MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 18



SHA256 hash: c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SHA3-384 hash: 98faad6d5aaed644292ae8f1467abbed4029c0164a0d0f460704d909966eb49885100c4b8213697206949f6d224b2283
SHA1 hash: a1311074ee2ae7b307606484ce09b8fa224d391c
MD5 hash: f94bf1734f34665a65a835cc04a4ad95
humanhash: failed-missouri-apart-sink
File name: c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
Signature: RedLineStealer
File size: 7'222'809 bytes
First seen: 2025-05-06 02:56:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JHnih4xeZ4Vcf2QYQ/XLFjge8l/nEjyPBNlbBk:JHniexGZD/LdSnEjWbK
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1707633B409A0C865D1FA0076A696ECEE0F538BDDC40F622376BD4851FDE8D50BE68397
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: neiki_dev
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 347
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a.7z
Verdict: Malicious activity
Analysis date: 2025-05-06 02:42:52 UTC
Tags: evasion adware loader browserpassview tool

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autoit emotet nsis
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for synchronization primitives
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Searching for analyzing tools
DNS request
Sending an HTTP GET request
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: blackhole installer microsoft_visual_cc overlay overlay packed packed packer_detected
Malware family: RedLine Stealer
Verdict: Malicious
Result
Threat name: Nymaim, PureLog Stealer, RedLine, SmokeL
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Drops PE files with a suspicious file extension
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph (rendered graph flattened to text; reconstructed as a process tree)
Behavior Graph ID: 1681769
Sample: a5ZIRCTerc.exe
Start date: 06/05/2025
Architecture: WINDOWS
Score: 100

Start
  Network: hornygl.xyz (Performs DNS queries to domains with low reputation); zenitsu.s3.pl-waw.scw.cloud; 14 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 20 other signatures
  Started: a5ZIRCTerc.exe; rundll32.exe

a5ZIRCTerc.exe
  Dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  Started: setup_installer.exe

setup_installer.exe
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 17 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: setup_install.exe

setup_install.exe
  Network: 127.0.0.1
  Signatures: Multi AV Scanner detection for dropped file; Modifies Windows Defender protection settings; Disables Windows Defender (via service or powershell)
  Started: cmd.exe (three instances); 14 other processes

cmd.exe (three instances)
  Started: 61f665277addf_Sun10a8a309b91.exe; 61f6652e754de_Sun109ac46a.exe; 61f66529e6cd2_Sun105c44b0.exe

14 other processes
  Signatures: Drops PE files with a suspicious file extension; Modifies Windows Defender protection settings; Disables Windows Defender (via service or powershell)
  Started: 61f665303c295_Sun1059d492746c.exe; 61f66539e050d_Sun103349fe7f.exe; 61f6652f39632_Sun10026c4ad66e.exe; 9 other processes

61f665277addf_Sun10a8a309b91.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
  Started: 61f665277addf_Sun10a8a309b91.exe (second instance)
    Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

61f6652e754de_Sun109ac46a.exe
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers

61f66529e6cd2_Sun105c44b0.exe
  Dropped: C:\Users\...\61f66529e6cd2_Sun105c44b0.tmp (PE32)
  Started: 61f66529e6cd2_Sun105c44b0.tmp
    Dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    Started: 61f66529e6cd2_Sun105c44b0.exe (second instance)
      Dropped: C:\Users\...\61f66529e6cd2_Sun105c44b0.tmp (PE32)
      Started: 61f66529e6cd2_Sun105c44b0.tmp (second instance)
        Dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)

61f665303c295_Sun1059d492746c.exe
  Dropped: C:\...\61f665303c295_Sun1059d492746c.tmp (PE32)
  Started: 61f665303c295_Sun1059d492746c.tmp
    Network: s3.pl-waw.scw.cloud 151.115.10.3, 49702, 80, OnlineSASFR, United Kingdom; 151.115.10.4, 49704, 80, OnlineSASFR, United Kingdom
    Dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)

61f66539e050d_Sun103349fe7f.exe
  Signatures: Detected unpacking (overwrites its own PE header)

61f6652f39632_Sun10026c4ad66e.exe
  Signatures: Injects a PE file into a foreign processes
  Started: 61f6652f39632_Sun10026c4ad66e.exe (second instance)
    Started: WerFault.exe

9 other processes
  Network: www.listincode.com 38.6.176.121, 443, 49698, COGENT-174US, United States; ip-api.com 208.95.112.1, 49705, 80, TUT-ASUS, United States; iplogger.org 104.26.2.46, 443, 49699, 49700, CLOUDFLARENETUS, United States
  Dropped: C:\Users\user\AppData\Local\Temp\dCX7KY.cpl (PE32); C:\Users\user\AppData\Local\Temp\11111.exe (PE32)
  Signatures: Loading BitLocker PowerShell Module
  Started: cmd.exe; 61f6653a993c0_Sun10a84012.exe; WerFault.exe; WerFault.exe

cmd.exe (started by the 9 other processes)
  Started: cmd.exe; conhost.exe
    cmd.exe (child)
      Dropped: C:\Users\user\AppData\Local\...\Sul.exe.pif (PE32)
      Started: tasklist.exe

