MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9e89292fdb05da1abf2fe75b33be2cb892611477c4373d2746edbafa951ddba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: c9e89292fdb05da1abf2fe75b33be2cb892611477c4373d2746edbafa951ddba
SHA3-384 hash: c7216aec0fdc028c8c32d1342dfb1d2d47cc8105a7e17d587acdfedc5bc055cd61e702b539e7051a71a94f828ff9f8c1
SHA1 hash: 4536c7daf4fb4418feb114be4b8c66ca7ada7ada
MD5 hash: ba706bbdcfde2af92453141ca04f5a2a
humanhash: mockingbird-kitten-island-washington
File name: ba706bbdcfde2af92453141ca04f5a2a.exe
Signature: RedLineStealer
File size: 7'657'864 bytes
First seen: 2022-02-10 08:10:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:xWwp8LztT67LGwNf1o8Ji6voa/ZZ1RndUiVjwSCm+OW3T7QOAE:xFpaztT6HNf1LJMmZ1RndXwSQHoE
Threatray: 5'521 similar samples on MalwareBazaar
TLSH: T1577633B572F100B7F811DFB47A0C6F21B6BCF108AB14946B375966CA9EEC1206A56CDC
File icon (PE): PE icon
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
92.255.57.154:11841

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
92.255.57.154:11841    https://threatfox.abuse.ch/ioc/384526/

Intelligence


File Origin
# of uploads: 1
# of downloads: 239
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Launching a process
DNS request
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
manuscrypt overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 569917; Sample: 2kkethlyxG.exe; Startdate: 10/02/2022; Architecture: WINDOWS; Score: 100 (text recovered from the behavior graph image)
Network: 195.189.227.68 (OMNILANCEhttpomnilancecomUA, Ukraine); ip-api.com 208.95.112.1, 49756, 80 (TUT-ASUS, United States); 17 other IPs or domains
Signatures on the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 18 other signatures
Process tree:
  2kkethlyxG.exe (started)
    dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\...\61ff871d2148f_Sun08b95111f9ee.exe (PE32); C:\Users\...\61ff871cc2f5e_Sun08c2cfbb004.exe (PE32); 16 other files (11 malicious)
    setup_install.exe (started)
      signature: Disables Windows Defender (via service or powershell)
      cmd.exe (started) -> 61ff870b61810_Sun08a85eb1a.exe (started)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
      cmd.exe (started) -> 61ff870ed5994_Sun08d691f0787.exe (started)
        dropped: C:\Users\...\61ff870ed5994_Sun08d691f0787.tmp (PE32)
        signature: Obfuscated command line found
      cmd.exe (started)
        signature: Disables Windows Defender (via service or powershell)
        -> powershell.exe (started)
      3 other processes -> 61ff870a9db69_Sun0849acc17.exe (started)
Threat name:
Win32.Ransomware.StopCrypt
Status:
Malicious
First seen:
2022-02-07 07:56:00 UTC
File Type:
PE (Exe)
Extracted files:
538
AV detection:
32 of 43 (74.42%)
Threat level:
5/5
Result
Malware family:
socelars
Score:
10/10
Tags:
family:onlylogger family:redline family:smokeloader family:socelars botnet:media450 agilenet aspackv2 backdoor discovery infostealer loader persistence spyware stealer suricata trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates processes with tasklist
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://www.tpyyf.com/
92.255.57.154:11841
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files
SHA256 hash:
c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0
MD5 hash:
da70ba6fa59896248f7c05fdcb7d581e
SHA1 hash:
174cb2b083e327a362b6ecac68fe939a40743ffb
SHA256 hash:
855afddeb1055fa089c8d6980594dc7fb9650c7a2cc0e4b227d6e562cd5426b2
MD5 hash:
132b6ad90713f2a7ac644024dbd2aec4
SHA1 hash:
1edea8780941c2dadfe7855dc34f90b4e2bac51e
SHA256 hash:
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash:
4f93004835598b36011104e6f25dbdba
SHA1 hash:
6cb45092356c54f68d26f959e4a05ce80ef28483
SHA256 hash:
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash:
83b531c1515044f8241cd9627fbfbe86
SHA1 hash:
d2f7096e18531abb963fc9af7ecc543641570ac8
SHA256 hash:
0e5eea0116bab4580822eb431ad8d22b80ac30927c270594b104151f33bf1739
MD5 hash:
9b2071a9c9263b03768654b6099e491a
SHA1 hash:
29eae909c2c54b75c49c5a0955d57ac055d0dd20
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
955be37392c9625f0255b954be9940d7304f6d1a286d9f068a8c4bd3faa689bd
MD5 hash:
17652977438f76866cb1fb0c66498fe8
SHA1 hash:
ae77de71238af2bbe1049f14ee84bf7ab2f074c5
SHA256 hash:
079d3e7f0c6ba5b5de3bde11557f62fc5c39c3356e9c7f46c5d6f1fe7bdc93fc
MD5 hash:
e0b43c5b1f03945763c8577a5a72a0c3
SHA1 hash:
8852086db180cb233442f8c84550614e90eb5da7
SHA256 hash:
d71accd2bb8cebda92d96a3d1735caeb5bba6e5eee1fb5366fa8303888903037
MD5 hash:
daf81d3ba13a7d9057048bb1020f1064
SHA1 hash:
7d644b40a7b8c05f8399ab8e67014638e81f9007
SHA256 hash:
2848780a68b46d1f7a91df0dc200e6bf53c803cf5dafd7928f3d092bb8c718cd
MD5 hash:
fcb60398c77aecfee22e46ff342f4845
SHA1 hash:
76ca7534071927957121018e4667da41c86148cf
SHA256 hash:
cf9a039164e7c1e819ff2c339c22b04c5817f964fe3b7a4fddfd93184ec66f5f
MD5 hash:
6e321ae3b57d835524d2a24cf76243a6
SHA1 hash:
72338edf6b69aeb1fdc0324472e48c7e8d6ab970
SHA256 hash:
eb92d5dae7108e69aff106b6bb188abce04740919099b5eba87c56b8ef4493f1
MD5 hash:
2fe1fbe1cf3b63c2b9d04859ba27b5a7
SHA1 hash:
6d82b25f27939d2c712ca76d267437569799518a
SHA256 hash:
9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f
MD5 hash:
32404da1b26037746f9bf0d5628ea968
SHA1 hash:
8d2bf53983638235d5cc2f81171839801ba02e84
SHA256 hash:
44d791e7badbcffd2638516481b74b8cdfafb0698f98e43509188d60ae61a701
MD5 hash:
2e53a5ad1d9deb7ef83234b08d2cd787
SHA1 hash:
5a6ecfbb3799d1502fdec90b0afcba55f8b53b61
SHA256 hash:
d679d92a93430bd1765ae367d10da6ff00986c905b08fad10ed66b337ba1bcae
MD5 hash:
fe728bb8c9a99a90f84fdd51ca6d4d39
SHA1 hash:
7e14440bc5dcba1f796e759a248fbca99abf9ac9
SHA256 hash:
a31e255b7d23da776ad3252f00bc9b304eae1a9b7b88e11be90dd1616af8245c
MD5 hash:
99c704c83d168d64d842a220c6a99cf4
SHA1 hash:
f8657fe16e4bee422461023d8342401326db41a8
SHA256 hash:
4ee90a345ca65c39806aebeb24affa6e258763ea493c2b171730d49fa3d7f287
MD5 hash:
18db95c4763af39a92f77d81daa89bbe
SHA1 hash:
6c1ddad153374a12130f35c3f7c59cda277c0108
SHA256 hash:
7f3704129e1705dc4aa3fe9aefe576de4a857b292bbce434ad8ddda11d931324
MD5 hash:
1be5556419dbca7b878f093955e1791d
SHA1 hash:
b2f533cab6398ddf375c0b57bd60dc2993ff631e
SHA256 hash:
f2dff1527f5be311b21b47883544621e5ae898672f43b63eaec253b5d49d0d12
MD5 hash:
20bb6a1447d84f45d2524f404899929c
SHA1 hash:
7242b66e49c05fda86545a51607fbadd9aed4516
SHA256 hash:
9c0508b8fadfa0906dde0c65efa90f76e08b75c19b17c26b3a51edc31c340be6
MD5 hash:
b96d2bd3035c042eec6ae7c4113519f6
SHA1 hash:
8931f57bd5c910a3ba5281b41f2ff09e1d71c143
SHA256 hash:
569c7517d42078ece4e449652b254845deb7025580eaa2e306df70a2cfa704e8
MD5 hash:
33ad200bb778f31005130e20bdaca616
SHA1 hash:
b8bbdef31d1825090f6a5c92fbcd7ef52b2b6a27
SHA256 hash:
c9e89292fdb05da1abf2fe75b33be2cb892611477c4373d2746edbafa951ddba
MD5 hash:
ba706bbdcfde2af92453141ca04f5a2a
SHA1 hash:
4536c7daf4fb4418feb114be4b8c66ca7ada7ada
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: quakbot_halo_generated
Author: Halogen Generated Rule, Corsin Camichel
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments