MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 2 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
SHA3-384 hash: 90031ca48e285cf971049c8665e4d0bdcb648ebdfc422f96a6453a9cfdc3344b80963b2f786c1f5543b2d208b5257734
SHA1 hash: 48c482b54ba17aaa436e348d62b2ddba6855a729
MD5 hash: 1ff08be8f9a879188c1b75815f9fdbef
humanhash: diet-chicken-sink-bacon
File name:CBE35192C04F83D4D3B179A8C229047ADE740AAC3785E.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'814'900 bytes
First seen:2022-06-29 22:56:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBNPkZVi7iKiF8cUvFyPrj1v06CCt5hiVusOG1UuTfm2QaCHyCwEwJ84vLRaBtS:xlri7ixZUvFyPH7JifOSUuTfmtHCvLUq
TLSH T11BD533927ED280FBD7422834494C3FB8B1FEC79C2B205D8B3754DB1D0B399A19535A6A
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
87.251.76.137:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
87.251.76.137:81 https://threatfox.abuse.ch/ioc/736433/
193.124.22.7:35632 https://threatfox.abuse.ch/ioc/738081/

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52B7284B1615A30F3E8E6049F2D3501EFE88334FB837C.exe
Verdict:
Malicious activity
Analysis date:
2021-09-01 06:17:39 UTC
Tags:
evasion trojan stealer
Link:
https://app.any.run/tasks/c3b5b130-7d30-4a74-b48f-5d9146160d82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284418/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Moving a file to the %temp% subdirectory
Running batch commands
Sending a custom TCP request
DNS request
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Blocking the Windows Defender launch
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/22961/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
azorult barys overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62bcd8bf6ad95faf97de6a53/reports/0be843de-3071-499a-82c5-d2f3d01bdd9c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f09d93d-fa25-4ed8-814a-ee4fe8a026cb
Result
Threat name:
Djvu, Nitol, Nymaim, PrivateLoader, RedL
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022246
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected Nitol
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 654742 Sample: CBE35192C04F83D4D3B179A8C22... Startdate: 30/06/2022 Architecture: WINDOWS Score: 100 143 yapiwj07.top 2->143 145 t.me 2->145 147 6 other IPs or domains 2->147 203 Snort IDS alert for network traffic 2->203 205 Multi AV Scanner detection for domain / URL 2->205 207 Malicious sample detected (through community Yara rule) 2->207 209 24 other signatures 2->209 11 CBE35192C04F83D4D3B179A8C229047ADE740AAC3785E.exe 16 2->11         started        14 rundll32.exe 2->14         started        16 svchost.exe 2->16         started        19 7 other processes 2->19 signatures3 process4 file5 111 C:\Users\user\AppData\...\setup_install.exe, PE32 11->111 dropped 113 C:\Users\user\AppData\Local\...\arnatic_4.txt, PE32 11->113 dropped 115 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 11->115 dropped 117 11 other files (none is malicious) 11->117 dropped 21 setup_install.exe 1 11->21         started        26 rundll32.exe 14->26         started        169 System process connects to network (likely due to code injection or exploit) 16->169 171 Changes security center settings (notifications, updates, antivirus, firewall) 19->171 signatures6 process7 dnsIp8 149 motiwa.xyz 99.83.154.118, 49746, 80 AMAZON-02US United States 21->149 151 127.0.0.1 unknown unknown 21->151 153 192.168.2.1 unknown unknown 21->153 103 C:\Users\user\...\arnatic_6.exe (copy), PE32 21->103 dropped 105 C:\Users\user\...\arnatic_5.exe (copy), PE32 21->105 dropped 107 C:\Users\user\...\arnatic_4.exe (copy), PE32 21->107 dropped 109 5 other files (2 malicious) 21->109 dropped 211 Detected unpacking (changes PE section rights) 21->211 213 Performs DNS queries to domains with low reputation 21->213 28 cmd.exe 1 21->28         started        30 cmd.exe 1 21->30         started        32 cmd.exe 1 21->32         started        43 6 other processes 21->43 215 Writes to foreign memory regions 26->215 217 Allocates memory in foreign processes 26->217 219 Creates a thread in another existing process (thread injection) 26->219 34 svchost.exe 26->34 injected 37 svchost.exe 26->37 injected 39 svchost.exe 26->39 injected 41 svchost.exe 26->41 injected file9 signatures10 process11 signatures12 45 arnatic_5.exe 28->45         started        50 arnatic_2.exe 1 30->50         started        52 arnatic_6.exe 32->52         started        173 Sets debug register (to hijack the execution of another thread) 34->173 175 Modifies the context of a thread in another process (thread injection) 34->175 54 svchost.exe 34->54         started        56 arnatic_1.exe 2 43->56         started        58 arnatic_4.exe 14 2 43->58         started        60 arnatic_8.exe 43->60         started        62 2 other processes 43->62 process13 dnsIp14 155 85.202.169.116, 49753, 80 GUDAEV-ASRU Netherlands 45->155 161 15 other IPs or domains 45->161 119 C:\Users\...\pCybuCnpVwZXTafwnT9g_oI7.exe, PE32 45->119 dropped 121 C:\Users\...\hk9c9YoZ16BNTVoo9PxHiZr6.exe, PE32 45->121 dropped 123 C:\Users\...\_OwOoKdJAvTQQo_2Zr1uaKnn.exe, PE32 45->123 dropped 127 20 other files (19 malicious) 45->127 dropped 221 Drops PE files to the document folder of the user 45->221 223 May check the online IP address of the machine 45->223 225 Creates HTML files with .exe extension (expired dropper behavior) 45->225 227 Disable Windows Defender real time protection (registry) 45->227 64 hk9c9YoZ16BNTVoo9PxHiZr6.exe 45->64         started        69 8Il3oxFdo85Qs7Rq5KRLKFwn.exe 45->69         started        71 0ydI_FNUQHgYokuh0KPoN8xn.exe 45->71         started        81 3 other processes 45->81 125 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 50->125 dropped 229 DLL reload attack detected 50->229 231 Detected unpacking (changes PE section rights) 50->231 233 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 50->233 245 4 other signatures 50->245 73 explorer.exe 50->73 injected 163 2 other IPs or domains 52->163 235 Performs DNS queries to domains with low reputation 52->235 157 google.vrthcobj.com 54->157 237 Query firmware table information (likely to detect VMs) 54->237 239 Creates processes via WMI 56->239 75 arnatic_1.exe 56->75         started        165 3 other IPs or domains 58->165 241 Detected unpacking (overwrites its own PE header) 58->241 159 176.111.174.254 WILWAWPL Russian Federation 60->159 167 2 other IPs or domains 62->167 77 WerFault.exe 62->77         started        79 WerFault.exe 62->79         started        file15 243 System process connects to network (likely due to code injection or exploit) 157->243 signatures16 process17 dnsIp18 129 159.69.101.170, 49827, 80 HETZNER-ASDE Germany 64->129 131 t.me 149.154.167.99, 443, 49826 TELEGRAMRU United Kingdom 64->131 99 6 other files (none is malicious) 64->99 dropped 177 Detected unpacking (changes PE section rights) 64->177 179 Detected unpacking (creates a PE file in dynamic memory) 64->179 181 Detected unpacking (overwrites its own PE header) 64->181 201 2 other signatures 64->201 133 193.106.191.81 BOSPOR-ASRU Russian Federation 69->133 183 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 69->183 185 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 69->185 187 Tries to harvest and steal browser information (history, passwords, etc) 69->187 189 Tries to steal Crypto Currency Wallets 69->189 191 Sample uses process hollowing technique 71->191 193 Injects a PE file into a foreign processes 71->193 135 conceitosseg.com 91.195.240.117 SEDO-ASDE Germany 73->135 139 4 other IPs or domains 73->139 85 C:\Users\user\AppData\Roaming\sbfvbaw, PE32 73->85 dropped 195 System process connects to network (likely due to code injection or exploit) 73->195 197 Benign windows process drops PE files 73->197 199 Hides that the sample has been downloaded from the Internet (zone.identifier) 73->199 87 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 75->87 dropped 89 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 75->89 dropped 91 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 75->91 dropped 83 conhost.exe 75->83         started        137 45.141.237.38 SPECTRAIPSpectraIPBVNL Netherlands 81->137 141 2 other IPs or domains 81->141 93 C:\Users\user\AppData\Local\...\D3[1].file, PE32 81->93 dropped 95 C:\Users\user\AppData\...\MIXTWO[1].file, PE32 81->95 dropped 97 C:\Users\user\AppData\Roaming\...\D008r7M.exe, PE32 81->97 dropped 101 2 other files (none is malicious) 81->101 dropped file19 signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 14:12:04 UTC
File Type:
PE (Exe)
Extracted files:
250
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zprvdewaj6b5ju5rpgumekieplphicvmg6c6dggnb7nqbqv7shsq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:glupteba family:nymaim family:redline family:vidar botnet:1448 botnet:517 botnet:933 botnet:937 botnet:cana01 botnet:mount2 aspackv2 discovery dropper evasion infostealer loader persistence ransomware spyware stealer suricata trojan upx vmprotect
Link:
https://tria.ge/reports/220629-2w8thsfde9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
VMProtect packed file
Vidar Stealer
Amadey
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Modifies Windows Defender Real-time Protection settings
NyMaim
Process spawned unexpected child process
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
Malware Config
C2 Extraction:
176.111.174.254:56328
https://sslamlssa1.tumblr.com/
ushatamaiet.xyz:80
adinoreiver.xyz:80
qulyneanica.com:80
https://t.me/ch_inagroup
https://mastodon.social/@olegf9844e
http://acacaca.org/test3/get.php
45.141.237.3
31.210.20.149
212.192.241.16
https://t.me/tg_superch
https://climatejustice.social/@olegf9844
Unpacked files
SH256 hash:
5a580d590efe50a4072580e030ff03a2bdc9cb5bb6424c8167e6cdc106662d80
MD5 hash:
9b8888a96bb81b13d824f42811dd73e4
SHA1 hash:
7a15193d26b0e2fb5f1894fee476aeb6987b2d5f
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
65e857b77577451c4894c0e9b8f3acc64906472b9bf980d76cb209b5b17a6e04
MD5 hash:
385b2e02d14579a16a0f73d48d266191
SHA1 hash:
248abbcee3367b48a98002560f521472b78d51e4
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
140687c607a8adee38572a2b5b5b12dcf4c5eecfa5d2428d34f09b627a71e6bd
MD5 hash:
0b1df2ab5308c2e8927f9adeac08c657
SHA1 hash:
10212be3c4b01016525039786e3f28909be1b96a
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707
MD5 hash:
cfcd04cb50a5d48b368c76a353a8b58a
SHA1 hash:
7d76e8474b4b70d4f8e62653361c7b451a8f2fd2
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
Parent samples :
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SH256 hash:
402654e6eef6841a5b9d79fffbebc2f7d5bbbd80c9988bc475a40e00c20be013
MD5 hash:
1131468f2de537877614e10ef8fd5208
SHA1 hash:
f4d81d4f86e26f7b7be1d414d9d75d4d6c3c87b9
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
55e9a570f195e846308180eaecae9a6155685f8fdfdc2fd06a04dd2d27a5b3cc
MD5 hash:
e7a51852abb1e460c985402a78cda9a4
SHA1 hash:
8d942e23a478f8618dfa512b27ec02b1f72639bf
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
ae33e6803ea079f2d5384e441a7970b3836088d0dff618c3dadca17f73727c87
MD5 hash:
539991cf3212a7886de777aa7363683e
SHA1 hash:
73ad1d82d636ecf58aee979ad78901e794a864b6
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
009a646d7947ad7d9050657f133bc8082d0624115ee1bf65b45770603a16d873
MD5 hash:
6d1c9ca9a35c85c5b6e64c765072633b
SHA1 hash:
d4f98c3ad7c02752d0d2c1eea622f67dd86c0e61
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
3c33e130ffc0a583909982f29c38bffb518ae0fd0ef7397855906beef3cd993d
MD5 hash:
4a1a271c67b98c9cfc4c6efa7411b1dd
SHA1 hash:
e2325cb6f55d5fea29ce0d31cad487f2b4e6f891
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
6f224c710a5362f9f7a83c9f4e2333019ebc807927fbd50efbc4407c0e820540
MD5 hash:
3f3b3883dcbde2d0cf4d5a7ac731627f
SHA1 hash:
c362de5f7def6ec5987ee4f9c089f00a3792a5c0
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
a0a30765d8de60813e2afee8d8045c6ef32ebdd81edd20e9b4d16cd7e470d24f
MD5 hash:
1c6c5449a374e1d3acecbf374dfcbb03
SHA1 hash:
3af9b2a06e52c6eaa666b3b28df942097f16b078
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
9717f526bf9c56a5d06ccd0fb71eef0579d26b7100d01665b76d8fdd211b48bd
MD5 hash:
dbc3e1e93fe6f9e1806448cd19e703f7
SHA1 hash:
061119a118197ca93f69045abd657aa3627fc2c5
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
fa77b39f876da8e3e11593802fb182b86d222f9146960c9aa0d1436a8869f332
MD5 hash:
161ac43836b1881587475ee5107a82ea
SHA1 hash:
d9b25758444c776e6150507cfb9c0e490242eac1
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
SH256 hash:
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
MD5 hash:
1ff08be8f9a879188c1b75815f9fdbef
SHA1 hash:
48c482b54ba17aaa436e348d62b2ddba6855a729
Link:
https://www.unpac.me/results/bfcdca55-aa95-47c2-9f15-89f4f93ffd0c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbe35192c04f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/284418/

Comments