61f6653a993c0_Sun10a84012.exe
  Network: v.xyzgamev.com 34.132.102.6, 443, 49703, 49712, ATGS-MMD-ASUS, United States
Threat name: Win32.Spyware.Redline
Status: Malicious
First seen: 2022-01-31 07:53:44 UTC
File Type: PE (Exe)
Extracted files: 438
AV detection: 31 of 36 (86.11%)
Threat level: 2/5
Verdict: malicious
Label(s): shortloader redlinestealer shellcode_loader_002 smokeloader nirsoft gcleaner socelars pseudomanuscrypt fabookie chebka unc_loader_005 formatloader
Similar samples:
Result
Malware family: socelars
Score: 10/10
Tags: family:fabookie family:gcleaner family:nullmixer family:onlylogger family:redline family:smokeloader family:socelars botnet:media272257 botnet:pub3 aspackv2 backdoor discovery dropper execution infostealer loader persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detected Nirsoft tools
NirSoft WebBrowserPassView
OnlyLogger payload
Detect Fabookie payload
Fabookie
Fabookie family
GCleaner
Gcleaner family
NullMixer
Nullmixer family
OnlyLogger
Onlylogger family
RedLine
RedLine payload
Redline family
SmokeLoader
Smokeloader family
Socelars
Socelars family
Socelars payload
Malware Config
C2 Extraction:
http://www.anquyebt.com/
http://hornygl.xyz/
92.255.57.115:11841
appwebstat.biz
ads-memory.biz
Verdict: Malicious
Tags: Win.Packed.Barys-9859531-0 external_ip_lookup
YARA: n/a
Unpacked files
SHA256 hash: c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
MD5 hash: f94bf1734f34665a65a835cc04a4ad95
SHA1 hash: a1311074ee2ae7b307606484ce09b8fa224d391c

SHA256 hash: fd63dd8311488f5506721974f51a387ab0572c3e2cbfa8bb5be5ff49502fdaa3
MD5 hash: dcf6c0f497585d83cd94275979633c2d
SHA1 hash: e3a225fef7dd39fdcd2c9ed3aa533032e0a78614

SHA256 hash: 09785c3a883b4b43913a21d5a8bafe5b312700d9b029cb42afd2d46e7f17d36d
MD5 hash: 660ea0eded96b512a85063edc6dc9b25
SHA1 hash: bca781a111587c14617dcc8fb06117379a872ef1

SHA256 hash: e1e77f475c87984cded80afa4b5d3e2079e931bf3110e0205cf519db8ceaa35d
MD5 hash: 573c4b3da97e3e027a409f13d3f1561c
SHA1 hash: 41c91e17ae24678af1c0f7f9b06dc318caa643ed

SHA256 hash: ca5e3834d9a381048ee0354f4b2dae511670328b85cac362f6fe79266fb9af7e
MD5 hash: 4123468a73f6c00f7da6b0bc53bd2003
SHA1 hash: f247ea91cd737c10e11ddfb3de84f587e48bf1ec

SHA256 hash: 56a220a7ddf91f2fca8b5fe5d798b69018b25ade1e4daf29401e87813597c453
MD5 hash: 6c4bca19adc04747c9b8754bdf7360eb
SHA1 hash: 06832130a164cb708b410362f8129c8f1a157f58

SHA256 hash: b05eee945db6fd4d997f3590c7efc6853599538e6f71629d6619357c5c386ea6
MD5 hash: 267bf1552c8fb516bd4d732f59c790d4
SHA1 hash: d16d405ef4e775d2901512f73d2b60e314b756bf

SHA256 hash: b529262bf423b8b246e492dd85f375c8a504c4207f2e86ef3633d9e177c3e810
MD5 hash: 3193f429fcf6ad7846f7c3f2e71715a0
SHA1 hash: 54f1138102df7e0268760486138f6ff7eb0c2821

SHA256 hash: 44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash: 9c8886759e736d3f27674e0fff63d40a
SHA1 hash: ceff6a7b106c3262d9e8496d2ab319821b100541

SHA256 hash: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
MD5 hash: 9aec524b616618b0d3d00b27b6f51da1
SHA1 hash: 64264300801a353db324d11738ffed876550e1d3

SHA256 hash: 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307
MD5 hash: 5b14369c347439becacaa0883c07f17b
SHA1 hash: 126b0012934a2bf5aab025d931feb3b4315a2d9a

SHA256 hash: b69a81971bd4800d1737ef67ef47e5b6793723c1fd4b75dfbdddf8b28bd93dd5
MD5 hash: 12dbc75b071077042c097afd59b2137f
SHA1 hash: 3f8314a4e37b0aa99bd154d950d6e4d6cd803f31
Detections: win_nullmixer_auto

SHA256 hash: 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash: 83b531c1515044f8241cd9627fbfbe86
SHA1 hash: d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: a7b8343ceb4c9a48b65f806e1136eaa57c0c323a70c3790659367d8a67b059b4
MD5 hash: 6e51f5ed63e401dca4d61155ba52b7ff
SHA1 hash: 022adcf838d1865291d18e0a34f8fabf0a3bd83f
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
MD5 hash: ce54b9287c3e4b5733035d0be085d989
SHA1 hash: 07a17e423bf89d9b056562d822a8f651aeb33c96
Detections: MALWARE_Win_DLInjector04

SHA256 hash: b4fca44143a4be02afb8f73c2e289ef84569a10b3a735cd5080b3f41d2a49208
MD5 hash: c59d9aee5868a400b5549a14e0474a83
SHA1 hash: 0b478ca75522d4185a92318169526b2d86c39174

SHA256 hash: 3b6a6d606fd22cd8a2029161388e43dde1d38523ea8e65f4df8609455f1b37e3
MD5 hash: fbe8c33081b21e2667d00dca1a4913b0
SHA1 hash: 1316dd84fd888c49f136e3bc0fb37f5178b1dbf8
Detections: MALWARE_Win_DLInjector04

SHA256 hash: 269609f5bc28ea255c6c4ce576c68f2cc3f87b8cb01e185b25e73402454234ad
MD5 hash: 5950b36ae0f305440c6fdada09ae76f2
SHA1 hash: 5268b7cfdae0b5d6be19f4e4a1ed0aaf0cc11bc0
Detections: Socelars INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

SHA256 hash: e8e2ccdc3a025f56216ecd0f1688097a78f562cc4ac052063d1b6a1e9ca47c59
MD5 hash: 5eee94d10d8ac4a2f2f41d645112e3bb
SHA1 hash: d937d21f97a7a748670250b3690e9e8802444402

SHA256 hash: 269e09d1459545ab573f7cc6c480150ec7710048019df38ac0262563fc954595
MD5 hash: f2c44a78923d8fa654f0934fc565c0d1
SHA1 hash: e6efcd2a58de95fdcab5416ad782babb07e585af

SHA256 hash: 6460754c17ab602b0ddfd2a82e637748b4a54139f6dbefa848ff01722a077acc
MD5 hash: 64638fe3e9d9acbcfe027bac3d0a7fab
SHA1 hash: ff0d35497c4d6676a01a57db299df9847b382126

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0
MD5 hash: da70ba6fa59896248f7c05fdcb7d581e
SHA1 hash: 174cb2b083e327a362b6ecac68fe939a40743ffb
Detections: win_smokeloader_a2 SmokeLoaderStage2

SHA256 hash: 245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash: 4f93004835598b36011104e6f25dbdba
SHA1 hash: 6cb45092356c54f68d26f959e4a05ce80ef28483
Detections: win_gcleaner_auto GCleaner SUSP_XORed_Mozilla MALWARE_Win_OnlyLogger

SHA256 hash: 9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f
MD5 hash: 32404da1b26037746f9bf0d5628ea968
SHA1 hash: 8d2bf53983638235d5cc2f81171839801ba02e84
Detections: AutoIT_Compiled

SHA256 hash: 56bc47d13a1d7ac385634f70075ca750b5e6455bef63152eb6ccf4276b9cefa5
MD5 hash: 86e406c290b0e202bbd56c69d9930e12
SHA1 hash: 228b209f2e930be14605dd8ad54c618643367ad1

SHA256 hash: 320cceaa3cd86addb0894acb36225f7cb2a417c21b1de8c457813a8cfb3540d2
MD5 hash: 4afdece0406ace2d8ba0f70a16aa1290
SHA1 hash: f6a574a767919d04f884bb4d03d4650b0198edce
Detections: redline MALWARE_Win_RedLine MALWARE_Win_MetaStealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ASPackv212AlexeySolodovnikov
Author: malware-lu
Rule name: ASProtectV2XDLLAlexeySolodovnikov
Author: malware-lu
Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: detect_Redline_Stealer_V2
Author: Varp0s
Rule name: GenericRedLineLike
Author: Still
Description: Matches RedLine-like stealer; may match its variants.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_MetaStealer
Author: ditekSHen
Description: Detects MetaStealer infostealer
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: pe_imphash
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload
Rule name: RedLine_Stealer_unpacked_PulseIntel
Author: PulseIntel
Description: Detecting unpacked Redline
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Trojan_Generic_40899c85
Author: Elastic Security
Rule name: Windows_Trojan_RedLineStealer_3d9371fd
Author: Elastic Security
Rule name: Windows_Trojan_RedLineStealer_4df4bcb6
Author: Elastic Security
Rule name: Windows_Trojan_RedLineStealer_6dfafd7b
Author: Elastic Security
Rule name: Windows_Trojan_RedLineStealer_f07b3cb4
Author: Elastic Security
Rule name: win_nullmixer_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.nullmixer.
Rule name: win_redline_stealer_generic
Author: dubfib

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: RedLineStealer
File: Executable exe c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::SetFileSecurityW
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments