MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
SHA3-384 hash: a8ff3103be7c78cee689cd56d699789d7dadf1156f797441ee1e9a72ab9b30fa037d642f1dcf4c262fb35a05609b9a47
SHA1 hash: 34e36e640492423d55b80bd5ac3ddb77b6b9e87c
MD5 hash: 94f06bfbb349287c89ccc92ac575123f
humanhash: magazine-leopard-queen-xray
File name: 34e36e640492423d55b80bd5ac3ddb77b6b9e87c.exe
Signature: RedLineStealer
File size: 646'144 bytes
First seen: 2021-10-03 23:40:20 UTC
Last seen: 2021-10-04 00:48:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5e66d8d528d67d716d50d46578794396 (1 x DiamondFox, 1 x RedLineStealer)
ssdeep: 12288:yDt6vSvIGmVujfMGTFXTktmgGak6H3lP3XJik0YhBhr60p:yDMVnGhIt876j0KDr60p
TLSH: T19BD4493155A4F866F4A50CB8A1A6E3B798286F798AD78493F2B1773F86313C07C24537
dhash icon: 31f8ce8282c0e001 (3 x DiamondFox, 3 x AgentTesla, 2 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
195.2.93.217:59309

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 195.2.93.217:59309
ThreatFox reference: https://threatfox.abuse.ch/ioc/230020/

Intelligence


File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
x86_x64_setup.exe
Verdict:
Malicious activity
Analysis date:
2021-08-16 01:24:49 UTC
Tags:
trojan evasion stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
anti-debug anti-vm greyware packed
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Found C&C like URL pattern
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Threat name:
Win32.Trojan.Chapak
Status:
Malicious
First seen:
2021-08-14 01:40:21 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
Score:
10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:937 agilenet backdoor evasion infostealer spyware stealer themida trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
MD5 hash:
94f06bfbb349287c89ccc92ac575123f
SHA1 hash:
34e36e640492423d55b80bd5ac3ddb77b6b9e87c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments