MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 2 YARA File information Comments

SHA256 hash:	befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec
SHA3-384 hash:	6c9182fa3094a039c89131f40fefaeb4a28c2e51588e07d674c544c75ac04c84a6388c909450c2a11a69a0bd33372fb7
SHA1 hash:	29ef8b5405f75c09e495e0937e3d9d8b8dbdf4ae
MD5 hash:	9aab74021fae67b0ec355bbc9138b1c4
humanhash:	potato-one-moon-paris
File name:	9AAB74021FAE67B0EC355BBC9138B1C4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'859'612 bytes
First seen:	2021-08-11 21:50:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	98304:yfKP0VfhaPhaEFHHiRCp4cCH6iUdIbLnTrgAQzuGIOqiC1c2MeS:yfm0Vf8PhaEFniRCp06i+qgksBC1c2xS
Threatray	294 similar samples on MalwareBazaar
TLSH	T15E263332BBC76077D93679B4AD319501DB40BDD29384ABEA1BD0478323A519C8E8E277
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://74.119.195.135/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://74.119.195.135/	https://threatfox.abuse.ch/ioc/171652/
45.14.49.128:16334	https://threatfox.abuse.ch/ioc/172157/

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Detection:

CookieStealer

Link:

https://www.capesandbox.com/analysis/178402/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Sending a UDP request

Searching for the window

Running batch commands

Connection attempt

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Deleting a recently created file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Bsymem

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/23867031-97bc-4d64-bc69-20b2d8397258

Result

Threat name:

RedLine Socelars Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/831281

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

Disable Windows Defender real time protection (registry)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Sigma detected: Suspicious Svchost Process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected RedLine Stealer

Yara detected Socelars

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec/

Threat name:

Win32.Trojan.Chapak

Status:

Malicious

First seen:

2021-08-11 00:01:00 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x36sgkvy3k3cyaikbklobzrkd72wcueyo76yvt5bkb67chqjflwa._file

Verdict:

unknown

RedLineStealer

51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3

RedLineStealer

5d10fa7657f41f17d508c1dbb3f63b5b2ad6deea2f47e747b118345a56ab6cdc

RedLineStealer

854e5c0dbeb31b0953c41b36dc88fa4e959c00c848fb723dc2f9223aeb5a359a

RedLineStealer

9e74b137b73150bea9b3ef6b987d3af1b3c445163c8ea469e6608d3ebc6062d9

RedLineStealer

aa9b8b79b9b4e0478e85c4ae5b08c15aadea45cac7617de2c298070fd781748e

RedLineStealer

c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c

RedLineStealer

d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702

RedLineStealer

+ 284 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:39b871ed120e56ecbdc546b8a8a78c4e5516bc1f botnet:706 botnet:7new botnet:916 botnet:937 aspackv2 backdoor infostealer persistence stealer suricata themida trojan vmprotect

Link:

https://tria.ge/reports/210811-zng878ax6n/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Themida packer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Vidar Stealer

Process spawned unexpected child process

Raccoon

Raccoon Stealer Payload

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Malware Config

C2 Extraction:

https://prophefliloc.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80

Dropper Extraction:

http://91.241.19.52/Api/GetFile2

Unpacked files

SH256 hash:

6e037f08a0c238f222fa2d717d487896fb12c411129748e6729e5599abc43b13

MD5 hash:

9806f3f87bcb267281009a6fc5c420fa

SHA1 hash:

1e36820c67183d74e9c1f94cfa63863e520b0598

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

Parent samples :

549953d5db2a4646740e721e24ec1b7fa57ef6c4d72ffa32752b17d4a65c36e4
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234

SH256 hash:

ddbe26b2ac611988d9035c782fa4f8ef01ed7b8fb4995cab60f7ec4a933657a3

MD5 hash:

f058187cd33c10725678e55e672b0bb1

SHA1 hash:

f2644114ba4f8a2aeb5769ac9c0413b0b59cde6b

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

61494bca647b46aa9c7cfe3530385a7d6f9dc2287c9b0b4fd61dfa701ba7a4ad

MD5 hash:

df2208cc1e06995916314451713aa5b0

SHA1 hash:

ae2d9d9cdbe24556f5359b13767533bbe9c046d1

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

dd5c306519cc94125348f67bd6a533e9ec5fe06a0be2404e7f7175dd150cdeaa

MD5 hash:

12c4e83713e044a173a2a56d0689cc4c

SHA1 hash:

a72587ad2fd0c93a469edb802cfc753bc00f1fff

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

7312ff88c5eb0eb108cc0f04b91f871f59faed40d28cc5364ff456b0b063c37b

MD5 hash:

e2213d70937e476e7a778f1712912131

SHA1 hash:

f8f09b6965c83c361210a1b11c8039b7ca9a30b9

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

MD5 hash:

0965da18bfbf19bafb1c414882e19081

SHA1 hash:

e4556bac206f74d3a3d3f637e594507c30707240

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

2f21e720e8fd2c591fdd52d7267370a2f0894bb4d3ca564392271cc025102ba7

MD5 hash:

46e9d76672b9d24ba14ea963574cc6a2

SHA1 hash:

caf88d470dc1241aca2b159b26953194a8d59cca

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

MD5 hash:

c0d18a829910babf695b4fdaea21a047

SHA1 hash:

236a19746fe1a1063ebe077c8a0553566f92ef0f

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

0a655e9cb37e8cc23417b544bf24caf32b4a1cf84b5704e2802d6e833eb5f968

MD5 hash:

e01933ca2d660692b5eaadcf24df1d1e

SHA1 hash:

ed7ee002a8fe5dae6d99df81e2cc649f3c345624

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

f1bfec04fde84138871dec9fc8f798bd8f33f3b06bb9ef13d9e36e47cb6958f0

MD5 hash:

26b8cc9ca07e9504708529decb859f55

SHA1 hash:

e7c568f8c2718ad56d488e6a02458a61ebb37c9c

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71

MD5 hash:

7aaf005f77eea53dc227734db8d7090b

SHA1 hash:

b6be1dde4cf73bbf0d47c9e07734e96b3442ed59

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

4d9bbd0f1ec135e9f84a9e8aee547a8337c3fcdaabad4ee55700620cc09ad6e0

MD5 hash:

1abcc1be425b60148d24079f4cafe80a

SHA1 hash:

0d33d6d98cd8344c10bed669af854567b218b1ed

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9

MD5 hash:

4955a27a03f35933fdbd801f425b6c58

SHA1 hash:

97f3b8f33fd1a49cf9db5a246d996047beef3c12

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

Parent samples :

db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f

SH256 hash:

f874a78b4fb9ab598e2ac95d7f5a41b1dfba9e24d2a57a8fb5f10e5ea62b935a

MD5 hash:

01e5373cbb739dd246b4fea03c5f36e4

SHA1 hash:

89b5c2b2d14c2bd482fe862e62780594fdf21e8a

Detections:

win_socelars_auto

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

4bebd4be3034c39c56d2c9124347260e66443315284519e2369d792b2d5209a6

MD5 hash:

a4414c9df45450df71686f9acbccad9c

SHA1 hash:

695aa4a28196544e9df6257ab2f450cd5846f85a

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

SH256 hash:

befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec

MD5 hash:

9aab74021fae67b0ec355bbc9138b1c4

SHA1 hash:

29ef8b5405f75c09e495e0937e3d9d8b8dbdf4ae

Link:

https://www.unpac.me/results/0d0fb175-de24-4d1f-9c09-3c5cda84ffe5/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/befd232ab8da/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/178402/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample