MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2e7eea64a4e8e56b43cf70b5b383ce06b0d43757d143a95b31ea9c8db6ac5a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 5 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2e7eea64a4e8e56b43cf70b5b383ce06b0d43757d143a95b31ea9c8db6ac5a2
SHA3-384 hash: 549ef4bc456f08ded354ff28c307550ad6d9bac26021b0a1c086f88a7b7e0d772c1d1b57ec3ef1d5f4749ee8ea9ada2c
SHA1 hash: d6ce17a13bed7f913c94be0a5ba343cb067cb745
MD5 hash: b1187fc9b34a62c13f8ace3b55b98463
humanhash: september-snake-music-bravo
File name:b1187fc9b34a62c13f8ace3b55b98463.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'849'372 bytes
First seen:2022-01-04 21:50:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:PbA37xJM9bRIDztjt59xGgdIAh2vhTrq4xzBB3LViBoQOF4/woBxoITcONijP:PbKM9bRIDpjdeAGq4t7LoU4/woPD3iz
TLSH T193D52362BBC16572EA310C364579AB24263DBC214FE0DB5B67C0062A9A35DC0F732F5B
File icon (PE):PE icon
dhash icon f0cccacaece4e0f0 (12 x RedLineStealer, 2 x GCleaner, 2 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.143.179.186:4633

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://116.202.186.120/ https://threatfox.abuse.ch/ioc/290704/
95.143.179.186:4633 https://threatfox.abuse.ch/ioc/290925/
185.151.240.132:33087 https://threatfox.abuse.ch/ioc/290926/
185.215.113.50:19704 https://threatfox.abuse.ch/ioc/290933/
34.223.113.1:12167 https://threatfox.abuse.ch/ioc/291051/

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b1187fc9b34a62c13f8ace3b55b98463.exe
Verdict:
Malicious activity
Analysis date:
2022-01-04 21:53:02 UTC
Tags:
evasion trojan rat redline stealer
Link:
https://app.any.run/tasks/5a8f79a7-2bb3-46ff-b0b7-8b9dfe67a562

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217324/
Detection(s):
Win.Malware.Clipbanker-9873068-0
Create hunting rule

