MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4a1afa93c65eba3ab6efeb4624dcc8d65dbdefefe682bb26a1e2d9aa94415bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 13

SHA256 hash: b4a1afa93c65eba3ab6efeb4624dcc8d65dbdefefe682bb26a1e2d9aa94415bd
SHA3-384 hash: 8850e96caa2cd33f4d5528a5edc496100b26d558fa2656db861155db5330f7504a924c3d02931b2a22157d46834339fc
SHA1 hash: 4d0514a2da8278af75ef6cef61c045ef1fc75841
MD5 hash: 6cc8cc6b06447c3e62aee854db3ecab1
humanhash: alanine-triple-monkey-massachusetts
File name: B4A1AFA93C65EBA3AB6EFEB4624DCC8D65DBDEFEFE682.exe
Signature: RedLineStealer
File size: 4'077'673 bytes
First seen: 2021-11-19 23:30:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:J2XOyshN9u47aBGnCWLHSe4dLWgwaTToYPZ1iQaRgNYdy7QC6IF8x:JcU7u9oCs9qygw0ToeWxzdWXU
Threatray 1'044 similar samples on MalwareBazaar
TLSH T1741633CD6BAA7A4EE1F61BB59F3017F4517BF3658FC9C3A20341992469613E00A0B3E5
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer

abuse_ch
RedLineStealer C2:
77.232.40.51:20166

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
77.232.40.51:20166    https://threatfox.abuse.ch/ioc/251021/

Intelligence

File Origin
# of uploads: 1
# of downloads: 163
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: B4A1AFA93C65EBA3AB6EFEB4624DCC8D65DBDEFEFE682.exe
Verdict: No threats detected
Analysis date: 2021-11-19 23:47:51 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Launching a tool to kill processes
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed virus
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Generic malware RedLine SmokeLoader Soce
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara Genericmalware
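Several of the signatures above (the Sigma hits for a PowerShell Defender exclusion, mshta spawning a shell and script execution from the Temp folder, the registry-based real-time protection switch-off, and the taskkill stage) are the kind of host behaviour a responder can hunt for in process-creation telemetry without the sample itself. The following is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page: one small rule per behaviour, run over Sysmon Event ID 1 style records. The field names (Image, ParentImage, CommandLine), the exact registry path used for the real-time protection value, and every event in SAMPLE_EVENTS are constructed for the example; they are modelled on the process chain reported above, not copied from the sample's telemetry.

```python
"""Hunting rules for the host behaviours reported in this entry.

Added example, not MalwareBazaar or sandbox code. Each rule mirrors one of
the sandbox findings above: a PowerShell Defender exclusion, real-time
protection disabled through the registry, mshta.exe spawning a shell, an
EXE/script run from %TEMP%, and cmd.exe driving taskkill. The events are
Sysmon Event ID 1 style records constructed for this example.
"""
import re

# EXE/script path under %TEMP%; case-insensitive so the dropper's "09xU.exE"
# spelling is caught as well as the usual lower-case extension.
TEMP_RE = re.compile(
    r'''\\appdata\\local\\temp\\[^\s"']+\.(?:exe|bat|cmd|vbs|js|hta|ps1)\b''', re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion(ev):
    """PowerShell adding a Defender exclusion (Sigma: Powershell Defender Exclusion)."""
    cl = ev["CommandLine"].lower()
    return (_base(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and "add-mppreference" in cl and "-exclusion" in cl)


def defender_rt_disabled(ev):
    """Real-time protection turned off via reg.exe or Set-MpPreference."""
    cl = ev["CommandLine"].lower()
    return ("disablerealtimemonitoring" in cl
            and (_base(ev["Image"]) == "reg.exe" or "set-mppreference" in cl))


def mshta_spawns_shell(ev):
    """mshta.exe as parent of cmd/powershell (Sigma: MSHTA Spawning Windows Shell)."""
    return (_base(ev["ParentImage"]) == "mshta.exe"
            and _base(ev["Image"]) in ("cmd.exe", "powershell.exe", "pwsh.exe"))


def exec_from_temp(ev):
    """Image or command line refers to an EXE/script under %TEMP%."""
    return bool(TEMP_RE.search(ev["Image"]) or TEMP_RE.search(ev["CommandLine"]))


def taskkill_from_shell(ev):
    """taskkill launched by cmd.exe, as in the batch stage in the graph above."""
    return _base(ev["Image"]) == "taskkill.exe" and _base(ev["ParentImage"]) == "cmd.exe"


RULES = {
    "defender_exclusion": defender_exclusion,
    "defender_rt_disabled": defender_rt_disabled,
    "mshta_spawns_shell": mshta_spawns_shell,
    "exec_from_temp": exec_from_temp,
    "taskkill_from_shell": taskkill_from_shell,
}


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed events (not sample telemetry), following the reported chain:
# Defender exclusion -> RT protection off -> mshta > cmd > Temp EXE + taskkill.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r'powershell -WindowStyle Hidden Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\09xU.exE"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Users\user\AppData\Local\Temp\09xU.exE",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\09xU.exE"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /f /pid 1234"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                       # benign
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell Get-MpPreference"},                  # benign
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately narrow (a specific parent/child pair, a specific cmdlet) rather than keyword grep, which keeps the benign Get-MpPreference and svchost events silent; the Temp-folder rule fires twice on the constructed chain because both the cmd.exe command line and the child's Image point at the dropped file, which is the expected shape for this dropper.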
Behaviour
Behavior Graph (ID 525448; sample B4A1AFA93C65EBA3AB6EFEB4624...; start date 20/11/2021; architecture WINDOWS; score 100). The graph image itself does not survive extraction; the process tree, dropped files, contacted hosts and per-node signatures recovered from it are listed below.

Top-level network: 52.182.143.212 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 118.33.109.122 (KIXS-AS-KRKoreaTelecomKR, Korea Republic of)
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 22 other signatures

B4A1AFA93C65EBA3AB6EFEB4624DCC8D65DBDEFEFE682.exe
  dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  > setup_installer.exe
      dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\Mon00f7a983c912.exe (PE32); C:\Users\user\AppData\...\Mon00e90248133.exe (PE32); 15 other files (10 malicious)
      > setup_install.exe
          network: 127.0.0.1; hsiens.xyz
          signatures: Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender
          > cmd.exe > Mon00f7a983c912.exe
              signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 4 other signatures
          > cmd.exe > Mon006e0c9e4e.exe
              network: 45.144.225.243 (DEDIPATH-LLCUS, Netherlands); 212.193.30.29 (SPD-NETTR, Russian Federation); 5 other IPs or domains
              dropped: C:\Users\...\eFtQRm97xNZ8QJwbbeCzjifw.exe (PE32+); C:\Users\user\...84iceProcessX64[1].bmp (PE32+)
              signatures: Multi AV Scanner detection for dropped file; Disable Windows Defender real time protection (registry)
          > cmd.exe > Mon000eb84e5bb87a8eb.exe > mshta.exe > cmd.exe
              dropped: C:\Users\user\AppData\Local\Temp\09xU.exE (PE32)
              > 09xU.exE
                  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                  > mshta.exe
              > conhost.exe
              > taskkill.exe
          > 11 other processes
              signatures: Adds a directory exclusion to Windows Defender
              > Mon0043022f9dc5.exe > Mon0043022f9dc5.exe
                  network: 45.142.215.47 (CLOUDSOLUTIONSRU, Russian Federation)
              > Mon00e90248133.exe
                  network: 2 other IPs or domains
                  signatures: May check the online IP address of the machine
              > Mon00c91c19de7f75af.exe
                  network: 2 other IPs or domains
                  signatures: Creates HTML files with .exe extension (expired dropper behavior)
              > 7 other processes
                  network: ip-api.com (208.95.112.1, ports 49725 -> 80, TUT-ASUS, United States); 7 other IPs or domains
                  dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
                  signatures: Tries to harvest and steal browser information (history, passwords, etc); Sample uses process hollowing technique; Creates processes via WMI; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
rundll32.exe > rundll32.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
WmiPrvSE.exe
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-10-11 16:10:10 UTC
AV detection: 20 of 27 (74.07%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:ani botnet:media8 botnet:she aspackv2 backdoor discovery evasion infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
135.181.129.119:4805
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
91.121.67.60:2151
45.142.215.47:27643
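The C2 list above mixes two indicator shapes, bare ip:port sockets and HTTP panel URLs, and a practitioner usually wants to sweep proxy and flow logs for both at once. The block below is an added example, not MalwareBazaar or ThreatFox tooling: it parses the "C2 Extraction" text verbatim, then matches constructed Zeek-style conn.log and http.log records against it with two confidence tiers (exact socket or host-plus-path on one side, bare IP or bare host on the other). The log records are made up for the example and are not traffic from the sample; 208.95.112.1 is ip-api.com, the public geolocation service the sandbox saw the sample query, and it is deliberately included so the matcher can be seen ignoring it.

```python
"""Match network telemetry against the C2 indicators extracted for this entry.

Added example; it is not MalwareBazaar or ThreatFox tooling. The indicator
text is copied verbatim from the "C2 Extraction" block above and mixes
RedLine-style ip:port sockets with HTTP panel URLs. The log records are
constructed Zeek-style conn.log / http.log entries, not sample traffic.
"""
import ipaddress
from urllib.parse import urlsplit

C2_EXTRACTION = """
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
135.181.129.119:4805
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
91.121.67.60:2151
45.142.215.47:27643
"""


def parse_indicators(text):
    """Split the list into sockets {(ip, port)} and URL hosts {host: path prefix}."""
    sockets, urls = set(), {}
    for token in text.split():
        if "://" in token:
            u = urlsplit(token)
            urls[u.hostname.lower()] = u.path or "/"
        else:
            ip, port = token.rsplit(":", 1)
            # ip_address() raises on a typo instead of producing a silent non-match
            sockets.add((str(ipaddress.ip_address(ip)), int(port)))
    return sockets, urls


def match_conn(rec, sockets):
    """conn.log record -> 'high' on an exact ip:port hit, 'medium' when only the
    IP is known (the port may differ from the one in the config), else None."""
    ip, port = rec["id.resp_h"], int(rec["id.resp_p"])
    if (ip, port) in sockets:
        return "high"
    if any(ip == known_ip for known_ip, _ in sockets):
        return "medium"
    return None


def match_http(rec, urls):
    """http.log record -> 'high' when Host matches and the URI sits under the panel
    path, 'medium' when only the host matches, None when the host is unknown."""
    prefix = urls.get(rec["host"].lower())
    if prefix is None:
        return None
    return "high" if rec["uri"].startswith(prefix) else "medium"


def hunt(conn_log, http_log, text=C2_EXTRACTION):
    """Return (log, index, confidence, indicator) tuples for every matching record."""
    sockets, urls = parse_indicators(text)
    hits = []
    for i, rec in enumerate(conn_log):
        conf = match_conn(rec, sockets)
        if conf:
            hits.append(("conn", i, conf, f'{rec["id.resp_h"]}:{rec["id.resp_p"]}'))
    for i, rec in enumerate(http_log):
        conf = match_http(rec, urls)
        if conf:
            hits.append(("http", i, conf, rec["host"]))
    return hits


# Constructed records. 208.95.112.1:80 / ip-api.com is the geolocation lookup
# seen in the graph above, not an indicator, and must stay silent.
CONN_LOG = [
    {"id.resp_h": "45.142.215.47", "id.resp_p": 27643},   # listed socket
    {"id.resp_h": "45.142.215.47", "id.resp_p": 443},     # same IP, other port
    {"id.resp_h": "208.95.112.1", "id.resp_p": 80},       # ip-api.com
    {"id.resp_h": "135.181.129.119", "id.resp_p": 4805},  # listed socket
]
HTTP_LOG = [
    {"host": "www.iyiqian.com", "uri": "/"},      # listed panel, root path
    {"host": "mile48.com", "uri": "/upload/"},    # listed panel path
    {"host": "camasirx.com", "uri": "/"},         # known host, outside /upload/
    {"host": "ip-api.com", "uri": "/"},           # not an indicator
]

if __name__ == "__main__":
    for hit in hunt(CONN_LOG, HTTP_LOG):
        print(*hit)
```

Hosts are compared exactly, so the "www." prefix on the first four panel URLs must be present in the Host header for a high-confidence hit; the ThreatFox IOC reported at the top of this entry (77.232.40.51:20166) has the same ip:port shape and can simply be appended to the text passed to hunt().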
Unpacked files
SHA256 hash:
b3ebe2d73a6d2b289eb9076a94e1080d095cd3dfa0eb28d000ff9ea495ec286d
MD5 hash:
0bf74c3c12256fbe7ddc9ef82550c5ec
SHA1 hash:
9125023250645cbe4aaa5237b2ee2690bdb6167d
SHA256 hash:
0e2e68dc9724fc97647db64d367e7eed6ecf41b6cfe23fef257260607f86445d
MD5 hash:
91220afa4a880b7fb2d1b6a5117bf30d
SHA1 hash:
486b03728efe58dfbe19078bceb412e43eb153dd
SHA256 hash:
4d122504d709e4b3c9bf75835b9453aab45dc8fc748f2745e5ad31c6ba09cf92
MD5 hash:
f9d11f710246b5647625e117f42deb2a
SHA1 hash:
b37aa574bc9b6661bb1967d266b358caab2aa591
SHA256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
SHA256 hash:
b1792b96ee1599053169c723ef3847f150fb3a6cbd7f6e49f0c7980e56f17ec0
MD5 hash:
782464a630ee6593821219958720db3e
SHA1 hash:
c46ee1af2bd512533f1cd26337e73e0ccb18f57f
SHA256 hash:
afb4237d812f9a839e8ad5da6b955bac9d812307eca183fe14cd58f95f8d3ae4
MD5 hash:
0890f91b1f94b5e55e621672edc5d25c
SHA1 hash:
ba2a0894d7d6ed7144ee5adbbd6d93d2addf9a52
SHA256 hash:
02dfd4871b7260274e959ee7bcab1993c79aac190ca2857717e6527abaad5c4c
MD5 hash:
0c99817864dfe7ca4d95b7b58709c8a2
SHA1 hash:
b4c3b80448c9059f4331870435f663c05b41e3b2
SHA256 hash:
c8afcdf046c8f341ba02dc56abaa08b4b7cc0df34087c22d11236d16011eb3e6
MD5 hash:
5f2ddd37132f21311b5cc07f94952faf
SHA1 hash:
9af762055be8491978955640a56b58a9b2ad488c
SHA256 hash:
bc6dfe9ae53c745b83810c092635dee8d3a5e58fda2e91552cc5683399568c09
MD5 hash:
8c9e935bccc4fac6b11920ef96927aac
SHA1 hash:
38bd94eb5a5ef481a1e7c5192d9f824b7a16d792
SHA256 hash:
e35dece79379cdcec131c5d9011866938026a92491d487718024e8d546369614
MD5 hash:
972b3349353926321177ae9bbaaa9755
SHA1 hash:
1ff31fe503e0c3464e8854e9a8d6fa68d2b87160
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash:
ca367012ebf8a17e84253413281d5e72
SHA1 hash:
9db93109d5bfb255c1997e422a2538beefdbb36e
SHA256 hash:
51083f1071cc6c67bc643417a0be92c3190a044f6cb0d913bb8afb01adc08f3f
MD5 hash:
59073d016866002414aa2c915f8d1f6e
SHA1 hash:
dc285bc11154c5d4b932514934bd16c71b2a3938
SHA256 hash:
d95b8e2d8bf52369a369cf6ee5366297a8984380210d7eea29a82cf53b8501fa
MD5 hash:
4da644a647b164089629ff894110d9cf
SHA1 hash:
8f29d97853790d852203c0921c39609ee8c6b27e
SHA256 hash:
642f5d31e9797e4509429807009ee2871ac9826b5b513ff229956a3d87ed1f8e
MD5 hash:
488029d7287523022a3a3c0fad808e36
SHA1 hash:
1f28a900f11d99b0f6e65cf3b1e63b0bd22f45db
SHA256 hash:
39528ad974cabd1943a3e3ca395bc886f68625876add8fe9a61b9f700b7b649d
MD5 hash:
456275dff10bfd657a3e7ce65f3b4ca3
SHA1 hash:
00372540f2730ac08e63222c6868fb3351d62dea
SHA256 hash:
ea16b3dfffb24edc39e278fa7c38dff28958ddfc66ccca68ac23e25ce1d6379d
MD5 hash:
41a2fa82cd8f255adb5629358edc2ea1
SHA1 hash:
cd8fe2385c5faf0c1c4d808bf98a024312e1cfdf
SHA256 hash:
b332351cb20cf795a993e7ae632d4c7f1e45197f02cf4530fa3fe1fb65f467e3
MD5 hash:
448fe339aaa2ccc933f2779f01136da3
SHA1 hash:
5bdf755e61a0cf82791eddf9fb6699c8c2abff34
SHA256 hash (the submitted sample itself):
b4a1afa93c65eba3ab6efeb4624dcc8d65dbdefefe682bb26a1e2d9aa94415bd
MD5 hash:
6cc8cc6b06447c3e62aee854db3ecab1
SHA1 hash:
4d0514a2da8278af75ef6cef61c045ef1fc75841
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments