MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs 2 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0
SHA3-384 hash: 34c553b4f3e3d0cbe63e955e1deadb1b24c21f022edf918fd481d2339dcd3fd3f8bc80532b0ff29c5421467d9e75f39f
SHA1 hash: 05eea6a2a013a26aa9ca335eb251555a9817fed4
MD5 hash: d6c4b18be0a99d5f8ae5c23449bb5ad8
humanhash: california-football-timing-johnny
File name:CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'468'201 bytes
First seen:2022-08-06 16:05:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:ycj2hkl87NM9C15e2oGHbe6c/0MSxTHKfqCW87cWCxvYVjBE:ycC51LoGHa6c5YTqMwnCCE
TLSH T1974633098BA6187BF6681676FB67102F7357E3270E164BE76B0D7001F4A728ACC77258
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
194.36.177.7:39556

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.36.177.7:39556 https://threatfox.abuse.ch/ioc/841642/
65.108.231.254:29517 https://threatfox.abuse.ch/ioc/841643/

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe
Verdict:
No threats detected
Analysis date:
2022-08-06 16:06:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fb7eb3e-7bf0-4423-97cc-cb05614db6bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/296881/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Socelars-9901323-1
Create hunting rule

Win.Packed.Socelars-9901325-1
Create hunting rule

Win.Malware.Socelars-9901376-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28246/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62ee916d6336465f2a1adc15/reports/80daac4d-153f-43b1-a81f-6f1141aabe6f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8c87921-15b0-4bf7-989f-e09db9b80f9e
Result
Threat name:
Nymaim, RedLine, Socelars, Vidar, onlyLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1047307
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 679801 Sample: CB7D7FE72BDC9B5C0DA00A175AD... Startdate: 06/08/2022 Architecture: WINDOWS Score: 100 109 safialinks.com 2->109 133 Snort IDS alert for network traffic 2->133 135 Malicious sample detected (through community Yara rule) 2->135 137 Antivirus detection for URL or domain 2->137 139 22 other signatures 2->139 13 CB7D7FE72BDC9B5C0DA00A175AD4354037473B71F8A9F.exe 10 2->13         started        16 rundll32.exe 2->16         started        18 WmiPrvSE.exe 2->18         started        signatures3 process4 file5 101 C:\Users\user\AppData\...\setup_installer.exe, PE32 13->101 dropped 20 setup_installer.exe 22 13->20         started        23 rundll32.exe 16->23         started        process6 file7 79 C:\Users\user\AppData\...\setup_install.exe, PE32 20->79 dropped 81 C:\Users\user\...\Tue07ef9e317e0f6ae.exe, PE32 20->81 dropped 83 C:\Users\user\AppData\...\Tue07e35cf558.exe, PE32 20->83 dropped 85 17 other files (12 malicious) 20->85 dropped 26 setup_install.exe 1 20->26         started        145 Writes to foreign memory regions 23->145 147 Allocates memory in foreign processes 23->147 149 Creates a thread in another existing process (thread injection) 23->149 30 svchost.exe 23->30 injected signatures8 process9 dnsIp10 125 127.0.0.1 unknown unknown 26->125 127 hsiens.xyz 26->127 153 Performs DNS queries to domains with low reputation 26->153 155 Adds a directory exclusion to Windows Defender 26->155 32 cmd.exe 26->32         started        34 cmd.exe 26->34         started        36 cmd.exe 26->36         started        38 14 other processes 26->38 157 Sets debug register (to hijack the execution of another thread) 30->157 159 Modifies the context of a thread in another process (thread injection) 30->159 signatures11 process12 signatures13 41 Tue07006d6b7c.exe 32->41         started        46 Tue07e35cf558.exe 34->46         started        48 Tue070aab9bc86b572.exe 36->48         started        143 Adds a directory exclusion to Windows Defender 38->143 50 Tue07a633a94f9.exe 38->50         started        52 Tue0741bc096fd881d2.exe 38->52         started        54 Tue07267c17f2f5.exe 38->54         started        56 10 other processes 38->56 process14 dnsIp15 111 212.193.30.115 SPD-NETTR Russian Federation 41->111 119 10 other IPs or domains 41->119 89 C:\Users\user\AppData\...\Service[1].exe, PE32 41->89 dropped 91 C:\Users\user\...\zaebalidelete2_2.bmp.exe, PE32 41->91 dropped 93 C:\Users\user\Pictures\...\wam.bmp.exe, PE32+ 41->93 dropped 99 11 other files (none is malicious) 41->99 dropped 161 Antivirus detection for dropped file 41->161 163 Multi AV Scanner detection for dropped file 41->163 165 Tries to harvest and steal browser information (history, passwords, etc) 41->165 167 Disable Windows Defender real time protection (registry) 41->167 58 Conhost.exe 41->58         started        95 C:\Users\user\AppData\...\Tue07e35cf558.tmp, PE32 46->95 dropped 169 Obfuscated command line found 46->169 171 Machine Learning detection for dropped file 46->171 60 Tue07e35cf558.tmp 46->60         started        183 2 other signatures 48->183 64 explorer.exe 48->64 injected 113 ip-api.com 208.95.112.1, 49743, 80 TUT-ASUS United States 50->113 115 staticimg.youtuuee.com 50->115 173 May check the online IP address of the machine 50->173 175 Contains functionality to steal Chrome passwords or cookies 50->175 117 www.listincode.com 103.224.212.220, 443, 49759 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 52->117 121 3 other IPs or domains 52->121 66 mshta.exe 54->66         started        123 10 other IPs or domains 56->123 97 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 56->97 dropped 177 Detected unpacking (changes PE section rights) 56->177 179 Detected unpacking (overwrites its own PE header) 56->179 181 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 56->181 185 3 other signatures 56->185 file16 signatures17 process18 dnsIp19 129 safialinks.com 60->129 131 best-link-app.com 60->131 103 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 60->103 dropped 105 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 60->105 dropped 107 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 60->107 dropped 68 Conhost.exe 60->68         started        71 cmd.exe 66->71         started        file20 process21 file22 141 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 68->141 87 C:\Users\user\AppData\...\SkVPVS3t6Y8W.EXe, PE32 71->87 dropped 74 SkVPVS3t6Y8W.EXe 71->74         started        77 conhost.exe 71->77         started        signatures23 process24 signatures25 151 Antivirus detection for dropped file 74->151
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 03:41:00 UTC
File Type:
PE (Exe)
Extracted files:
158
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zn6x7zzl3snvydnabilvvvbvia3uoo3r7cu725r5pggijrcem7aa._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:onlylogger family:privateloader family:raccoon family:redline family:socelars family:vidar botnet:109c5b577d4bc7aa7c26c1a8a3b55988 botnet:706 botnet:@hfcdvjjdsxvb botnet:@stealfate botnet:druwe botnet:media26 aspackv2 discovery evasion infostealer loader main persistence rat spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/220806-tj3gzagdgl/
Behaviour
Enumerates processes with tasklist
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Looks for VMWare Tools registry key
VMProtect packed file
Looks for VirtualBox Guest Additions in registry
OnlyLogger payload
Vidar Stealer
DcRat
Modifies Windows Defender Real-time Protection settings
OnlyLogger
PrivateLoader
Process spawned unexpected child process
Raccoon
Raccoon Stealer payload
RedLine
RedLine payload
Socelars
Socelars payload
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
http://45.133.1.182/proxies.txt
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
https://mas.to/@bardak1ho
91.121.67.60:62102
194.36.177.7:39556
185.106.92.8:38644
135.125.40.64:15456
62.204.41.144:14096
http://46.249.58.152/
65.108.27.131:45256
Unpacked files
SH256 hash:
4413ed75935b9f14dfc0552c995965ab9a56a3017e4cef97ce95fd97000c5dbf
MD5 hash:
82f42e8233a78f81d3f67cc5861b5278
SHA1 hash:
f34aae9ee8fbf32747a3c6b3849b281ad07f75fe
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
0261a5efd7937ddde71e959c1040aa57f84e62f3546370a2541c28782b652d2d
MD5 hash:
0dcea35b0b4e273fd2cc5a647ec287ed
SHA1 hash:
4ddb9256fa7b48c7b2724499d324126206565093
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
bc945e03237641e79cb1a9b5399fffafce68daa318430e959b701aa3f4628c05
MD5 hash:
5275ae278e347d83fb061a92e979fe86
SHA1 hash:
6c1118b87f366df72a25f1988f740ea6753984cd
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
cc40fc4502d705d9698fd9d9493efdd39f6fcd0f0e03678eef29773b80e51ff9
MD5 hash:
bf8b0c8e992a344ce312c8a939fa1c9e
SHA1 hash:
3e207a18a539ab6ec17737e6fe79562f59502718
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
2cf67278ce63932f7efabdee1be667555c408718fca6622de2456b8e59db69cf
MD5 hash:
7b9e5d37881a3e58e26e22c79de09d47
SHA1 hash:
0cf699c041c6f7ad485b77f25403776aab99c057
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
3fd064dfa5e9ef6016845046f35b05f1b619411f469ff7e60c49772162879419
MD5 hash:
2d484c4f2224af41c813a1769a103c7f
SHA1 hash:
53a2609394d73797578ce78e06e4d4857d1082e4
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
Parent samples :
cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
SH256 hash:
66d9e7d002b91df4aa572228d3c4a1d41997fff54555d0aa2e903f993f307814
MD5 hash:
17df2b7340cf3291107bfd454d0ca856
SHA1 hash:
00458e02751bb0e2cc268730a0cac2689249b1a7
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
ce2fb413c1967c8ac8fe054d912d7476d6361a7d57db42a6740a7fc85998d9fc
MD5 hash:
ae3f1c6f86768467210446678b8e0a11
SHA1 hash:
7d3275ff05b8ad2b9b141b48f22a8a0e9c53eb29
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d
MD5 hash:
2c509753fac93810c09574a8b56af1e4
SHA1 hash:
e53da7ff5a9cfc3bda21794d639ed1f02cd7a881
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
d33a66d2fa2eaa7c4b0eb5e6be32fb9f50ef75f6a6ff270283b8ba341318522d
MD5 hash:
def584ee9c568e8b1cc4c1583161056e
SHA1 hash:
ce95965a23572a8b4401fca12e6e6fc690197d9c
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
d7172829b5d80ec447ac943d999b251c715489ae55ddc5ce982810569637267d
MD5 hash:
295488882cece566b887c9b44ceec1b7
SHA1 hash:
a61f15fb42cc7964c6557ce3f5bc8f88fc01a7c8
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
9a528cb1e010c11ed92aa9810e0021aee1b7c11e85db13e8b6bf97928c6cac5b
MD5 hash:
5678604b22617049dc686b524d3b583f
SHA1 hash:
98e0fc4a00542239f649459ccf8f6de22cb5e43e
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
d54903edd3348d7679c83bb5bce23e17be436149362a4fd8f5c8769592653e44
MD5 hash:
309f343eafe28e24e2efe6e99296022c
SHA1 hash:
89801a8969215fd7d5b07758124f219e33f7310a
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
25b6cb6543b180ddbfadf99669b3fd2fa5c161eda6a429f1302336c4af46579e
MD5 hash:
f7835f28fcdb0265b88b6a972920cf30
SHA1 hash:
73db2c230e7e8acb375b04649da9d0495f25d734
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
61b729cba675532dd002ce61b17a71e7c25463ca99ae7d5ac25604434e737f96
MD5 hash:
1be8caa3f1c04c9966f28106cf5e4172
SHA1 hash:
64341120c14c3d7c8c6060e9c77db1f0a54e5a72
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
04dbe4f2abf01a7d9b3810578c8dc08ac12bc426d1a7feda372c0aa1fc783e38
MD5 hash:
552599c0b113d687622a5b55e3502da9
SHA1 hash:
5e3f2a55325416306b43b84c18b408a311029a2b
Detections:
win_privateloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
472186b4b04ce451bfbc2f05095e8bbb9647e03a416182a45c0e6c261f4441e0
MD5 hash:
546a7a6f3635ef2ef039db79cc43d9bf
SHA1 hash:
bac10d0d1835bf7ce60fb3d73f573657ee8b585d
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
407ca6f8c20862eb4e7981afcaba6bd7b18d9db8fad3f4c38bd805b8a5addc22
MD5 hash:
c0ca3c2fd7bc232e0aa00cb778cc38b9
SHA1 hash:
250a0b179b00d6cce7e295f01d2fff7f5a20478b
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
dde41eba390d52e009a15d0f00bd667dabf967d9756bdfb95328ca4dc4b3dd87
MD5 hash:
c8396c5b3731c76993a7f88c873a5a03
SHA1 hash:
650c951d18015ff25496dce16081b99cc00a0f23
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
53dfb9dd442603e241cc38499c1276d1ce0ae298b56318eeddfcf34cfb9d863b
MD5 hash:
b28c5805a5ca9d249659f8356a70344b
SHA1 hash:
8fd719b9077e2a92d7fe5efa22bacf8784acfd4e
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
SH256 hash:
cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0
MD5 hash:
d6c4b18be0a99d5f8ae5c23449bb5ad8
SHA1 hash:
05eea6a2a013a26aa9ca335eb251555a9817fed4
Link:
https://www.unpac.me/results/3f89dfbc-6da8-4174-b09b-fc739ab9fca9/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb7d7fe72bdc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_b
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296881/

Comments