MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb7d321954760de22ccbf59ece43d94e503350b18203df4e3fffd3833fda1c2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: cb7d321954760de22ccbf59ece43d94e503350b18203df4e3fffd3833fda1c2c
SHA3-384 hash: 11ab7aa8481724d65e1c67241d6d983487f983f55214034e91ba7bac33f72ea1a664991fa555a076e512ed06bc26063a
SHA1 hash: 2241076986bde4949b7afdaf0e6e8b9fe325cb64
MD5 hash: 5918f9797058d07d2c34cccc2e3fe161
humanhash: friend-music-montana-finch
File name: CB7D321954760DE22CCBF59ECE43D94E503350B18203D.exe
Signature: RedLineStealer
File size: 6'364'087 bytes
First seen: 2021-11-09 06:20:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:ycHNuZtCApDAO99aQ3r2Y/7Tr/ci39bBR:yccrCAdAM3P4gv
Threatray: 1'190 similar samples on MalwareBazaar
TLSH: T18356334CEA918DD7FE02083AD86E961583E223E81464BB927D7814DBD335E34F059EB7
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://194.180.174.182/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://194.180.174.182/
ThreatFox reference: https://threatfox.abuse.ch/ioc/245154/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 120
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys glupteba overlay packed redline virus
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Backstage Stealer FormBook RedLine Socel
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected FormBook
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID 518218, sample started 09/11/2021 on Windows, score 100. The graph shows the sample dropping and starting setup_installer.exe, which drops setup_install.exe and several Wed05*.exe payloads launched via cmd.exe, with flagged behaviours including adding a Windows Defender directory exclusion, disabling Defender real-time protection, injecting a PE file into a foreign process and harvesting browser information.]
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-09-22 12:40:59 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar family:xloader botnet:706 botnet:matthew2009 botnet:nanani campaign:s0iw aspackv2 backdoor evasion infostealer loader rat stealer suricata themida trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Xloader Payload
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Xloader
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
Unpacked files (per-file SHA256/MD5/SHA1 hash list omitted)
Detections: win_socelars_auto
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments