MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0d946651c56c06d9ca14c32608fe26da018ed117f7d196fb4aef17c63e1de6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 12

SHA256 hash: d0d946651c56c06d9ca14c32608fe26da018ed117f7d196fb4aef17c63e1de6f
SHA3-384 hash: bf53f2da058c5a3d696a973f71ec78410cd721fc370b53a8e921355f60fbafdced8e795c46aac04a749c3d2ec665a6d1
SHA1 hash: a8b6af2915fb93e9bc5c60e36551e09244471846
MD5 hash: a043a69dd5bc7b5e61d606f3a678d6c1
humanhash: sodium-cat-december-one
File name: A043A69DD5BC7B5E61D606F3A678D6C1.exe
Signature: RedLineStealer
File size: 3'787'485 bytes
First seen: 2021-03-24 07:12:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:UbD1dI6claIxZkrwentG2P8a8hw2kvpD3sv:Uf1dvcljZJMJP8RC752
Threatray: 10 similar samples on MalwareBazaar
TLSH: A2063342B7D869B2D1720A325938E765253C7E212F268A9FF3D4262EDF740D0DA30B57
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://whitegarden.top/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox reference
http://whitegarden.top/  https://threatfox.abuse.ch/ioc/4783/

Intelligence


File Origin
# of uploads: 1
# of downloads: 135
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: A043A69DD5BC7B5E61D606F3A678D6C1.exe
Verdict: Malicious activity
Analysis date: 2021-03-24 07:36:01 UTC
Tags: evasion trojan loader stealer autoit

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Sending a UDP request
Creating a file
DNS request
Launching a process
Creating a file in the %temp% directory
Sending a custom TCP request
Reading critical registry keys
Deleting a recently created file
Running batch commands
Creating a file in the %AppData% directory
Sending an HTTP GET request
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Launching cmd.exe command interpreter
Changing a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Regsvr32 Anomaly
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Socelars
Behaviour
Behavior Graph (ID 374896; sample 5KqnAZiZz1.exe; start date 24/03/2021; architecture WINDOWS; score 100), rendered here as a process tree with the dropped files, network contacts and signatures the graph attaches to each process. "..." marks path segments elided on the original page.
Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 9 other signatures.

5KqnAZiZz1.exe (submitted sample)
    dropped: C:\Users\user\Desktop\pzysgf.exe (PE32); C:\Users\user\Desktop\mmt.exe (PE32); C:\Users\user\Desktop\aszd.exe (PE32); 5 other files (2 malicious)
    started: mmt.exe, pzysgf.exe, md9_9sjm.exe, 5 other processes
    mmt.exe
        network: 5.101.110.225 (DIGITALOCEAN-ASN US, Netherlands)
        dropped: C:\Users\user\AppData\Local\...\setups.exe (PE32); C:\Users\user\AppData\...\multitimer.exe (PE32); C:\Users\user\...\multitimer.exe.config (XML)
        signature: Machine Learning detection for dropped file
        setups.exe
            dropped: C:\Users\user\AppData\Local\...\setups.tmp (PE32)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
            setups.tmp
                dropped: C:\Users\user\AppData\Local\...\psvince.dll (PE32); C:\Users\user\AppData\...\itdownload.dll (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); 2 other files (none is malicious)
                signature: Multi AV Scanner detection for dropped file
        multitimer.exe
            network: 104.248.226.77 (DIGITALOCEAN-ASN US, United States); 138.197.53.157 (DIGITALOCEAN-ASN US, United States)
            signature: Machine Learning detection for dropped file
    pzysgf.exe
        network: 208.95.112.1 (TUT-AS US, United States); 2 other IPs or domains
        dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32); C:\Users\user\AppData\Local\Temp\haleng.exe (PE32)
        signature: Antivirus detection for dropped file
        jfiag3g_gg.exe (started twice)
            signature: Tries to harvest and steal browser information (history, passwords, etc)
    md9_9sjm.exe
        network: 101.36.107.74 (UHGL-AS-AP UCloud HK Holdings Group Limited HK, China)
        dropped: C:\Users\user\Documents\...\md9_9sjm.exe (MS-DOS)
        signature: Drops PE files to the document folder of the user
    5 other processes
        network: 88.99.66.31 (HETZNER-AS DE, Germany); 2 other IPs or domains
        cmd.exe
            dropped: C:\Users\user\AppData\Local\...\ySerjRi2.exe (PE32)
            signature: Submitted sample is a known malware sample
            ySerjRi2.exe
                cmd.exe
                    dropped: C:\Users\user\AppData\Local\Temp\DC0GX.w (PE32)
                    started: conhost.exe, cmd.exe, cmd.exe, regsvr32.exe
                cmd.exe
                    started: conhost.exe
            conhost.exe
            taskkill.exe
        WerFault.exe
        explorer.exe (injected)
iexplore.exe
    iexplore.exe
        network: 192.168.2.1 (unknown)
Threat name: Win32.Infostealer.Passteal
Status: Malicious
First seen: 2021-03-21 03:29:26 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:icedid family:raccoon family:redline family:smokeloader family:vidar botnet:2ce901d964b370c5ccda7e4d68354ba040db8218 botnet:c46f13f8aadc028907d65c627fd9163161661f6c backdoor banker discovery evasion infostealer loader persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
NTFS ADS
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Sets service image path in registry
UPX packed file
IcedID First Stage Loader
IcedID, BokBot
Raccoon
RedLine
SmokeLoader
Vidar
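The two sandbox behaviour lists above (Run-key autorun, taskkill, timeout.exe/ping.exe delays, cmd.exe launching regsvr32.exe against a dropped file in Temp) translate directly into host-based detections. The following is an added example, not code from MalwareBazaar or from either sandbox vendor: the rules are this example's own heuristics, not the vendors' detections and not the public Sigma "Regsvr32 Anomaly" rule. Events are Sysmon-like dicts constructed for the demo and modelled on the process tree and dropped-file paths shown in the behavior graph; the Run-key value path, the SID, and the taskkill/timeout/ping command lines are assumptions.

```python
"""Behaviour-based detections for several of the sandbox findings on this page
(added example; the rules are this example's own heuristics, not the vendors'
detections and not the public Sigma "Regsvr32 Anomaly" rule). Events are
Sysmon-like dicts; all of them are constructed for the demo."""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "rule index detail")

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Documents)\\", re.I)
TEMP_PATH = re.compile(r'"?([A-Z]:\\[^"\s]*\\Temp\\[^"\s]+)"?', re.I)


def _is(ev, kind, image=None, parent=None):
    """True if ev has the given kind and, when given, image/parent basenames."""
    if ev["event"] != kind:
        return False
    if image and not ev.get("image", "").lower().endswith("\\" + image):
        return False
    if parent and not ev.get("parent", "").lower().endswith("\\" + parent):
        return False
    return True


def run_key_from_user_path(ev, i):
    # "Adds Run key to start application": autorun value whose data points into
    # a user-writable directory rather than Program Files or System32.
    if _is(ev, "registry_set") and RUN_KEY.search(ev["target"]) \
            and USER_WRITABLE.search(ev["details"]):
        return Alert("run_key_persistence_user_path", i, ev["details"])


def regsvr32_temp_nondll(ev, i):
    # cmd.exe -> regsvr32.exe registering a file from Temp whose name lacks a
    # .dll/.ocx extension (cf. the dropped DC0GX.w in the behavior graph).
    if _is(ev, "process_create", "regsvr32.exe", "cmd.exe"):
        m = TEMP_PATH.search(ev["cmdline"])
        if m and not m.group(1).lower().endswith((".dll", ".ocx")):
            return Alert("regsvr32_temp_nondll", i, m.group(1))


def taskkill_from_cmd(ev, i):
    # "Kills process with taskkill" / "Launching a tool to kill processes".
    if _is(ev, "process_create", "taskkill.exe", "cmd.exe"):
        return Alert("taskkill_from_cmd", i, ev["cmdline"])


def delay_via_timeout_or_ping(ev, i):
    # "Delays execution with timeout.exe" / "Runs ping.exe": ping against
    # loopback with -n <count> is the classic batch-file sleep.
    if _is(ev, "process_create", "timeout.exe", "cmd.exe"):
        return Alert("delay_timeout", i, ev["cmdline"])
    if _is(ev, "process_create", "ping.exe", "cmd.exe"):
        cmd = ev["cmdline"]
        if re.search(r"-n\s+\d+", cmd) and re.search(r"127\.0\.0\.1|localhost", cmd, re.I):
            return Alert("delay_ping", i, cmd)


RULES = [run_key_from_user_path, regsvr32_temp_nondll, taskkill_from_cmd,
         delay_via_timeout_or_ping]


def run_detections(events):
    """Apply every rule to every event; return alerts in event order."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            a = rule(ev, i)
            if a:
                alerts.append(a)
    return alerts


CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [  # constructed trace, not real telemetry; paths modelled on the graph above
    {"event": "process_create", "image": r"C:\Users\user\Desktop\mmt.exe",
     "parent": r"C:\Users\user\Desktop\5KqnAZiZz1.exe", "cmdline": "mmt.exe"},
    {"event": "registry_set", "image": r"C:\Users\user\AppData\Roaming\multitimer.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\multitimer",
     "details": r"C:\Users\user\AppData\Roaming\multitimer.exe"},   # assumed value path
    {"event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe", "parent": CMD,
     "cmdline": r'regsvr32 /s "C:\Users\user\AppData\Local\Temp\DC0GX.w"'},
    {"event": "process_create", "image": r"C:\Windows\System32\taskkill.exe", "parent": CMD,
     "cmdline": "taskkill /F /PID 1234"},                            # assumed arguments
    {"event": "process_create", "image": r"C:\Windows\System32\timeout.exe", "parent": CMD,
     "cmdline": "timeout /t 5"},
    {"event": "process_create", "image": r"C:\Windows\System32\PING.EXE", "parent": CMD,
     "cmdline": "ping 127.0.0.1 -n 3"},
    {"event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",   # benign
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'},
]

if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The parent-process constraint on the regsvr32, taskkill and timeout/ping rules is what keeps them from firing on installers and administrative scripts; the benign regsvr32 event launched from explorer.exe against a Program Files DLL produces no alert, while the chain the graph shows (cmd.exe registering a non-DLL file from Temp) does.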
Malware Config
C2 Extraction:
http://funzel.info/upload/
http://doeros.xyz/upload/
http://vromus.com/upload/
http://hqans.com/upload/
http://vxeudy.com/upload/
http://poderoa.com/upload/
http://nezzzo.com/upload/
213podellkk.website
Unpacked files

SHA256 hash                                                       MD5 hash                          SHA1 hash                                 Detections
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498  cc0d6b6813f92dbf5be3ecacf44d662a  b968c57a14ddada4128356f6e39fb66c6d864d3f
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca  4de4b7bc0a92902422c4204fcfa58150  587e0299ea32cc836281998941daa60f471e3480
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67  7165e9d7456520d1f1644aa26da7c423  177f9116229a021e24f80c4059999c4c52f9e830
8d3a67a08a02f34224b8ca9e2a7cd73c2985f8e34e8af712920e69a1782e3b88  7c605eab4a34bd4e81ec2842a289c969  ecc6783fbb0b398a65ba15dbd2158c584c97562d
489e3f18474bd90f7e1afa00304828d3fdd7ef1a89bdc783061fbec05bac1fd6  f66bdf7e4547348ee82494abda599d34  56dab92087e3f356d96c8a42cdac90c73e0ee1b6
6525d30654a1a8255ac9a366035d841b991648e442f3a802f919726d604e9ce4  799f15cb784fe1bd6922939d46426c20  43cc59cf651dca1208271ab740a7820054df8ba0
2a56f4602424f2ef39ec10ee1a1300d3c5f39567f8dcb8c5e0db51dc194f5642  f9ed03b2ae5f3b3bf5b5735e0edf5876  c6aba2a597c61210c458024cdc1b5a6fce4dbc89
6227fc3d268fa9de3afd8c8fd25971131a403d8b7d3d82a38de315bf98d0657d  f91875abf5be265530e11db100cf12df  b10d41a84640b8fd7000f3ea136c6ce68dcbbb85
56d9d4adace647b1f44a3fb7b530e01cea7dbca4f8f52b022b0771324155ecae  015849bb88833f672dfd6d22f5c5a88c  5c88e9f1d0e0025976c7d3db494e155c5e5d4d34
c7e6b132f585157dda631976809c211891d023838924260d146883045588f1d4  0a0a0724bb2879ec25ba35566c4cffa8  224f2feb44d485821ac8e75fa3a4cd382ac9c7c1
fa43084ee1fb07f1abec3ec472b3cfae67c889bcb770da89ba297a6e923e4eab  e457d821acec2a63d5f26b24cd93b719  f92e772e4be53bdfc90b645fd90d545464d8caa0
13e3814f8c88b0864b4be410d7b85bedceda1d32ae30acad913c14f14243f844  727706d0daaee6ec778cbaffbd87faf5  0e9e5d684a4d0cb9d8cba7485efcad054807172a
b3f3f92a184053347007fd4a158b6a84a183be3201fb7b42db0a0f5975c3540c  ea3ca88c72ac0426c14afed3bf84a38e  5ff91a898913296ffef5206681b4ff403c64a786
682df411e2a2038c359090c311f6c4ba543aaed00c37b0a81f83a8e70b9bcb78  143879334f550c5391b31e977032f57f  9236525821b1c8396c5058f4fc530373bdabf0c5
3a73251ea5060c5c5e196929ad5679893447eba561fc9094f6cf31896cfc04b9  6aa41ec7e0fc36afd5e5e9370b6a202f  a3c0a7206d5e1d7c5bdacaf4b040858798a15d3a
9f3d57207d87acf2fe6f978f90b44b3036870a81d83d68c744f455fe83009ce1  95509b989314e6300d8f45a819b211bd  b9fb25413ab279f7041432844d943cfbd3b94a67  win_socelars_auto
a250e25310729dd7bd8f10335717a4bb39685752ba0cd4c23765d13a9b04d68b  5fdd404a50fb1b9c01666261ea9af751  0839b99177f3b248b6a3ed4db0fb2cfbb78b7e33
d0d946651c56c06d9ca14c32608fe26da018ed117f7d196fb4aef17c63e1de6f  a043a69dd5bc7b5e61d606f3a678d6c1  a8b6af2915fb93e9bc5c60e36551e09244471846

The last row is the submitted sample itself; the others are the payloads the sandbox unpacked or dumped from it.
Please note that we are no longer able to provide a coverage score for Virus Total.
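The hashes above and the C2 URLs under "Malware Config" are the indicators a responder would actually pivot on. The following is an added example, not MalwareBazaar's own code: it parses hash and C2 lines in the form this page shows them, computes the same four digests (SHA256, SHA3-384, SHA1, MD5) for local data, normalises URL and bare-domain IOCs to hostnames, and checks proxy/DNS log lines against them. The entry text embedded in the block is copied from this page; the file bytes and log lines are constructed for the demo.

```python
"""IOC matching against a MalwareBazaar entry (added example, not MalwareBazaar's
own code). Parses hash and C2 lines in the form this page shows them, computes
the same four digests for local data, and checks proxy/DNS log lines against
the C2 hosts. ENTRY_TEXT is copied from this page; the file bytes and log lines
used below are constructed for the demo."""
import hashlib
import re
from urllib.parse import urlsplit

ENTRY_TEXT = """\
SHA256 hash: d0d946651c56c06d9ca14c32608fe26da018ed117f7d196fb4aef17c63e1de6f
SHA3-384 hash: bf53f2da058c5a3d696a973f71ec78410cd721fc370b53a8e921355f60fbafdced8e795c46aac04a749c3d2ec665a6d1
SHA1 hash: a8b6af2915fb93e9bc5c60e36551e09244471846
MD5 hash: a043a69dd5bc7b5e61d606f3a678d6c1
SHA256 hash: 9f3d57207d87acf2fe6f978f90b44b3036870a81d83d68c744f455fe83009ce1
C2 Extraction:
http://funzel.info/upload/
http://doeros.xyz/upload/
213podellkk.website
"""

HASH_LINE = re.compile(r"^(SHA256|SHA3-384|SHA1|MD5) hash:\s*([0-9a-fA-F]+)$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha3-384": 96}  # digest length in hex chars
BARE_DOMAIN = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)


def ioc_host(ioc):
    """Normalise a URL or bare domain to its lowercase hostname (no scheme, port or path)."""
    if "://" not in ioc:
        ioc = "http://" + ioc
    return (urlsplit(ioc).hostname or "").rstrip(".")


def parse_entry(text):
    """Return ({algo: set(hex)}, set(host)) from MalwareBazaar-style entry lines."""
    hashes = {algo: set() for algo in HEX_LEN}
    hosts = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_LINE.match(line)
        if m:
            algo, hexdigest = m.group(1).lower(), m.group(2).lower()
            if len(hexdigest) == HEX_LEN[algo]:     # skip truncated or garbled values
                hashes[algo].add(hexdigest)
        elif "://" in line or BARE_DOMAIN.fullmatch(line):
            hosts.add(ioc_host(line))
    return hashes, hosts


def digests(data):
    """The four digests MalwareBazaar lists for a sample, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3-384": hashlib.sha3_384(data).hexdigest(),
    }


def match_hashes(data, hashes):
    """Algorithms under which `data` matches a known-bad digest (empty list = no hit)."""
    d = digests(data)
    return sorted(algo for algo in hashes if d[algo] in hashes[algo])


HOST_IN_LOG = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def scan_log(lines, hosts):
    """(line_no, host) for every line naming a C2 host or one of its subdomains."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_IN_LOG.finditer(line):
            h = m.group(1).lower()
            if h in hosts or any(h.endswith("." + c) for c in hosts):
                hits.append((n, h))
                break
    return hits


if __name__ == "__main__":
    known_hashes, c2_hosts = parse_entry(ENTRY_TEXT)
    sample = b"constructed benign bytes, not the real sample"   # constructed input
    print("hash hits:", match_hashes(sample, known_hashes))
    log = [  # constructed proxy/DNS lines
        "2021-03-24T07:36:01Z GET http://funzel.info/upload/ 200",
        "2021-03-24T07:36:05Z dns query cdn.213podellkk.website",
        "2021-03-24T07:36:09Z GET http://example.com/ 200",
    ]
    print("C2 hits:", scan_log(log, c2_hosts))
```

Two details matter in practice: hashes are compared case-insensitively and rejected when their length does not match the algorithm, since a truncated hex string silently never matches; and URL IOCs are reduced to hostnames, so a sighting of the domain on a different path or a subdomain still counts as a hit.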

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: win_smokeloader_a2
Author: pnx

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments