MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd32b9face07e67bd602c5fc4eabba1f1cd9d8ea969832d13e5c0fa829e9b948. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: cd32b9face07e67bd602c5fc4eabba1f1cd9d8ea969832d13e5c0fa829e9b948
SHA3-384 hash: 87dbd4e1026c1cdc1f5bec049746375a659b4b121addbd2a89f0a2f714ff97ca3a452ff1efef3f60cb6cf46e5a26e4bd
SHA1 hash: 3769df74bf61a78ac63f69a478b3603c3ee2791b
MD5 hash: a63886297624a5fc3b0c2e1c049869c4
humanhash: uranus-pasta-bravo-white
File name: a63886297624a5fc3b0c2e1c049869c4.exe
Signature: RedLineStealer
File size: 7'657'165 bytes
First seen: 2022-02-09 10:41:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:x3wp8LztT67LGwNf1o8Ji6voa/ZZ1RndUiVjwSCm+OW3T7V0aOAh:xgpaztT6HNf1LJMmZ1RndXwSQHWeh
Threatray: 5'451 similar samples on MalwareBazaar
TLSH: T1377633F8B6F000B6F821DFB47A0C6F21B6BCB1196B14446B375566C99FFC060AA568DC
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
92.255.57.154:11841

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
92.255.57.154:11841    https://threatfox.abuse.ch/ioc/384526/

Intelligence


File Origin
# of uploads: 1
# of downloads: 200
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Launching a process
Sending an HTTP GET request
DNS request
Using the Windows Management Instrumentation requests

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a

Threat name: Win32.Backdoor.Aicat
Status: Malicious
First seen: 2022-02-07 16:47:31 UTC
File Type: PE (Exe)
Extracted files: 538
AV detection: 23 of 28 (82.14%)
Threat level: 5/5

Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:smokeloader family:socelars botnet:media450 agilenet aspackv2 backdoor discovery infostealer loader persistence spyware stealer suricata trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates processes with tasklist
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://www.tpyyf.com/
http://host-data-coin-11.com/
http://file-coin-host-12.com/
92.255.57.154:11841
Unpacked files
SHA256 hash: ad24e17c2854da31abb6fa1feb191c3082df5402a76939fabeeb735415257fae
MD5 hash: 56171f8ada2e25e9c12d41c318e19254
SHA1 hash: 15b30cc23bc4c528cd3cabf6d3ce0461542ef586

SHA256 hash: c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0
MD5 hash: da70ba6fa59896248f7c05fdcb7d581e
SHA1 hash: 174cb2b083e327a362b6ecac68fe939a40743ffb

SHA256 hash: 855afddeb1055fa089c8d6980594dc7fb9650c7a2cc0e4b227d6e562cd5426b2
MD5 hash: 132b6ad90713f2a7ac644024dbd2aec4
SHA1 hash: 1edea8780941c2dadfe7855dc34f90b4e2bac51e

SHA256 hash: 245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash: 4f93004835598b36011104e6f25dbdba
SHA1 hash: 6cb45092356c54f68d26f959e4a05ce80ef28483

SHA256 hash: 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash: 83b531c1515044f8241cd9627fbfbe86
SHA1 hash: d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256 hash: 0e5eea0116bab4580822eb431ad8d22b80ac30927c270594b104151f33bf1739
MD5 hash: 9b2071a9c9263b03768654b6099e491a
SHA1 hash: 29eae909c2c54b75c49c5a0955d57ac055d0dd20

SHA256 hash: 955be37392c9625f0255b954be9940d7304f6d1a286d9f068a8c4bd3faa689bd
MD5 hash: 17652977438f76866cb1fb0c66498fe8
SHA1 hash: ae77de71238af2bbe1049f14ee84bf7ab2f074c5

