MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7b3db88e9b1c468684895a197eb9351aba68c65de19909f734f3f58222de4bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 11



SHA256 hash: c7b3db88e9b1c468684895a197eb9351aba68c65de19909f734f3f58222de4bd
SHA3-384 hash: 6e047292a33ef8fa56f82ff918ebefba154b52a0c80a8197a10a99e90967d5f913d81d0ea8280c5303c4f14c2b90b8b7
SHA1 hash: fc32bafb572a0e923bcac631707e8e686334bb2b
MD5 hash: a4a5700115e303b71739a4f76382ce52
humanhash: stairway-oxygen-connecticut-august
File name:a4a5700115e303b71739a4f76382ce52.exe
Signature RedLineStealer
File size:7'800'164 bytes
First seen:2021-06-08 07:09:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 196608:itaocoSzMfJbTIiDOVcYtdkzwhqG77RO7krrAUk6:loSiJbTIiDOVcYtdCwNoQA96
Threatray 909 similar samples on MalwareBazaar
TLSH 867633B773B38A76C03348B01CD95AF5F038BE406A984E4E5AF94D5CA433D569BAB143
Reporter abuse_ch
Tags:exe RedLineStealer
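Added example, not MalwareBazaar or abuse.ch code: how to check a locally obtained file against the digests listed above, and how the imphash field is built, so that pivots on it can be read correctly. The MD5/SHA1/SHA256/SHA3-384 values come straight from Python's hashlib; ssdeep and TLSH need their own libraries and are left out. The imphash canonicalisation follows the pefile algorithm MalwareBazaar's field is derived from (lowercase "<dll>.<symbol>" per import, trailing .dll/.ocx/.sys stripped, joined with commas in import-table order, MD5'd); the import list in the block is constructed, not the sample's, and the one simplification, stated in the code, is that ordinal imports are always rendered as "ordN" whereas pefile first resolves ordinals of ws2_32.dll and oleaut32.dll to names through a built-in table.

```python
"""Verify a sample against MalwareBazaar digests and rebuild an imphash.

Added example (not MalwareBazaar code). Standard library only.
"""
import hashlib

# Digests as published in the database entry above.
ENTRY_DIGESTS = {
    "md5": "a4a5700115e303b71739a4f76382ce52",
    "sha1": "fc32bafb572a0e923bcac631707e8e686334bb2b",
    "sha256": "c7b3db88e9b1c468684895a197eb9351aba68c65de19909f734f3f58222de4bd",
    "sha3_384": "6e047292a33ef8fa56f82ff918ebefba154b52a0c80a8197a10a99e90967d5f9"
                "13d81d0ea8280c5303c4f14c2b90b8b7",
}


def file_digests(data: bytes) -> dict:
    """Return the four digests MalwareBazaar publishes for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: dict = ENTRY_DIGESTS) -> dict:
    """Map each digest name to whether the local bytes match the entry."""
    actual = file_digests(data)
    return {name: actual[name] == digest.lower() for name, digest in expected.items()}


# Extensions pefile strips from the library name before hashing.
IMPHASH_STRIP_EXT = ("dll", "ocx", "sys")


def imphash_string(imports) -> str:
    """Canonical import string in pefile's format.

    `imports` is an ordered list of (dll, symbol); symbol is a str for
    named imports or an int for ordinal imports. Simplification (assumed):
    ordinals always become "ordN"; pefile additionally resolves ws2_32.dll
    and oleaut32.dll ordinals to symbol names first.
    """
    parts = []
    for dll, sym in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in IMPHASH_STRIP_EXT:
            lib = base
        name = f"ord{sym}" if isinstance(sym, int) else sym.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the canonical import string, i.e. the imphash."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import table for illustration; not taken from the sample.
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("USER32.dll", "MessageBoxA"),
    ("comctl32.dll", 17),  # ordinal import, rendered as comctl32.ord17
]


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(verify_sample(fh.read()))
    print(imphash_string(SAMPLE_IMPORTS), imphash(SAMPLE_IMPORTS))
```

Because the imphash covers only the import table, a packer stub dominates it: the entry's own imphash line shows the same value on 82 ArkeiStealer, 60 RecordBreaker and 46 RedLineStealer samples, and the sandbox results below flag VMProtect. An imphash pivot on a sample like this clusters the packer, not the family, so treat it as a hunting lead rather than a family attribution.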


abuse_ch
RedLineStealer C2:
162.55.55.250:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOCThreatFox Reference
162.55.55.250:80 https://threatfox.abuse.ch/ioc/67974/
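Added example, not abuse.ch or ThreatFox code: matching the network indicators on this page against Zeek-style conn.log and dns.log records. The indicators are the ones the entry carries, 162.55.55.250:80 from the reporter comment and ThreatFox, and ullerolaru.xyz:80 from the sandbox C2 extraction further down. The log lines are constructed for illustration and use a reduced column set (the first eight columns of a default conn.log; a trimmed dns.log). A socket match on IP and port is reported at high confidence; a connection to the IOC address on a different port is still reported, at lower confidence, because a C2 host on shared hosting may serve other ports too.

```python
"""Match this entry's C2 indicators against Zeek conn.log / dns.log lines.

Added example (not abuse.ch code). Log lines below are constructed.
"""

# Indicators taken from this MalwareBazaar entry.
IOC_SOCKETS = {("162.55.55.250", 80)}
IOC_IPS = {ip for ip, _ in IOC_SOCKETS}
IOC_DOMAINS = {"ullerolaru.xyz"}

# Column names for the constructed records (a subset of Zeek's defaults).
CONN_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service")
DNS_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "query", "qtype_name")

# Constructed sample records, tab separated like Zeek TSV output.
CONN_LOG = (
    "1623135000.101\tCk3xL\t10.0.0.15\t49712\t162.55.55.250\t80\ttcp\thttp\n"
    "1623135001.221\tCk3xM\t10.0.0.15\t49713\t93.184.216.34\t443\ttcp\tssl\n"
    "1623135002.004\tCk3xN\t10.0.0.22\t49714\t162.55.55.250\t8080\ttcp\t-\n"
)
DNS_LOG = (
    "1623134999.900\tCd1aa\t10.0.0.15\t53211\t10.0.0.1\t53\tullerolaru.xyz\tA\n"
    "1623135000.050\tCd1ab\t10.0.0.15\t53212\t10.0.0.1\t53\twww.example.org\tA\n"
    "1623135003.300\tCd1ac\t10.0.0.22\t53213\t10.0.0.1\t53\tcdn.ullerolaru.xyz\tA\n"
)


def parse_zeek_tsv(text: str, fields):
    """Yield one dict per non-comment line, keyed by the given field names."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        yield dict(zip(fields, line.split("\t")))


def domain_matches(query: str, iocs=IOC_DOMAINS) -> bool:
    """True if the query is the IOC domain or a subdomain of it.

    Compares label-wise so that 'notullerolaru.xyz' does not match.
    """
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs)


def find_hits(conn_log: str = CONN_LOG, dns_log: str = DNS_LOG) -> list:
    """Return one hit dict per matching record, conn.log first, then dns.log."""
    hits = []
    for rec in parse_zeek_tsv(conn_log, CONN_FIELDS):
        ip, port = rec["id.resp_h"], int(rec["id.resp_p"])
        if (ip, port) in IOC_SOCKETS:
            hits.append({"log": "conn", "uid": rec["uid"], "host": rec["id.orig_h"],
                         "ioc": f"{ip}:{port}", "confidence": "high"})
        elif ip in IOC_IPS:
            # Same C2 address, unexpected port: worth a look, lower confidence.
            hits.append({"log": "conn", "uid": rec["uid"], "host": rec["id.orig_h"],
                         "ioc": ip, "confidence": "medium"})
    for rec in parse_zeek_tsv(dns_log, DNS_FIELDS):
        if domain_matches(rec["query"]):
            hits.append({"log": "dns", "uid": rec["uid"], "host": rec["id.orig_h"],
                         "ioc": rec["query"], "confidence": "high"})
    return hits


if __name__ == "__main__":
    for hit in find_hits():
        print(hit)
```

The DNS match is deliberately suffix-based on label boundaries: RedLine and Vidar panels are often reached through subdomains of a registered C2 domain, while a plain substring test would also flag unrelated names that merely end in the same characters.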

Intelligence


File Origin
# of uploads: 1
# of downloads: 164
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a4a5700115e303b71739a4f76382ce52.exe
Verdict: No threats detected
Analysis date: 2021-06-08 07:45:57 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Delayed reading of the file
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Reading critical registry keys
Replacing files
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Running batch commands
Changing a file
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Launching a tool to kill processes
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops executable to a common third party application directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Searches for Windows Mail specific files
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 430981
Sample: 16X4iz8fTb.exe
Start date: 08/06/2021
Architecture: WINDOWS
Score: 100

Graph-level network: email.yg9.me 198.13.62.186 (AS-CHOOPAUS, United States); 172.67.188.69 (CLOUDFLARENETUS, United States)
Graph-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 15 other signatures

Process tree (dropped files, network contacts and signatures per node):

16X4iz8fTb.exe
  dropped: C:\Program Files (x86)\...\hjjgaa.exe (PE32); C:\Program Files (x86)\...\guihuali-game.exe (PE32); C:\Program Files (x86)\...\ask.exe (PE32); 7 other files (4 malicious)
  started: guihuali-game.exe; lylal220.exe; LabPicV3.exe; 6 other processes
  guihuali-game.exe
    dropped: C:\Users\user\AppData\Local\...\install.dll (PE32); C:\Users\user\AppData\...\adobe_caps.dll (PE32)
    started: rundll32.exe; conhost.exe
    rundll32.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      injected: svchost.exe
      svchost.exe (injected)
        signatures: System process connects to network (likely due to code injection or exploit); Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
  lylal220.exe
    started: lylal220.tmp
    lylal220.tmp
      network: limesfile.com 198.54.126.101 (ports 49704, 49707, 80; NAMECHEAP-NETUS, United States)
      dropped: C:\Users\...\___________RUb__________y.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      started: ___________RUb__________y.exe
      ___________RUb__________y.exe
        network: 8.241.126.249 (LEVEL3US, United States); 162.0.210.44 (ACPCA, Canada)
        dropped: C:\Program Files (x86)\...\Wesipanelo.exe (PE32); C:\...\Wesipanelo.exe.config (XML); C:\Users\user\AppData\...\Qyfucafaece.exe (PE32); 2 other files (none is malicious)
        signatures: Detected unpacking (overwrites its own PE header); Searches for Windows Mail specific files
  LabPicV3.exe
    dropped: C:\Users\user\AppData\Local\...\LabPicV3.tmp (PE32)
    started: LabPicV3.tmp
    LabPicV3.tmp
      dropped: C:\Users\user\AppData\...\___________23.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      started: ___________23.exe
      ___________23.exe
        network: 198.54.116.159 (NAMECHEAP-NETUS, United States); 162.0.220.187 (ACPCA, Canada)
        dropped: C:\Program Files (x86)\...\Hushabakohe.exe (PE32); C:\...\Hushabakohe.exe.config (XML); C:\Users\user\AppData\...\Vafunodoka.exe (PE32); 2 other files (none is malicious)
        signatures: Drops executable to a common third party application directory
  6 other processes
    network: ppinstaller.xyz 91.232.30.182 (port 80; OMNILANCEhttpomnilancecomUA, Ukraine); topnewsdesign.xyz 104.21.69.75 (ports 443, 49715; CLOUDFLARENETUS, United States); 9 other IPs or domains
    dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32); C:\Program Files (x86)\...\yRVGeBTYzVxq.exe (PE32); C:\Users\user\AppData\Roaming\8375032.exe (PE32); 15 other files (none is malicious)
    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    started: yRVGeBTYzVxq.exe; jfiag3g_gg.exe; Browzar.exe; jfiag3g_gg.exe (second instance)
    yRVGeBTYzVxq.exe
      signatures: Sample uses process hollowing technique; Injects a PE file into a foreign processes
    jfiag3g_gg.exe
      signatures: Tries to harvest and steal browser information (history, passwords, etc)
    Browzar.exe
      network: 172.217.18.110 (GOOGLEUS, United States); 172.217.22.206 (GOOGLEUS, United States); 2 other IPs or domains
    jfiag3g_gg.exe (second instance)
      network: 192.168.2.1 (unknown)
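Added example, not Joe Sandbox or Sigma code: endpoint detection logic for two of the sandbox signatures above, "Sigma detected: Suspicious Svchost Process" and "System process connects to network (likely due to code injection or exploit)", applied to the rundll32.exe -> svchost.exe chain the behaviour graph shows. The events are constructed Sysmon-style records (Event ID 1 process create, 8 CreateRemoteThread, 3 network connect) with made-up ProcessGuids and a made-up dropper path; the svchost parent allow-list is an assumption modelled on the public Sigma rule's idea, not a copy of its filter list. svchost.exe legitimately talks to the network all day, so the network rule only fires for a svchost instance that an earlier event has already marked as tainted.

```python
"""Correlate a suspicious svchost.exe start or remote-thread injection with
the process's later network connections.

Added example (not Joe Sandbox / Sigma code). Events below are constructed.
"""

# Parents that are expected to start svchost.exe (assumed allow-list).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
# "System processes" whose injection is worth correlating (assumed set).
SYSTEM_IMAGES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SVCHOST = r"C:\Windows\System32\svchost.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
DROPPER = r"C:\Users\user\AppData\Local\Temp\installer.exe"  # constructed path

# Constructed Sysmon-style events in chronological order.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": SVCHOST,
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessGuid": "{R}", "Image": RUNDLL32, "ParentImage": DROPPER},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": SVCHOST, "ParentImage": RUNDLL32},
    {"EventID": 8, "SourceProcessGuid": "{R}", "SourceImage": RUNDLL32,
     "TargetProcessGuid": "{B}", "TargetImage": SVCHOST},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": SVCHOST,
     "DestinationIp": "13.107.4.50", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{B}", "Image": SVCHOST,
     "DestinationIp": "162.55.55.250", "DestinationPort": 80},
]


def detect(events) -> list:
    """Return alert dicts; `tainted` carries state from earlier events."""
    alerts = []
    tainted = {}  # ProcessGuid -> why we distrust this process
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if image == "svchost.exe" and parent not in SVCHOST_PARENTS:
                tainted[ev["ProcessGuid"]] = f"started by {parent}"
                alerts.append({"rule": "suspicious_svchost_parent",
                               "guid": ev["ProcessGuid"],
                               "detail": f"svchost.exe started by {parent}"})
        elif eid == 8:
            target = basename(ev["TargetImage"])
            if target in SYSTEM_IMAGES:
                source = basename(ev["SourceImage"])
                tainted[ev["TargetProcessGuid"]] = f"remote thread from {source}"
                alerts.append({"rule": "remote_thread_into_system_process",
                               "guid": ev["TargetProcessGuid"],
                               "detail": f"{source} -> {target}"})
        elif eid == 3:
            reason = tainted.get(ev["ProcessGuid"])
            if reason:
                alerts.append({"rule": "tainted_system_process_network",
                               "guid": ev["ProcessGuid"],
                               "detail": f"{basename(ev['Image'])} -> "
                                         f"{ev['DestinationIp']}:{ev['DestinationPort']} ({reason})"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The two taint sources cover different injection styles. With process hollowing, the injector is the parent of the hollowed svchost.exe, so the parent check catches it; when malware instead injects into an already running, legitimately parented svchost.exe, only the CreateRemoteThread (or Sysmon Event ID 10 ProcessAccess) path marks it. Event ID 8 into system images is noisy on hosts running debuggers or some security tooling, so the source-image allow-listing is where this rule gets tuned in practice.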
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-06-04 20:46:00 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:elysiumstealer family:plugx family:redline family:vidar botnet:james_two discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
ElysiumStealer
PlugX
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
ullerolaru.xyz:80
Unpacked files

SHA256: 71c33f16fca50786a739350e5dcea260cbebf341f376c0549af6d5eaaff16748
MD5: cc7a4c918ceee4df57027acbee748f1b
SHA1: 41469c05db290bc81cc960153cf9bb3a704b34e3

SHA256: e67df030a25eb8ba26df8104bb47484b598bf6ecff7ad2a423b0941b0e39c3ef
MD5: d30af14ba8112def75eb5ed07b32ec35
SHA1: 06e02d92edcccbfab55cb660a9e56cfac6c08465

SHA256: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5: 0dedd909aae9aa0a89b4422106310e9e
SHA1: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256: f24f9900a3224d44aa4589b351a12c62c5161e110b4fee38d797a12e0af1ec76
MD5: 5eeaa757a3677fb7acb750aa81620b27
SHA1: c671c48f5c3a8b7abeb03aadb14704925e059a82

SHA256: 01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7
MD5: 5e6df381ce1c9102799350b7033e41df
SHA1: f8a4012c9547d9bb2faecfba75fc69407aaec288

SHA256: b26d99296cc1f38ad735c36a305eb206b8a9022e92b463886ed918f42dee0b04
MD5: 9decb9ebf19e4e45bd75f175140e1018
SHA1: c9d35d2bc78dd37270dbe17f2555324c6f560d11

SHA256: 8aee229101b26d5c567331b1f4ad90132c731a9b996f0cafa2b8110d5113a549
MD5: 2c7fe55b35b64aff3a486b6ae2a2543c
SHA1: 1ca93891a24bed4ad402f3807f5eb3cf3cec9228
Detections: win_vidar_auto

SHA256: e14ce108daad7e8f6e137071a334d384dd4137ad0c02b6e5c407880a86e3abfe
MD5: fa0c35872e816d00ae825ce07e47cf20
SHA1: db670a04055fbd4aba45f8337de458cba468df5a

SHA256: 6819a5215f26a3825f382c090648607fc95ee055bfd254f3608feab9c41a8292
MD5: a45438d66780e2842d8c0bfbd7175928
SHA1: c9994c5812f96020857cbcc9de0632027e2a435c
Detections: win_socelars_auto

SHA256: 94212cdb161ec484b9bdc5cecd42436cce784e56b4cf69e055804b439fca9c2a
MD5: a10ae0a8194cb336daca7ca9f6fceebf
SHA1: 31f2e5c15dbfa03144d243d0ff2988de70003b16

SHA256: 856ce51bc0fe21b6c324f6f2b17cc81394ee701e817abd552de827feef963ec5
MD5: 89a92608241ac73e6d85a9f4ceb79928
SHA1: 965c0258cad12e8489f315868ab43eba8f1571c9

SHA256: aad8a490d5eafe41b4821aebb5196c544467409abc5d1febd1a3e33accfc3b11
MD5: 1aa3574b5537e93c00daef2413fc8f13
SHA1: 4b22f25e382fc432ea9f6645931facfda7404cac

SHA256: c7b3db88e9b1c468684895a197eb9351aba68c65de19909f734f3f58222de4bd (the submitted sample)
MD5: a4a5700115e303b71739a4f76382ce52
SHA1: fc32bafb572a0e923bcac631707e8e686334bb2b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Glasses
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_VMProtect
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_HyperBro03
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Rule name:Ping_Del_method_bin_mem
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments