MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be2a74bc76e5429010ce7741e58aecc253a33e1dbd713d8b6f02a20545469502. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 2 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be2a74bc76e5429010ce7741e58aecc253a33e1dbd713d8b6f02a20545469502
SHA3-384 hash: 592ac6ef37e35e6372140cbb1f721c02ed275b374540ac252c05098c4d83a2a84712189904ce907fff5cf4fbf8583c41
SHA1 hash: cdfa4732308a0c0f6343c0d34ab27ec43c17877d
MD5 hash: 119501b9e0c53984d4af54644d7a7b47
humanhash: butter-oven-oven-hot
File name:BE2A74BC76E5429010CE7741E58AECC253A33E1DBD713.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'788'628 bytes
First seen:2022-02-16 22:06:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xACvLUBsgXreAEsdeIAi/SD4Cg8FMtsnEFH7f+++zzdJfmw9VtNlHOFNj:x9LUCgXreosqqD3g8FMtIef+++XD/Plo
Threatray 1'435 similar samples on MalwareBazaar
TLSH T1AE2633213BE2C5FAD6D11676AE4457B170F5C3880B3101E76B394B1C5E2D9DBE12AF22
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.140.114.68:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.140.114.68:80 https://threatfox.abuse.ch/ioc/388272/
65.108.101.231:14648 https://threatfox.abuse.ch/ioc/388273/

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLInjector03
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242077/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Socelars-9901323-1
Create hunting rule