SHA256 hash: a43160922931fe4ef2962d544cbcb777199e65356d90844eb9acb37a3cf59fcb
MD5 hash: 324dac80d2325451a3d93fa5450a9884
SHA1 hash: 9b18ba58a7c4633b4a7dc5884dfb1094230fb78d

SHA256 hash: d71accd2bb8cebda92d96a3d1735caeb5bba6e5eee1fb5366fa8303888903037
MD5 hash: daf81d3ba13a7d9057048bb1020f1064
SHA1 hash: 7d644b40a7b8c05f8399ab8e67014638e81f9007

SHA256 hash: 2848780a68b46d1f7a91df0dc200e6bf53c803cf5dafd7928f3d092bb8c718cd
MD5 hash: fcb60398c77aecfee22e46ff342f4845
SHA1 hash: 76ca7534071927957121018e4667da41c86148cf

SHA256 hash: cf9a039164e7c1e819ff2c339c22b04c5817f964fe3b7a4fddfd93184ec66f5f
MD5 hash: 6e321ae3b57d835524d2a24cf76243a6
SHA1 hash: 72338edf6b69aeb1fdc0324472e48c7e8d6ab970

SHA256 hash: eb92d5dae7108e69aff106b6bb188abce04740919099b5eba87c56b8ef4493f1
MD5 hash: 2fe1fbe1cf3b63c2b9d04859ba27b5a7
SHA1 hash: 6d82b25f27939d2c712ca76d267437569799518a

SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f
MD5 hash: 32404da1b26037746f9bf0d5628ea968
SHA1 hash: 8d2bf53983638235d5cc2f81171839801ba02e84

SHA256 hash: 3fd6d26ea882634f97354761f075e01599e0dc5a639855c1a1b55981345e8d7b
MD5 hash: c8584c9f12c686095f8ee0e4063e7206
SHA1 hash: 56b6c41902126c8d4ef242325ed664827a2417eb

SHA256 hash: 48f777e62baeba46a9d704058c60ccc43d92093ee9b3d2ed640567d060f93916
MD5 hash: d5f4bcda3719dc9c85578e2273e3dadf
SHA1 hash: 2a7039153d288616d4ca137a8719cc84f582b9fa

SHA256 hash: 8d7732e3d82b00a668fdde9100d07eb7dab5c4c7aa365e4bc4353700990c3161
MD5 hash: 289a21d7942b99f84e1648b60a2e74c7
SHA1 hash: b5700c0264da8c1ba2ec4163d9b43cc8bc4026fc

SHA256 hash: 46fc558bd3de9cdb64970e10bf671f5af14d600063be4e51e827d2a618c62aff
MD5 hash: 35aef83875d74c3bb438f52ccce37bc4
SHA1 hash: d9247892756d6e424e57b6d7fd81978d2d4a1473

SHA256 hash: 5ff2db7c702765d5288c0cfc3dd646dbc7da38ed6afab25a208b8db56f93b1ed
MD5 hash: cd70748720f0290d5b326041742c1041
SHA1 hash: c995fdeab56e38b3cda76ba8d38a526bcbfb90ad

SHA256 hash: d2ad8a85da4af707be75e25d9048a9bdb78f47dcf7ee83ede57ee08c55e75957
MD5 hash: ac60001d37580d89bab2c17fa7cbd85d
SHA1 hash: b5533093a338228d113ad949d6eaa4902630dfd1

SHA256 hash: 263e0ea2db3980bc873d0f58b945f809f577ebb6c1e56303d70de23121dc158a
MD5 hash: 19213caedd4273f86c98a00824d7a85b
SHA1 hash: 42830fbab03b27918db74c8802aa8a324025db05

SHA256 hash: cd32b9face07e67bd602c5fc4eabba1f1cd9d8ea969832d13e5c0fa829e9b948
MD5 hash: a63886297624a5fc3b0c2e1c049869c4
SHA1 hash: 3769df74bf61a78ac63f69a478b3603c3ee2791b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: quakbot_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments