MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 be2d4d2297c029aade113b2255b0f404c3de2830b307f77c3f7f9e678e988857. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 14
| SHA256 hash: | be2d4d2297c029aade113b2255b0f404c3de2830b307f77c3f7f9e678e988857 |
|---|---|
| SHA3-384 hash: | 94c6827461f6e1362d6fad9fa5230bd10c3a2a9f4c4a50a55774a6106644032a4e061480f15c2f3f52435777e2065ced |
| SHA1 hash: | 68bbf39ed4a20bcee68b48c83319d12200393b9f |
| MD5 hash: | afdfd33ee10a1b36cf7cec18f90216d0 |
| humanhash: | cola-seventeen-edward-kentucky |
| File name: | BE2D4D2297C029AADE113B2255B0F404C3DE2830B307F.exe |
| Download: | download sample |
| Signature | RedLineStealer |
| File size: | 5'382'248 bytes |
| First seen: | 2021-11-13 19:21:33 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox) |
| ssdeep | 98304:y3c0zrX0Bkt/HClTd4QChOK29oRwjN/xYYxWdpPlx3E5lRUxq6U4ETXRxLc:y3vzQOt/ilTd4QTK29HR/xVW3lx0tUA8 |
| Threatray | 374 similar samples on MalwareBazaar |
| TLSH | T18446331724201E2BDE7C1B33AB3592093A00786B91B4DA4F4F3CBB57FDD59E1199C62A |
| File icon (PE): |  |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter |  abuse_ch |
| Tags: | exe RedLineStealer |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| http://185.163.47.175/ | https://threatfox.abuse.ch/ioc/247972/ |
| 81.91.178.86:21746 | https://threatfox.abuse.ch/ioc/247978/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CookieStealer
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
DNS request
Searching for analyzing tools
Moving a recently created file
Sending an HTTP GET request
Reading critical registry keys
Deleting a recently created file
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Backstage Stealer RedLine Socelars Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.SmallDownloader
Status:
Malicious
First seen:
2021-09-21 00:32:10 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 364 additional samples on MalwareBazaar
Result
Malware family:
vidar
Score:
10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:janesam aspackv2 backdoor discovery evasion infostealer spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
https://petrenko96.tumblr.com/
65.108.20.195:6774
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
https://petrenko96.tumblr.com/
65.108.20.195:6774
Unpacked files
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SH256 hash:
894300eca1742f48ed61be1043d3cb9924e89522c24b0f01b7cceb261a1fa073
MD5 hash:
7c82c868054a4fc8a5f6337a55f8d82e
SHA1 hash:
279ef02de285cbaf873e1ac2794406baa1f84f19
SH256 hash:
fe1e06081e083a619e5d3b41207c638c76f53dca501f5df87dec6f5381b8478a
MD5 hash:
3de1e71edcacc61637c3ac896879ed28
SHA1 hash:
f81038be3942b6221381036858bd17330de2133b
SH256 hash:
52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d
MD5 hash:
2c509753fac93810c09574a8b56af1e4
SHA1 hash:
e53da7ff5a9cfc3bda21794d639ed1f02cd7a881
SH256 hash:
c8d2872471e045acfb4085b3010d29a48a8d555b142e40e750f2a8eff5d4de52
MD5 hash:
d8d6c4921444c4142d341ec6a6fa25f5
SHA1 hash:
d05b58434ac574ad7f97ea57072e790a62fff183
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
SH256 hash:
2d6db21bc473e3bda7c2b782ff4edee826578a4efefe438dc2e5d62145a63736
MD5 hash:
4b25e24533c704f7a8c8e0a1ca4aba18
SHA1 hash:
997715e68c4a5dc68d00213a36bf84802934443b
SH256 hash:
ec599b0b771a292902f3c42ce378c62abe78f524a4a0e9224c5c985691dcc40a
MD5 hash:
062d3693875aef480647447a99242b0d
SHA1 hash:
8c4a3888bf313fdac328058ae95250f81bc9bd80
SH256 hash:
f27d4813f02ffc9d0b120a5cf55fc847a0c3a364092c776a15e4894b946091d1
MD5 hash:
8696fea79b3ef0518c637758aba9abac
SHA1 hash:
83504503165ea2226e325a22f33327ef432fc588
SH256 hash:
bfcec33dec1d8e2289b5cd2c9ba575b9afbc313ccc6c7870254ed916f53c7cf1
MD5 hash:
09ddadc12942f17fe197a995fd6ccb1d
SHA1 hash:
73d51ea908020a6808c789dda877f11c8acbf47f
SH256 hash:
3f05e96bf710e5e3074449cff848125ba46b43fb0858b45c98facf9dde921ff8
MD5 hash:
f75f5b2be490c8dd9a5ea2458e872a9e
SHA1 hash:
69d223724644ce428d7c6b1590b6c54b42813a1e
SH256 hash:
aff9ab692225614831ee1630686474da45ab76c978f91345309f76dc8f85c039
MD5 hash:
3a07caaa60f3b83b0e230fbfa6b0b357
SHA1 hash:
57d995c58ad58865787f32d7a1a0eedab1cf8e0f
SH256 hash:
1e50bead67a29eaeec16eb7f67ae9624e2e117c21838753b339f8dedcc1d0819
MD5 hash:
34a48b5bb71c3e586ab70823760ab20a
SHA1 hash:
4a2a5053f44be79b897a9c126befbdf32df5c4d3
SH256 hash:
e7411d40e19984423cba68998694a01222a65ab89f128e80bd23eae280bb6b2b
MD5 hash:
1f9f44deed049b005dfe811163cd753d
SHA1 hash:
4058ec451c380e36c401c7847f33f12f2ee68a5c
SH256 hash:
a2c6e9e6267acc55e6846a2d236463243e9f157704f5c44c8a928b982ea52b4a
MD5 hash:
c48e12a65e4674030816ba8f492d3bd7
SHA1 hash:
0486607bac999e3c3849544b808aee677afc168a
SH256 hash:
ff236ccbd61d322a223e3152e768d0a195bde866d4debbe98929a80946382832
MD5 hash:
14b846dbd77dbedb574227310467d5fb
SHA1 hash:
01318111c3ae602914839f4f44f66dc095f3aa51
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
SH256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
SH256 hash:
596f8804421fced3d46b825a5e6aa14471164436766eae297b15174ccc0e2702
MD5 hash:
5468162a5940c259b5ba9ab770b5a93e
SHA1 hash:
570ab1cdeac85388192eff878500e37649947e73
SH256 hash:
247d69da57e075f15e7fedc62ef99404f3e4e15988d35c598054f6771567b12a
MD5 hash:
0ef47ae88282ced5a011034e25a46e07
SHA1 hash:
4ee96fa7cf4c7c0d3d909a1726a48551a81aaf72
SH256 hash:
0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b
MD5 hash:
bb4e4f419dbe419d5cdca7e8534ac023
SHA1 hash:
cdacd0ad82dcefa585734e751b1cea42161a9033
SH256 hash:
8d8d5a5b1e6748f7bfa12ce1f85399470fd5486fbcd8ddc29a71a5222cdd53b9
MD5 hash:
31610c9e34bb07a4f6bbce30975de3a9
SHA1 hash:
b35979846d7bf18db38a13c90943780fc0539b61
SH256 hash:
7b66907b8d7edbd9f26226f304a918164987fda5d577c7b905cafccdbe0f3925
MD5 hash:
6fbc1dbddd3156c2e4e665aeb4ee9206
SHA1 hash:
3a65df0c3557bcf9dce649cfa061ecd67baccfd4
SH256 hash:
017a6b86d41385e48f863de0e5afd6a5dc3c469f45fb59e60f227a6a76f4dcf8
MD5 hash:
95020ec64d95728c29032e85b49ecfb8
SHA1 hash:
a081fc57a18a8a5cccc1a7834e8bcfa5ebb9a919
Detections:
win_socelars_auto
SH256 hash:
699b4d0f52428d89c121bd6c47f039d0cf427b0b95d933be681e69e97dda831e
MD5 hash:
5f5013c0e7d970c17764358b28e838d4
SHA1 hash:
f476cdcb6b01f0d033f6b2205bb62bf8d2d8b8c5
SH256 hash:
8dc1ebb7ce9decfaac1069c035a907c0f1fd8c81caeb6edef2b5cedd9e9dad3a
MD5 hash:
62750dadf5388d90a28d6390efefe366
SHA1 hash:
a4589c8a64264101f47bd0b0ea81e0b31bfff164
SH256 hash:
be2d4d2297c029aade113b2255b0f404c3de2830b307f77c3f7f9e678e988857
MD5 hash:
afdfd33ee10a1b36cf7cec18f90216d0
SHA1 hash:
68bbf39ed4a20bcee68b48c83319d12200393b9f
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.