MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
SHA3-384 hash: 6bfab1687accf64c79886f64e42df8051cfe7bf3522cc99b56981974fc9f10baabad42c5b40e32254d92946bb0391772
SHA1 hash: ac0634851669fa7acb7a18e1525fcc5034602db5
MD5 hash: e504fa8e9d6d7787c86c873797c21587
humanhash: uncle-hamper-cola-fish
File name:BF9714F60C2B4B43CC0383B3155D9C737271916032051.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'538'235 bytes
First seen:2022-09-01 08:00:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:y2Q62Cxm/pORE3t5DuflT26DHyFvCUZu50S/9/Ja2ImQKkw3iBKvrnZ7b09kyFx3:yByxQeE3AlT2OTb9/NIiJ3vjnZXKLJMQ
TLSH T13F66339B4B396373E0405E713949DAA2C2DCAFEEB4A4434917A0D20A97C1BECF51D7C9
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
109.107.181.110:34067

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
109.107.181.110:34067 https://threatfox.abuse.ch/ioc/847031/
85.239.53.245:9420 https://threatfox.abuse.ch/ioc/847138/

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BF9714F60C2B4B43CC0383B3155D9C737271916032051.exe
Verdict:
No threats detected
Analysis date:
2022-09-01 09:25:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/011a37d2-36d3-4553-8cd6-931c689f7ac2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/307118/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Socelars-9895020-1
Create hunting rule

Win.Packed.Socelars-9895021-1
Create hunting rule

Win.Packed.Socelars-9895022-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36275/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
60%
Tags:
arkeistealer barys overlay packed shell32.dll tiny
Link:
https://www.filescan.io/uploads/631066fe116a699e02903bc4/reports/42b86ad4-0650-4ec4-b6ac-4ef444e928dc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e3d4ebd-5ee2-444b-b0ba-eb519660001d
Result
Threat name:
Nymaim, RedLine, SmokeLoader, Socelars,
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1062559
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 695085 Sample: BF9714F60C2B4B43CC0383B3155... Startdate: 01/09/2022 Architecture: WINDOWS Score: 100 101 people4jan.com 2->101 103 nextlytm.com 2->103 105 8 other IPs or domains 2->105 118 Multi AV Scanner detection for domain / URL 2->118 120 Malicious sample detected (through community Yara rule) 2->120 122 Antivirus detection for URL or domain 2->122 126 17 other signatures 2->126 11 BF9714F60C2B4B43CC0383B3155D9C737271916032051.exe 10 2->11         started        signatures3 124 Tries to resolve many domain names, but no domain seems valid 103->124 process4 file5 73 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->73 dropped 14 setup_installer.exe 19 11->14         started        process6 file7 75 C:\Users\user\AppData\...\setup_install.exe, PE32 14->75 dropped 77 C:\Users\user\AppData\...\Tue18cd991b50f.exe, PE32 14->77 dropped 79 C:\Users\user\AppData\...\Tue18b6876b9f.exe, PE32 14->79 dropped 81 14 other files (9 malicious) 14->81 dropped 17 setup_install.exe 1 14->17         started        process8 dnsIp9 83 127.0.0.1 unknown unknown 17->83 85 hsiens.xyz 17->85 114 Performs DNS queries to domains with low reputation 17->114 116 Adds a directory exclusion to Windows Defender 17->116 21 cmd.exe 17->21         started        23 cmd.exe 17->23         started        25 cmd.exe 17->25         started        27 12 other processes 17->27 signatures10 process11 signatures12 30 Tue182098d87897ac.exe 21->30         started        33 Tue181c5256919db02.exe 23->33         started        36 Tue1816ae1a02661f2.exe 25->36         started        128 Adds a directory exclusion to Windows Defender 27->128 38 Tue188422345c.exe 27->38         started        40 Tue186414a361d41f.exe 27->40         started        42 Tue18b38424e0fba5913.exe 27->42         started        45 6 other processes 27->45 process13 dnsIp14 132 Antivirus detection for dropped file 30->132 134 Multi AV Scanner detection for dropped file 30->134 136 Machine Learning detection for dropped file 30->136 152 4 other signatures 30->152 47 explorer.exe 30->47 injected 87 ip-api.com 208.95.112.1, 49750, 80 TUT-ASUS United States 33->87 138 May check the online IP address of the machine 33->138 140 Tries to detect virtualization through RDTSC time measurements 33->140 89 software-services.bar 36->89 91 iplogger.org 36->91 95 2 other IPs or domains 36->95 142 Detected unpacking (changes PE section rights) 36->142 97 2 other IPs or domains 38->97 144 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 38->144 49 WerFault.exe 38->49         started        51 WerFault.exe 38->51         started        146 Injects a PE file into a foreign processes 40->146 53 Tue186414a361d41f.exe 40->53         started        71 C:\Users\user\...\Tue18b38424e0fba5913.tmp, PE32 42->71 dropped 148 Obfuscated command line found 42->148 55 Tue18b38424e0fba5913.tmp 42->55         started        93 a.goatgame.co 45->93 99 12 other IPs or domains 45->99 59 WerFault.exe 45->59         started        61 WerFault.exe 45->61         started        63 WerFault.exe 45->63         started        file15 150 Tries to resolve many domain names, but no domain seems valid 93->150 signatures16 process17 dnsIp18 107 best-link-app.com 55->107 110 192.168.2.1 unknown unknown 55->110 112 safialinks.com 55->112 65 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 55->65 dropped 67 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 55->67 dropped 69 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 55->69 dropped file19 130 Tries to resolve many domain names, but no domain seems valid 107->130 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 01:40:20 UTC
File Type:
PE (Exe)
Extracted files:
190
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6lrj5qmfnfuhtadqozrkxm4onzhdelagicr34cb73ku2nhxy5sq._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:onlylogger family:privateloader family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:ani aspackv2 backdoor discovery evasion infostealer loader main spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/220901-jwj62scdg4/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
OnlyLogger payload
Vidar Stealer
Detects Smokeloader packer
Modifies Windows Defender Real-time Protection settings
OnlyLogger
PrivateLoader
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
http://37.0.10.214/proxies.txt
http://37.0.10.244/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
31.210.20.251
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
163.123.143.12
https://dimonbk83.tumblr.com/
45.142.215.47:27643
Unpacked files
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
c598a971f1d8bc58362396b10df4359654354e6c7b1b56741cea2a532e9bdd94
MD5 hash:
3367116dc59fc2b806bb5ec8c36bf2b6
SHA1 hash:
f4fb01a1efff6c7969383ccf7f64e4ac8cfc2c6f
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
Parent samples :
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
65c4a50bdbcbbcac2b0399262cd6d659030a7ddf756a815a5c1e3b829c6542e0
MD5 hash:
3f0672f7ab1a875532351609a8a7df70
SHA1 hash:
fbc06582d4ec577e6954e9af14f5b35f75c83a26
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
9c9f94782998b5a47afa1bb1cfeba94f4d6edde9bbbec24cb51e19ee48252739
MD5 hash:
53c36cebcce6909d5300360b9c6811cc
SHA1 hash:
db41b3fb4d715d0ba7e11874dfd4baba5b3c97b2
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
9b8ce7f12b92f9c71054ea14a6dc893d8a180ef6aa29c78c28d4777486900d28
MD5 hash:
f5deb2c5f6dfe337b3eee5cfa695d92c
SHA1 hash:
cf709a678498aa8a69606e94b15d07c6bb78cd5e
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
da6e2470414935131c3a094758be78605ec1c1ba8ddc755d175ac73763cc307a
MD5 hash:
03cd7541a32149209ecec14115466bc3
SHA1 hash:
bff67b407cffb1d3f3afbbcee15046e968204af3
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
e6ee06c6bc0014b73e3d24bd01d4713c661fafe2e321b0013d726c134e8fa6af
MD5 hash:
e20f9039ea3ab837fcc4d9bfb13558cf
SHA1 hash:
a5e4430e463caf539061c49c75bbab9c587d4500
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
a1c0d92ea83b0b390a9bbe5afb7c65b9f63cbec95c4338884b5f91d92c589c54
MD5 hash:
5bd78767cf5dbb3c63ccde7d4c28a714
SHA1 hash:
635e68e7e769e352972600034e7e3bf888725d9e
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
4c7a7b64424daf89960ff6e71600e7f4ea843b8f7dcd4cabbb88f3c56ca87adb
MD5 hash:
cd2c3a6ec84e2fa6f44015c330b3beff
SHA1 hash:
5504a814e0388f110cd2501ee203d563c1b7700a
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
7ada08f1cb01cfb85c8dba04d2142fc3f3f00f7e1437d0a867d7bbfd0a2e202e
MD5 hash:
6d72839b05dbce0b12982d0b20a276c7
SHA1 hash:
903af031be5a264db458df28c6c047c35c6507cf
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
e83a9ea57358240aa59234fc9b097535707db129d30ca2406da88d5c7d9fad32
MD5 hash:
5755ca3928168ae9cd90fc87a6619bc8
SHA1 hash:
9a12c276d0f396d9719478f8eba39049af115064
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
f6094b55ff6d942bdb670b164d080c520f0e755e5a2747ec3520df3669f4c47c
MD5 hash:
5da254be50d48793012a5060e028a666
SHA1 hash:
e71c81d12a58a03d2758e6468c3e6b1033f2958f
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
a472c6cbbe13ea68612451acf628faa0bd28fe2c476115cf99e5d49a95401415
MD5 hash:
12dbf57c74596463ae6bbe93f3c42a16
SHA1 hash:
32fdf9454e040784d544bb8f45946b52bd47c9d9
Detections:
win_privateloader_a0
Create hunting rule
win_privateloader_auto
Create hunting rule
win_privateloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
2c3650077e688335afa8dc765a07b9d85a61817726d93a5cec897554d7716381
MD5 hash:
9e9acb6b8c502de37fc5243cd10569be
SHA1 hash:
1a3c1be01ceddb63e7fe4ecde1dec08d1fca9ec5
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
SH256 hash:
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
MD5 hash:
e504fa8e9d6d7787c86c873797c21587
SHA1 hash:
ac0634851669fa7acb7a18e1525fcc5034602db5
Link:
https://www.unpac.me/results/086b529f-4dd2-47db-a306-908fce94b3ab/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf9714f60c2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/307118/

Comments