MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c05dcc1cf5041eb12034132df4ae105c6abccae45e18a11b102f6d8340f68e6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: c05dcc1cf5041eb12034132df4ae105c6abccae45e18a11b102f6d8340f68e6c
SHA3-384 hash: a4d3ffa82e7ddaf3c497b76769dfe2184b056ae094e60bc139b306e54f8299f870701f0ee468038305576f7ea5a93603
SHA1 hash: 1468ccf6396f93cdae03b81aed87ea2211b9a4fa
MD5 hash: a4ed242cae44c8b0bf982ba536e7f4a4
humanhash: beer-eighteen-alpha-maryland
File name: a4ed242cae44c8b0bf982ba536e7f4a4.exe
Signature: RedLineStealer
File size: 4'471'343 bytes
First seen: 2021-10-04 09:20:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:J1Dvlv8ATz3d3v0UF7MT22iN9BwU1fzu74IalBu7gurBW:JP0ATLdzK22iN9Rte41U7ggW
Threatray 583 similar samples on MalwareBazaar
TLSH T136263326B270503DE9A4CC79A8E94FBD6BF8942552FF871B03256A05913D3C29A703F7
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
195.2.93.217:59309

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
195.2.93.217:59309 | https://threatfox.abuse.ch/ioc/230020/

Intelligence


File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-02 00:51:59 UTC
Tags:
trojan evasion rat redline socelars

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
overlay packed
Result
Threat name:
RedLine SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Creates processes via WMI
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID 496683, sample SM2er1GRUI.exe, start date 04/10/2021, architecture WINDOWS, score 100]
Threat name:
Win32.Trojan.Sabsik
Status:
Malicious
First seen:
2021-10-02 11:58:26 UTC
AV detection:
28 of 44 (63.64%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:1015 botnet:921 botnet:933 botnet:ani botnet:jamesoldd aspackv2 backdoor evasion infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
65.108.20.195:6774
45.142.215.47:27643
https://mas.to/@bardak1ho
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
Unpacked files
Malware family:
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments