MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdf727b2ac0b42a955c4744bf7768cbb9fa67167321e4fb5639ee5529ccbcfa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

SHA256 hash: bdf727b2ac0b42a955c4744bf7768cbb9fa67167321e4fb5639ee5529ccbcfa4
SHA3-384 hash: 5f26c47bc58a15177c282845fed43ae8aa31d8737cfd5dce9744ec37ef7456ab99c461cc320f70f44701fc3580ec1741
SHA1 hash: 7672d32df39901c605987f877494f977aab62be3
MD5 hash: 9c7f6d97e7dc008682f6761744de856a
humanhash: moon-blue-wolfram-lamp
File name: 9C7F6D97E7DC008682F6761744DE856A.exe
Signature: RedLineStealer
File size: 4'555'976 bytes
First seen: 2021-08-13 07:56:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xbCvLUBsgdN9yCAyppAGxBjWwjdo9dJmcX9kEVowd:xgLUCgdN06pZ2wjdVql6e
Threatray: 308 similar samples on MalwareBazaar
TLSH: T18326331437D284F3DA51B034CB841B7BA5BEC32D1B26C5DF376093165F66692E82FA0A
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://ggc-partners.info/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                    ThreatFox Reference
http://ggc-partners.info/decision.php  https://threatfox.abuse.ch/ioc/184302/
185.53.46.25:18856                     https://threatfox.abuse.ch/ioc/184311/
65.21.228.92:46802                     https://threatfox.abuse.ch/ioc/184313/
http://45.67.231.40/                   https://threatfox.abuse.ch/ioc/184315/

Intelligence

File Origin
# of uploads: 1
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID: 464647; sample: KmbMxuUOvr.exe; start date: 13/08/2021; architecture: WINDOWS; score: 100)

Start node
  Network: 208.95.112.1 TUT-ASUS United States; 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 5 other IPs or domains
  Signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 11 other signatures
  Started: KmbMxuUOvr.exe

KmbMxuUOvr.exe
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 3 other files (none is malicious)
  Started: setup_install.exe

setup_install.exe
  Network: 104.21.54.206 CLOUDFLARENETUS United States; 127.0.0.1 unknown unknown
  Dropped: C:\Users\user\AppData\...\f65dc44f3b4.exe (PE32); C:\Users\user\AppData\...\bf2e8642ac5.exe (PE32); C:\Users\user\AppData\...\b5203513d7.exe (PE32); 7 other files (5 malicious)
  Started: cmd.exe (three instances); 4 other processes

cmd.exe -> aae15d524bc2.exe
  Network: 37.0.10.236 WKD-ASIE Netherlands; 37.0.11.8 WKD-ASIE Netherlands; 13 other IPs or domains
  Dropped: C:\Users\...\tH13wZdJ3lFp5nXKP52uUWdm.exe (PE32); C:\Users\...\t3iQIIlAaLLvQt_lioKOiAsv.exe (PE32); C:\Users\...\pnMe_4vzY30OZEJfwcnNcICg.exe (PE32); 33 other files (32 malicious)
  Signatures: Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)

cmd.exe -> f65dc44f3b4.exe
  Signatures: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)

cmd.exe -> bf2e8642ac5.exe
  Network: 88.99.66.31 HETZNER-ASDE Germany; 144.202.76.47 AS-CHOOPAUS United States
  Signatures: Antivirus detection for dropped file

4 other processes -> 5f9a813bc385231.exe
  Signatures: Creates processes via WMI
  Started: 5f9a813bc385231.exe (second instance)
    Network: 104.21.70.98 CLOUDFLARENETUS United States
    Dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)

4 other processes -> 745d0d3ff9cc2c3.exe
  Network: 74.114.154.22 AUTOMATTICUS Canada; 176.123.2.239 ALEXHOSTMD Moldova Republic of
Threat name: Win32.Spyware.Socelars
Status: Malicious
First seen: 2021-08-09 17:03:36 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar family:xmrig botnet:706 botnet:7new botnet:916 aspackv2 backdoor discovery evasion infostealer miner persistence spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
xmrig
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/
Unpacked files

SHA256 hash: 76fd57122331c7e402c7ab4a48bb9a86529641200f391241e20f31232e5f439b
MD5 hash: 922068b48ff8abb7e513a724443c1f62
SHA1 hash: fef5db5322dae45dade837d28a2ad1aa159c74b9

SHA256 hash: a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash: 117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash: ff07b1fcc58aa62b42d797981e0d953d9f9e0120

SHA256 hash: b151ffd0f57b21600a05bb28c5d1f047f423bba9750985ab6c3ffba7a33fa0ff
MD5 hash: fcd4dda266868b9fe615a1f46767a9be
SHA1 hash: f5d26b20ebdcd2f48ebbccff80b882ea2fa48e8c

SHA256 hash: dc5bbf1ea15c5235185184007d3e6183c7aaeb51e6684fbd106489af3255a378
MD5 hash: af56f5ab7528e0b768f5ea3adcb1be45
SHA1 hash: eaf7aefb8a730a15094f96cf8e4edd3eff37d8a1

SHA256 hash: 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash: 0965da18bfbf19bafb1c414882e19081
SHA1 hash: e4556bac206f74d3a3d3f637e594507c30707240

SHA256 hash: c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
MD5 hash: 13a289feeb15827860a55bbc5e5d498f
SHA1 hash: e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256 hash: 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash: 3263859df4866bf393d46f06f331a08f
SHA1 hash: 5b4665de13c9727a502f4d11afb800b075929d6c

SHA256 hash: 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2
MD5 hash: 2b32e3fb6d4deb5e9f825f9c9f0c75a6
SHA1 hash: 2049fdbbe5b72ff06a7746b57582c9faa6186146

SHA256 hash: a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
MD5 hash: 7aaf005f77eea53dc227734db8d7090b
SHA1 hash: b6be1dde4cf73bbf0d47c9e07734e96b3442ed59

SHA256 hash: b17c325b33fcf1e2689b31e50f4cb45fddad68d663c0fee76feee55e887aee98
MD5 hash: 9acdc8c62d100db63a6b19f376888ca9
SHA1 hash: 6f4d25444e4130a73aaa666d575ea4e734938b43

SHA256 hash: 7bb457875e5436b2e6703aaa702b789e7c1af90d568c140383eadc457058ab97
MD5 hash: acd57be332ae7c9c41a42d72b1b4993b
SHA1 hash: 1b5e9513d05e575c179601a4800e2803719f743b

SHA256 hash: c3a457d4a0e748212783e46367db84f9772cce3c4fff145a22828c8a65c1ef4b
MD5 hash: 614c2d185b8dd89e350a91f5c3ac8bf8
SHA1 hash: afeae9b4fec25afc5f3bfc21fbc5b5fe4d68513e
Detections: win_socelars_auto

SHA256 hash: 70df7f91664495824df62db7ae7c2f9ea4d48a9cd2b8a93ba593ef98f6c90f2c
MD5 hash: 4d7962edef14636563233ae53609b63a
SHA1 hash: 3db526b8f7cf93fcb4e3fa7aa253c22a9cdff14c

SHA256 hash: bdf727b2ac0b42a955c4744bf7768cbb9fa67167321e4fb5639ee5529ccbcfa4
MD5 hash: 9c7f6d97e7dc008682f6761744de856a
SHA1 hash: 7672d32df39901c605987f877494f977aab62be3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: RedOctoberPluginCollectInfo

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments