MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5b66ebc918b440dbe042fa1ac958ee4bc6a1bb2249a77d69d25d2c9ed4f6dc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	b5b66ebc918b440dbe042fa1ac958ee4bc6a1bb2249a77d69d25d2c9ed4f6dc1
SHA3-384 hash:	bf5ce8f49479b1205adfe0a00b764ecd2681c0e639c6a2fac7288fff9a0dfffcd44a71fa2757a8bbd5b5e6d1f17c9642
SHA1 hash:	10a4437551e846d5f7df9fe1ef7cc6c59d767421
MD5 hash:	db2432e8e08e1b6fd784c26b3a753115
humanhash:	mango-island-hydrogen-pasta
File name:	db2432e8e08e1b6fd784c26b3a753115.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	224'256 bytes
First seen:	2022-07-14 14:40:33 UTC
Last seen:	2022-07-14 22:01:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	55a2b5a2ae91031aec8b458899df3011 (3 x RedLineStealer)
ssdeep	3072:w0koBX5RSi1FUab5uNcpm3g0I9SAMlfhTqgsxkgaBChcpZa9uD6Vdyhk:NNNFUYU3gFodfKigafwVf
TLSH	T16324CF11B3D1D8B5E5122E300464D7A12B37FC125630950BEBA4EB6F1E7B7D0DABA31A
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea68c9ccc (15 x RedLineStealer, 13 x Smoke Loader, 5 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.143.137.67:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.143.137.67:80	https://threatfox.abuse.ch/ioc/837288/

Intelligence

File Origin

# of uploads :

# of downloads :

378

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2022-07-06 23:33:13 UTC

Tags:

evasion trojan socelars stealer loader rat redline ransomware stop opendir adfly setup clickhere

Link:

https://app.any.run/tasks/00fef74f-a433-49e9-9c3e-cb7520efa7fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/289128/

Detection(s):

Win.Malware.Azorult-9949206-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for synchronization primitives

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP POST request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware packed

Link:

https://www.filescan.io/uploads/62d02b0083ba16fee5c3ca13/reports/339b2682-7061-405d-804f-62a595a69678/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine, SmokeLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1031510

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5b66ebc918b440dbe042fa1ac958ee4bc6a1bb2249a77d69d25d2c9ed4f6dc1/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-07-09 12:50:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ww3g5perrnca3pqef6q2zfmo4s6gug5sesnhpvu5exjmt3kpnxaq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@kabanakusok discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220714-r2eshshaaj/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine payload

Malware Config

C2 Extraction:

62.204.41.144:14096

Unpacked files

SH256 hash:

ab100d1bc6b628f48de1adab04b59da226d65c4ba4d5af7173b4921cc9f2d446

MD5 hash:

59a3d7b09f551a490dd88749e8f31eb8

SHA1 hash:

9fdf35795532e1d709d574516d344ee99fbe7757

Detections:

win_smokeloader_a2

Link:

https://www.unpac.me/results/3c309f6a-7f56-4ba7-bdfd-274a2e18d07f/

Parent samples :

d1fa5637f95fbec5ba4e621bb526ed7eff4dc538eb419081402291bce997c497
dd44d033ae2e30cc21bd17c221031441e5b6a29b86f21b3eee82ee3bfad51278
b5b66ebc918b440dbe042fa1ac958ee4bc6a1bb2249a77d69d25d2c9ed4f6dc1
d19fbca31d4ebcdb686078457718e17a8954615d40f707aeb974694a8b10e655

SH256 hash:

b5b66ebc918b440dbe042fa1ac958ee4bc6a1bb2249a77d69d25d2c9ed4f6dc1

MD5 hash:

db2432e8e08e1b6fd784c26b3a753115

SHA1 hash:

10a4437551e846d5f7df9fe1ef7cc6c59d767421

Link:

https://www.unpac.me/results/3c309f6a-7f56-4ba7-bdfd-274a2e18d07f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b5b66ebc918b440dbe042fa1ac958ee4bc6a1bb2249a77d69d25d2c9ed4f6dc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/289128/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample