MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c82ff1c17b5eb5ce967d7a8f76a95b61559eb9c48effd65e29823a8b754fab16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 2 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c82ff1c17b5eb5ce967d7a8f76a95b61559eb9c48effd65e29823a8b754fab16
SHA3-384 hash: 8c783c0aa7c42b87644b62f71ced66ce1236f97483866b473b8d956505766bc97229fa275646a3454b098bf4be7f0aa6
SHA1 hash: 16f74a5f45676cd592b08f0af248aa0ebcc64150
MD5 hash: a808390df77d6ac51216b5ce4f4f4adc
humanhash: michigan-xray-freddie-nitrogen
File name:a808390df77d6ac51216b5ce4f4f4adc.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'971'438 bytes
First seen:2021-12-04 08:26:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:PbA37xFg3PFtPTDztmIEdsdfOgimmWWEz8pQLdX4KMAeQR72t4yKdDPCmdeML1wg:PbF3PrTDpZXhF6QLdX0QNCDmDleM5wk7
Threatray 259 similar samples on MalwareBazaar
TLSH T170D52342AFD154B2E7722E31193A16619D7DBC204FD4DE9F63844A98EA30DC0F631BA7
File icon (PE):PE icon
dhash icon f0cccacaece4e0f0 (12 x RedLineStealer, 2 x GCleaner, 2 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.241.19.213:46284

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.241.19.213:46284 https://threatfox.abuse.ch/ioc/259048/
http://ads-postback.biz/check.php https://threatfox.abuse.ch/ioc/259050/

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a808390df77d6ac51216b5ce4f4f4adc.exe
Verdict:
Malicious activity
Analysis date:
2021-12-04 08:29:54 UTC
Tags:
evasion trojan rat redline stealer
Link:
https://app.any.run/tasks/1190b8b7-d2b9-4e6e-a48d-97e2d367c6b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector05
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211259/
Detection(s):
Win.Malware.Clipbanker-9873068-0
Create hunting rule