Win.Packed.Socelars-9901325-1
Create hunting rule

Win.Malware.Socelars-9901376-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/620d758ea2660f3bb9ea0934/reports/c534cd1f-9de5-4f6a-9d7b-0203f94cf4af/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ecd9ad27-eea3-461b-af9f-d829e4e4d8d9
Result
Threat name:
CryptOne RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941225
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell File Write to Suspicious Folder
Submitted sample is a known malware sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected CryptOne packer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 573703 Sample: BE2A74BC76E5429010CE7741E58... Startdate: 16/02/2022 Architecture: WINDOWS Score: 100 105 staticimg.youtuuee.com 2->105 107 cdn.discordapp.com 2->107 133 Malicious sample detected (through community Yara rule) 2->133 135 Antivirus detection for URL or domain 2->135 137 Antivirus detection for dropped file 2->137 139 21 other signatures 2->139 15 BE2A74BC76E5429010CE7741E58AECC253A33E1DBD713.exe 21 2->15         started        signatures3 process4 file5 97 C:\Users\user\AppData\...\setup_install.exe, PE32 15->97 dropped 99 C:\Users\user\...\Sat18f5410f0ca93d9.exe, PE32 15->99 dropped 101 C:\Users\user\...\Sat18e6af7dc437574.exe, PE32 15->101 dropped 103 16 other files (11 malicious) 15->103 dropped 18 setup_install.exe 1 15->18         started        process6 signatures7 131 Adds a directory exclusion to Windows Defender 18->131 21 cmd.exe 1 18->21         started        23 cmd.exe 1 18->23         started        25 cmd.exe 1 18->25         started        27 6 other processes 18->27 process8 signatures9 30 Sat18a9bdb566040c.exe 21->30         started        33 Sat1819e93c397d13f9.exe 2 23->33         started        36 Sat18d6ee560b3d992.exe 25->36         started        143 Submitted sample is a known malware sample 27->143 145 Adds a directory exclusion to Windows Defender 27->145 39 Sat188f1247825719a84.exe 27->39         started        41 Sat18e19f824d8719329.exe 12 27->41         started        43 Sat18d57aef957b.exe 27->43         started        45 powershell.exe 25 27->45         started        process10 dnsIp11 147 Antivirus detection for dropped file 30->147 149 Multi AV Scanner detection for dropped file 30->149 47 mshta.exe 30->47         started        49 control.exe 30->49         started        51 conhost.exe 30->51         started        59 2 other processes 30->59 85 C:\Users\user\...\Sat1819e93c397d13f9.tmp, PE32 33->85 dropped 151 Obfuscated command line found 33->151 153 Machine Learning detection for dropped file 33->153 53 Sat1819e93c397d13f9.tmp 33->53         started        109 ip-api.com 208.95.112.1, 49742, 80 TUT-ASUS United States 36->109 111 staticimg.youtuuee.com 36->111 155 May check the online IP address of the machine 36->155 157 Tries to harvest and steal browser information (history, passwords, etc) 36->157 117 2 other IPs or domains 39->117 113 mas.to 88.99.75.82, 443, 49747 HETZNER-ASDE Germany 41->113 119 2 other IPs or domains 41->119 57 WerFault.exe 41->57         started        115 cdn.discordapp.com 162.159.130.233, 443, 49743, 49748 CLOUDFLARENETUS United States 43->115 121 2 other IPs or domains 43->121 file12 signatures13 process14 dnsIp15 61 cmd.exe 47->61         started        64 rundll32.exe 49->64         started        123 staticimg.youtuuee.com 53->123 125 safialinks.com 53->125 127 best-link-app.com 53->127 87 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 53->87 dropped 89 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 53->89 dropped 91 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 53->91 dropped file16 process17 file18 93 C:\Users\user\AppData\...\SkVPVS3t6Y8W.EXe, PE32 61->93 dropped 67 SkVPVS3t6Y8W.EXe 61->67         started        70 conhost.exe 61->70         started        72 taskkill.exe 61->72         started        129 Contains functionality to detect sleep reduction / modifications 64->129 signatures19 process20 signatures21 141 Antivirus detection for dropped file 67->141 74 mshta.exe 67->74         started        76 mshta.exe 67->76         started        process22 process23 78 cmd.exe 74->78         started        81 cmd.exe 76->81         started        file24 95 C:\Users\user\AppData\Local\Temp\FUEJ5.QM, PE32 78->95 dropped 83 conhost.exe 81->83         started        process25
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be2a74bc76e5429010ce7741e58aecc253a33e1dbd713d8b6f02a20545469502/
Threat name:
Win32.PUA.Installer
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 13:51:00 UTC
File Type:
PE (Exe)
Extracted files:
185
AV detection:
29 of 43 (67.44%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xyvhjpdw4vbjaegoo5a6lcxmyjj2gpq5xvyt3c3pakrakrkgsuba._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
06db093414f42d7669e57d31a8d563c71018e8d75c886244b77a6a9bc86b6fdb
RedLineStealer
0a7682c0607e0fcb3580d28aec0e3439d6eae0cde1ab3359832046f7f33cdb0f
RedLineStealer
1e4b2af07cb9e6478dbf5051e1839a1f944e950a6f2dbadc94446928e46e7d45
RedLineStealer
33330133ac2e1b2dfcbc12b66276a6a61f4c4572ad4de8675f8afdabfcbb3d43
RedLineStealer
6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3
RedLineStealer
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
RedLineStealer
7d11586c00eeb3c5a62f8924e862f4926e5c0632b1eb9e95008d91a5f689b1eb
RedLineStealer
98b744289399d40bee96ceada3e8a187627ca9d09e4815078b83762ae78cedfb
RedLineStealer
+ 1'425 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:socelars family:vidar botnet:706 botnet:jamesoldd aspackv2 evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220216-11mleaeggn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
185.138.164.159:23668
65.108.20.195:6774
https://mas.to/@killern0
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d
MD5 hash:
2c509753fac93810c09574a8b56af1e4
SHA1 hash:
e53da7ff5a9cfc3bda21794d639ed1f02cd7a881
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
2d6972efd78e2bdade5b20d8d177eba31c857bb92a4b398c1962e404e64fb366
MD5 hash:
211aef42a9ac56796e675c149b69f6fa
SHA1 hash:
e3ecad2364eb3eb92cbebe7fff2f32059052019e
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
cbf3eb5c4802bca3de9c0587f98e434d8c322483444f947a2f1067b2b7cac960
MD5 hash:
91b85ae5de976cf6cead4bc27a736bad
SHA1 hash:
e1628b046b0f75bffee36f2c2996233c2fe3c440
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
7df0b5b088a31bdc67ec27021db2d5989d6fc94b687a8c9ca2e99d37d48bcf7c
MD5 hash:
73b349cee038050c112cb9baade84a05
SHA1 hash:
6efb55d022314386d28dd1d3fa03d475f0ddf3fc
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
94fae713a65b2cb54e84400e7c5c22f4e193e0a1dbfbd8a0ea2bd60cf13d92e9
MD5 hash:
944328ba7cc84493fb508f4515ac9d4f
SHA1 hash:
5e34628d9ba5a6ab672dcc081c2a7eb9ef020c65
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
81c9ce3f22c269fa7b7301c17b3fade82ae24b90e856cf5b86c4ef5e8f7b983d
MD5 hash:
38908fefa78485ecce5ce95e15edaa37
SHA1 hash:
2743ba85bd28ad89d0de48bfc0073ea21f0d4dce
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
71b66f97103d3d513fff4e45e10bbf0d15351488b343d57c3d4417524634cf79
MD5 hash:
0a309e5f127e3814b9b46463940974d4
SHA1 hash:
0a3543477d94df69d51268316d7b0b506aad9e59
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
bc945e03237641e79cb1a9b5399fffafce68daa318430e959b701aa3f4628c05
MD5 hash:
5275ae278e347d83fb061a92e979fe86
SHA1 hash:
6c1118b87f366df72a25f1988f740ea6753984cd
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
cc40fc4502d705d9698fd9d9493efdd39f6fcd0f0e03678eef29773b80e51ff9
MD5 hash:
bf8b0c8e992a344ce312c8a939fa1c9e
SHA1 hash:
3e207a18a539ab6ec17737e6fe79562f59502718
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
2cf67278ce63932f7efabdee1be667555c408718fca6622de2456b8e59db69cf
MD5 hash:
7b9e5d37881a3e58e26e22c79de09d47
SHA1 hash:
0cf699c041c6f7ad485b77f25403776aab99c057
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
1778a6b25f9ac7d1bf1782d1196ac5254ed46e70033a38f391d02939d5b733da
MD5 hash:
3b32aabc7aad3bbfd7226cc614743f48
SHA1 hash:
ea748309ac48558506ddf93b45369b41f641126e
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
6362539c9fcc2cd9ee802a4f246c0b5f90c3275e055ecfc14b8a9a2b7d180a53
MD5 hash:
248ee7a5495716e855fe9989174454a7
SHA1 hash:
a9070253c04466462ee165b06a20a90e783b92cb
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
66d9e7d002b91df4aa572228d3c4a1d41997fff54555d0aa2e903f993f307814
MD5 hash:
17df2b7340cf3291107bfd454d0ca856
SHA1 hash:
00458e02751bb0e2cc268730a0cac2689249b1a7
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
b1920edd533a39e340a58a6e720a38b6fd703d91ec097b9f2b1a69ce9d7fbbf8
MD5 hash:
8b78a03d45ea20b55ad506929729ec1d
SHA1 hash:
c0c2b7ce1f68b41d1d72f07939387dabf9ffc597
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
82a8537eb90b29e6b1840b2fa476694742e3885e245a150a77d4c016382b1606
MD5 hash:
fa63185d634676f4f77012796044dfd1
SHA1 hash:
eeac66c1892de25330f6cabf0052b2ee36b699bb
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
24ac1195c21166104a41b067828681c094b971035eeaf2743f347db5b934e2cd
MD5 hash:
9e5163ee8db13a787acf952cfa0929f2
SHA1 hash:
aec9f581d36cd79dcac4a2289f554089ed728dec
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
48cd085279644bc786b4e0a0c3d2fad4d366c3535058d09f9bdc4be9c05c113e
MD5 hash:
22e10c493ab764f3fbb94c27a069a27c
SHA1 hash:
3ebf7cbe2d126e2ecb0dcc232515944cf42647ca
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
SH256 hash:
be2a74bc76e5429010ce7741e58aecc253a33e1dbd713d8b6f02a20545469502
MD5 hash:
119501b9e0c53984d4af54644d7a7b47
SHA1 hash:
cdfa4732308a0c0f6343c0d34ab27ec43c17877d
Link:
https://www.unpac.me/results/94eddeaa-3ca0-4622-b622-40d5da282504/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/be2a74bc76e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be2a74bc76e5429010ce7741e58aecc253a33e1dbd713d8b6f02a20545469502

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/242077/

Comments