Win.Malware.Generic-9873526-0
Create hunting rule

Win.Malware.Clipbanker-9874840-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
DNS request
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Sending an HTTP GET request
Creating a process with a hidden window
Searching for the browser window
Reading critical registry keys
Running batch commands
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker greyware mikey overlay packed
Link:
https://www.filescan.io/uploads/61d4c14a92bdc4b4077ed85c/reports/4847e954-ff77-49a7-ad71-64809922adb3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01531fb1-c9f6-4be8-b41d-a58eae233d52
Result
Threat name:
RedLine Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/915507
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 547985 Sample: VmIzagkjCN.exe Startdate: 04/01/2022 Architecture: WINDOWS Score: 100 87 149.154.167.99 TELEGRAMRU United Kingdom 2->87 89 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->89 91 2 other IPs or domains 2->91 129 Antivirus detection for URL or domain 2->129 131 Multi AV Scanner detection for dropped file 2->131 133 Multi AV Scanner detection for submitted file 2->133 135 14 other signatures 2->135 10 VmIzagkjCN.exe 1 28 2->10         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 file5 79 C:\Users\user\Desktop\askinstall492.exe, PE32 10->79 dropped 81 C:\Users\user\Desktop\Folder.exe, PE32 10->81 dropped 83 C:\Users\user\Desktop\Files.exe, PE32+ 10->83 dropped 85 4 other files (1 malicious) 10->85 dropped 19 File.exe 10->19         started        24 RobCleanerInstlSo22812.exe 10->24         started        26 Process.exe 10 10->26         started        30 6 other processes 10->30 28 WerFault.exe 13->28         started        process6 dnsIp7 93 185.215.113.208 WHOLESALECONNECTIONSNL Portugal 19->93 95 185.112.83.8 SUPERSERVERSDATACENTERRU Russian Federation 19->95 103 14 other IPs or domains 19->103 55 C:\Users\...\bNtOU58QVwbPGZlQIJECE4e0.exe, PE32+ 19->55 dropped 57 C:\Users\user\AppData\...\rtst1053[1].exe, PE32+ 19->57 dropped 59 C:\Users\user\AppData\...\install6[2].exe, PE32 19->59 dropped 69 32 other files (4 malicious) 19->69 dropped 137 Creates HTML files with .exe extension (expired dropper behavior) 19->137 139 Disable Windows Defender real time protection (registry) 19->139 32 conhost.exe 19->32         started        97 104.21.34.205 CLOUDFLARENETUS United States 24->97 61 f3190ac8-51f1-405f-b6b7-48de3efb24fa.exe, PE32 24->61 dropped 63 8ec1b4b4-d02d-4a79-bffb-639670b956ce.exe, MS-DOS 24->63 dropped 71 2 other malicious files 24->71 dropped 34 f3190ac8-51f1-405f-b6b7-48de3efb24fa.exe 24->34         started        65 C:\Users\user\AppData\Local\...\Processes.exe, PE32 26->65 dropped 37 Processes.exe 26->37         started        99 208.95.112.1 TUT-ASUS United States 30->99 101 45.136.151.102 ENZUINC-US Latvia 30->101 105 4 other IPs or domains 30->105 67 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 30->67 dropped 141 Creates processes via WMI 30->141 40 11111.exe 30->40         started        42 Folder.exe 30->42         started        45 chrome.exe 14 30->45         started        47 chrome.exe 30->47         started        file8 signatures9 process10 dnsIp11 115 Tries to harvest and steal browser information (history, passwords, etc) 34->115 117 Tries to evade analysis by execution special instruction which cause usermode exception 34->117 119 Tries to steal Crypto Currency Wallets 34->119 73 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 37->73 dropped 75 a0c34eca98414817b6...bbfcf35b.tmp (copy), PE32 37->75 dropped 121 Creates an autostart registry key pointing to binary in C:\Windows 37->121 123 Adds a directory exclusion to Windows Defender 37->123 125 Disables UAC (registry) 37->125 127 Drops PE files with benign system names 37->127 49 powershell.exe 37->49         started        51 powershell.exe 37->51         started        107 172.67.143.210 CLOUDFLARENETUS United States 42->107 77 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 42->77 dropped 109 148.251.234.83 HETZNER-ASDE Germany 45->109 111 172.217.168.1 GOOGLEUS United States 45->111 113 10 other IPs or domains 45->113 file12 signatures13 process14 process15 53 conhost.exe 49->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2e7eea64a4e8e56b43cf70b5b383ce06b0d43757d143a95b31ea9c8db6ac5a2/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-01 14:14:57 UTC
File Type:
PE (Exe)
Extracted files:
158
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wlt65jskj2hfnnb464fvwob44bvq2q3vpukdvfntd2u4rw3kywra._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:redline family:socelars botnet:faker discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/220104-1qgmeaheg4/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://www.yarchworkshop.com/
51.79.188.112:7110
Unpacked files
SH256 hash:
fdb18064670ddbc0bebd6b07ccee39eff7792084854efd72eaa52b5430df6e64
MD5 hash:
e5b4b592a7fdeb6313e0b4eb75bfaee1
SHA1 hash:
1d49594f3363cdf6c4500bbd3061cc8442646aa1
Link:
https://www.unpac.me/results/d14b3556-403e-4d27-ba87-fdab0dfc4510/
SH256 hash:
91df0d77d4d0028bd5930c8550a8b330a355f3fa524c254226377efd1e884f40
MD5 hash:
71573520048ef86308ebf0bd87855553
SHA1 hash:
b8cfd64d323899a304d43ae80374fc918e7d279e
Link:
https://www.unpac.me/results/d14b3556-403e-4d27-ba87-fdab0dfc4510/
SH256 hash:
ab2f03de3a4a257cde902b65bab2d1f2c04b6763b4d6c1cd2de4ba1e851a630a
MD5 hash:
a51c444d143628a09cd132f0fc8f7f57
SHA1 hash:
b6863aaf9bd2db22e51330b259f540f82c4c4cae
Link:
https://www.unpac.me/results/d14b3556-403e-4d27-ba87-fdab0dfc4510/
SH256 hash:
b696a116f1955982df56a4ac4eed6c91fe6839742eade0805733cf94022a62ca
MD5 hash:
fff2a80da07d1ec6891f8ecca7616369
SHA1 hash:
15263b4c110a01297d9d8523a3e5320f8eb75f5f
Link:
https://www.unpac.me/results/d14b3556-403e-4d27-ba87-fdab0dfc4510/
SH256 hash:
bb05ec4f6337a96592b38f6e94a5c0605353bf18929da07485ce6bcb7f9ddf7c
MD5 hash:
8e20aea5c972e0075c3f019c1f13f8e9
SHA1 hash:
f5f1d66d49050c5bd27288b6880096b51f231dfa
Link:
https://www.unpac.me/results/d14b3556-403e-4d27-ba87-fdab0dfc4510/
SH256 hash:
0a171a5922b856ead165ce5ee4da7be0e345c04ad5e0d7e8f1b461d6abdbf40b
MD5 hash:
93613173ea9923741121de33a85f9de6
SHA1 hash:
d39f946b44269c39326a0bfe839869c6d8080e37
Link:
https://www.unpac.me/results/d14b3556-403e-4d27-ba87-fdab0dfc4510/
SH256 hash:
0558d1be3ddc6f7df97cc8ac9c489c9db9bad8605f9158bd1b9d71d282c331e8
MD5 hash:
5463a44330247da71da8fb7acf726394
SHA1 hash:
91d47124406f33116c288d5c70bfd130754ae6e2
Link:
https://www.unpac.me/results/d14b3556-403e-4d27-ba87-fdab0dfc4510/
SH256 hash:
d6152e7130cf97fadc14da7ea88f7af4b23308000db15dd440d799813db7cd5b
MD5 hash:
79e750fc1c2dcb7f36d0ab69ecde5b74
SHA1 hash:
41a8a6fa135a6c57dfb7c07667769b113b2d3549
Link:
https://www.unpac.me/results/d14b3556-403e-4d27-ba87-fdab0dfc4510/
SH256 hash:
b2e7eea64a4e8e56b43cf70b5b383ce06b0d43757d143a95b31ea9c8db6ac5a2
MD5 hash:
b1187fc9b34a62c13f8ace3b55b98463
SHA1 hash:
d6ce17a13bed7f913c94be0a5ba343cb067cb745
Link:
https://www.unpac.me/results/d14b3556-403e-4d27-ba87-fdab0dfc4510/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2e7eea64a4e8e56b43cf70b5b383ce06b0d43757d143a95b31ea9c8db6ac5a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217324/

Comments