Win.Malware.Generic-9873526-0
Create hunting rule

Win.Malware.Generic-9874384-0
Create hunting rule

Win.Malware.Clipbanker-9874840-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% subdirectories
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Searching for the browser window
Creating a process with a hidden window
Changing a file
Creating a file in the Windows subdirectories
Moving a recently created file
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Blocking the User Account Control
Setting a single autorun event
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/773/overview
Behaviour
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerbu clipbanker greyware mokes overlay packed
Link:
https://www.filescan.io/uploads/61ab26584d8e6f3a5e0f21a3/reports/d3571ae7-b530-43ed-95a0-0d8f360be04f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20e40264-53e8-4b99-a5f8-a9f0eff0a9f6
Result
Threat name:
Backstage Stealer RedLine Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901362
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Performs DNS TXT record lookups
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Microsoft Workflow Compiler
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 533836 Sample: cC6A9znVtH.exe Startdate: 04/12/2021 Architecture: WINDOWS Score: 100 86 51.79.188.112, 49836, 49868, 7110 OVHFR Canada 2->86 88 193.56.146.64, 65441 LVLT-10753US unknown 2->88 90 15 other IPs or domains 2->90 108 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->108 110 Multi AV Scanner detection for dropped file 2->110 112 Multi AV Scanner detection for submitted file 2->112 114 22 other signatures 2->114 9 cC6A9znVtH.exe 1 27 2->9         started        12 svchost.exe 2->12         started        signatures3 process4 file5 40 C:\Users\user\Desktop\SoCleanSetup4234.exe, PE32 9->40 dropped 42 C:\Users\user\Desktop\Install.exe, PE32 9->42 dropped 44 C:\Users\user\Desktop\Folder.exe, PE32 9->44 dropped 46 4 other files (1 malicious) 9->46 dropped 14 lzzinstall.exe 24 9->14         started        17 SoCleanSetup4234.exe 15 10 9->17         started        21 chrome.exe 13 224 9->21         started        23 5 other processes 9->23 process6 dnsIp7 54 C:\Users\user\AppData\Local\...\lzzinst.exe, PE32 14->54 dropped 25 lzzinst.exe 14->25         started        72 new-androidapps.me 172.67.173.151, 443, 49777, 49790 CLOUDFLARENETUS United States 17->72 56 C:\Users\user\AppData\...\5FUtEHtHNrUjS.exe, PE32 17->56 dropped 58 C:\Users\user\AppData\...\0aB9OqDTm2z.exe, PE32 17->58 dropped 60 C:\Users\user\AppData\Roaming\wkDu0xg.exe, MS-DOS 17->60 dropped 70 3 other files (1 malicious) 17->70 dropped 102 Detected unpacking (changes PE section rights) 17->102 74 192.168.2.4, 443, 49257, 49285 unknown unknown 21->74 76 192.168.2.23 unknown unknown 21->76 78 239.255.255.250 unknown Reserved 21->78 62 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 21->62 dropped 64 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 21->64 dropped 66 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 21->66 dropped 29 chrome.exe 21->29         started        80 212.192.241.62, 49736, 80 RAPMSB-ASRU Russian Federation 23->80 82 ip-api.com 208.95.112.1, 49741, 80 TUT-ASUS United States 23->82 84 4 other IPs or domains 23->84 68 C:\Users\user\AppData\Local\...\Pabss.exe, PE32 23->68 dropped 104 Tries to harvest and steal browser information (history, passwords, etc) 23->104 106 Creates processes via WMI 23->106 32 Folder.exe 3 23->32         started        34 conhost.exe 23->34         started        36 conhost.exe 23->36         started        file8 signatures9 process10 dnsIp11 48 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 25->48 dropped 50 9fb04855636c44bf84...5fef0bf8.tmp (copy), PE32 25->50 dropped 116 Multi AV Scanner detection for dropped file 25->116 118 Creates an autostart registry key pointing to binary in C:\Windows 25->118 120 Adds a directory exclusion to Windows Defender 25->120 122 Drops PE files with benign system names 25->122 92 clients.l.google.com 142.250.203.110, 443, 49738, 64080 GOOGLEUS United States 29->92 94 googlehosted.l.googleusercontent.com 142.250.203.97, 443, 49767 GOOGLEUS United States 29->94 100 5 other IPs or domains 29->100 52 C:\Users\user\AppData\Local\...\Cookies, SQLite 29->52 dropped 96 56.jpgamehome.com 172.67.219.219, 443, 49731, 49733 CLOUDFLARENETUS United States 32->96 98 192.168.2.1 unknown unknown 32->98 38 conhost.exe 32->38         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c82ff1c17b5eb5ce967d7a8f76a95b61559eb9c48effd65e29823a8b754fab16/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 16:58:53 UTC
File Type:
PE (Exe)
Extracted files:
123
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zax7dql3l2245ft5pkhxnkk3mfkz5ooer375mxrjqi5iw5kpvmla._file
Verdict:
malicious
Similar samples:
0990a2572d8b275f4adb305f3673f72ba4baafa1f85c7132a2306531517ebca8
RedLineStealer
21aba879ca90e3d4b3b58f61316b6b42c97d31f62dea2a0992460eece4bc0566
RedLineStealer
27187e1f1917f183a153031046ed0eb140ba0c89ab9d8637081bf10743c41e18
RedLineStealer
501db6290affecf31a95c2fb5e1b93e047aa3a1cc93657891fd90c0f7bb16830
RedLineStealer
81c62d3a5523b804ee83aadc9ca7d648fa028073d8f8e6f0d39123ca402d739e
RedLineStealer
a7dfdd77617ff0d9ab80e43a147683d595b231369ddf9c18d2c4bf68d5133d3a
RedLineStealer
ead42d92845d16daa02f3486b09d662cf57d9942dfda0641edd6633a3f2e7a47
RedLineStealer
+ 249 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:redline family:socelars botnet:faker evasion infostealer persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211204-kceynaafhm/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
UAC bypass
Windows security bypass
suricata: ET MALWARE Suspicious Download Setup_ exe
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
51.79.188.112:7110
http://www.ecgbg.com/
Unpacked files
SH256 hash:
0701a6a38b6408214521063cb70ab8db08fa8e557c27d4a7150f753a601d0dce
MD5 hash:
41e179ca84a95482dac62e41e8b17667
SHA1 hash:
dd73d2f926588da9bbce3efb850dab7925d36caf
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
709af1660b092ced668385c7d8c06f578e7416ac1d696d97e5683d4ed553e380
MD5 hash:
c6e99890b121c1281debc6ef7e6323ef
SHA1 hash:
a55e968508a2dd53f8296f90572a6d2efc39a5cb
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
149225b718accad03540049581e6b8b5be64f980db58d768976034a89f7cc96b
MD5 hash:
509945e4801ee57c9fc30ed47ed9f04d
SHA1 hash:
6d801a849a1585653e353f25a00876ff378afcc6
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
f5b9292b626f110a2e77bc34953c21a91cfbb82e8686b5a3a3b7f6d2e5d62b11
MD5 hash:
991b0505d8a1d82291f0c548fdf2db5a
SHA1 hash:
9b674cec1fbd86db72bbcc45cd8d41d5c47026c9
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
d1b61d1d21912c51a359d7a4b500add11ab64411e0a841a740e81c8e4069a8ae
MD5 hash:
4f7ce2a0af12fa43b839a6a78fa37409
SHA1 hash:
9215df18c486f7350877fe2fcd558c7d1a6a6180
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
8e015ad9bbe92f6576cad5f1ae51f7c400314fe124be0f84c8ea7bbd6375c815
MD5 hash:
d86cedfde8c264e2798440b279c29997
SHA1 hash:
7e829efaac4e837cd3da640c7b8afecebc079800
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
0b71f47d397ca22a605713b6ac81d03f237daf759884609110a5e705e334b126
MD5 hash:
5942c460e42cfcdfdbe7429cc941a63c
SHA1 hash:
e5c9777e95ebadab262763d2f8473a0ebcda96a2
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
dadd36cd77db9fd47180dd925786adb5e6ffe373668e44bb71ab94d0ab8c1fe5
MD5 hash:
8769a2e85da0c1231c79f2ba75ad7780
SHA1 hash:
f487ef9273abe727fb55fc9147be68c7d4fe37ed
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
a9216e4eed0187451ac1fbe1ac7e21d33c85cc35c63007a2f774297c9ef36054
MD5 hash:
74173c0149afef32f2028c601098aed4
SHA1 hash:
00e83ab110082c0041395f5d394f9105ec81ea29
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
0558d1be3ddc6f7df97cc8ac9c489c9db9bad8605f9158bd1b9d71d282c331e8
MD5 hash:
5463a44330247da71da8fb7acf726394
SHA1 hash:
91d47124406f33116c288d5c70bfd130754ae6e2
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
f659cb27777658e7e063271ef623ee3155d84eafdfcc80f6c3c91cc5b9e5e7ac
MD5 hash:
9e53752f7386f2f4b6f158e22b8e660b
SHA1 hash:
a1e82a6e2a1b10bd94edd22d49cc83213ed1db13
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
SH256 hash:
c82ff1c17b5eb5ce967d7a8f76a95b61559eb9c48effd65e29823a8b754fab16
MD5 hash:
a808390df77d6ac51216b5ce4f4f4adc
SHA1 hash:
16f74a5f45676cd592b08f0af248aa0ebcc64150
Link:
https://www.unpac.me/results/c5f2b559-b956-40d8-9afe-a8aebc49378b/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c82ff1c17b5e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c82ff1c17b5eb5ce967d7a8f76a95b61559eb9c48effd65e29823a8b754fab16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211259/

Comments