD5 hash:
67e3312d1f412ae8098ce721bba049e2
SHA1 hash:
067b08fc2ee3308ef03b54db42a14f20df18c1fe
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
84bc10f1bffe5ea780dcdb912a71561d5df68553467ef4ee79224e6bca281567
MD5 hash:
2f2a49d381d18358d7a34aaf8dc50b2e
SHA1 hash:
051ae304b8e4bc64078d9d4a788f6580f79cfe2c
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
64e3f1eb536ea95e04f79f062b36a0485c07416aadd2bab92a6b3f2e7b16683e
MD5 hash:
4c148698904bff7a667e9fb7e4cf7039
SHA1 hash:
16006b5c68b2dff07ffdd1efd83ad8c7c797006b
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
38b34afd3b43deb2900c8b55760736cc38e0c966f38e84d4e75f723dced38aa5
MD5 hash:
068bf9ef1edc6b598aa13f39dd268b7b
SHA1 hash:
82865b830ea175783fb1ec22d856972049cb5d7b
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
c6dd80a44d83ba70a152239abf7847acaabb66c3b7b55e45a57f310c667ae259
MD5 hash:
42b5f266bfe4de015b081e601d8631f0
SHA1 hash:
f4a36e1847e76e321efbdbeb55566cfef5d4584a
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
SH256 hash:
b1800c7c08af465ceebe146c259576b81ecb4e6c20b2ffcfee24ef5c37843e77
MD5 hash:
8cad0eedc5d09fc7297388d2aeee0411
SHA1 hash:
547030b05a4bc764ef23d057827f2d920db6152b
Link:
https://www.unpac.me/results/bf05524b-b7f4-4264-8288-61c5253cca79/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/237364/

Comments