MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d44d77232a9e6e684f1ece4c9c05b3dcb63d4296cfd29b0951b0100caedfb0d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 3 YARA 8 File information Comments

SHA256 hash:	d44d77232a9e6e684f1ece4c9c05b3dcb63d4296cfd29b0951b0100caedfb0d6
SHA3-384 hash:	fac6783c3bdc405b3bdb7164c5267e127eb1da6b0de25e4bd6cbadb1d8d639ef1ce63bd8944eaa5b15f419420c9490da
SHA1 hash:	6bf5da0d2e6402e02791da994f814291849308a8
MD5 hash:	dcb58f4f12e3945fbaadff7655a8f613
humanhash:	magazine-charlie-spaghetti-vegan
File name:	D44D77232A9E6E684F1ECE4C9C05B3DCB63D4296CFD29.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'664'525 bytes
First seen:	2021-10-05 13:56:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep	49152:xcB6PkZVi7iKiF8cUvFyPjvzCxtghRt12QWGoVZoBjz/o0MeJEwJ84vLRaBtIl90:xkri7ixZUvFyPftRbGhXB0NmCvLUBsKR
Threatray	592 similar samples on MalwareBazaar
TLSH	T138C533417FE684FFD696153069843FB4F4B9C39C072458CB3798970A8F398D2911AEBA
File icon (PE):
dhash icon	848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://194.180.174.80/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://194.180.174.80/	https://threatfox.abuse.ch/ioc/230436/
77.232.39.148:5879	https://threatfox.abuse.ch/ioc/230483/
188.227.87.46:51843	https://threatfox.abuse.ch/ioc/230567/

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/195095/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Win.Packed.SmokeLoader-9873637-1

Win.Malware.Jaik-9878603-0

Win.Packed.SmokeLoader-9880484-1

Win.Packed.SmokeLoader-9880490-1

Win.Packed.SmokeLoader-9880492-1

Win.Malware.Zenlod-9882704-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys overlay packed upatre

Link:

https://www.filescan.io/uploads/615c59b0b95458900cdc781d/reports/054568fc-e236-441e-900b-6bb78196020a/overview

Malware family:

Chapak

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/73279cc3-2e2d-4df4-8b72-e50eadf7f2b1

Result

Threat name:

RedLine SmokeLoader Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/864848

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Detected unpacking (changes PE section rights)

Disable Windows Defender real time protection (registry)

DLL reload attack detected

Found C&C like URL pattern

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Performs DNS queries to domains with low reputation

Renames NTDLL to bypass HIPS

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d44d77232a9e6e684f1ece4c9c05b3dcb63d4296cfd29b0951b0100caedfb0d6/

Threat name:

Win32.Spyware.Hynamer

Status:

Malicious

First seen:

2021-07-15 17:48:15 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2rgxoizktzxgqty6zzgjybnt3s3d2quwz7jjwckrwaiazlw7wdla._file

Verdict:

malicious

RedLineStealer

1a263b2603212ff1e492d9e0c718f12601789e27eaaba9a7a7048b4080c08bcb

RedLineStealer

2aafe51ed875d14265117e71337eaf72d2d22f8055ad43356062efbde0eb6f4a

RedLineStealer

2cb7b724ba108cfab0f07348997e32c7c531084ffd2c9326e6ba51ad8f4ed656

RedLineStealer

47a55e678c1c05d11445beebb73e5822625663c107214e874ca75a87694164dc

RedLineStealer

52b7284b1615a30f3e8e6049f2d3501efe88334fb837c10dc5e86881ae55a5b7

RedLineStealer

5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a

RedLineStealer

72339997aa5cf9d313e2c7a44b8649d343a057cd45a6b190036bbed489cd828a

RedLineStealer

76089e8324bd822d80061ba57f1c5b0a473e9e5f80e05953d0e6de9e77b501e4

RedLineStealer

a4b51bd72dffd28ad3841217ffec9e43d21ee3c6f889be3ab760a4d24e7d58bc

RedLineStealer

+ 582 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:arkei family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:first build aspackv2 backdoor evasion infostealer spyware stealer suricata themida trojan

Link:

https://tria.ge/reports/211005-q892kaacbk/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Arkei Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Nirsoft

Vidar Stealer

Arkei

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Malware Config

C2 Extraction:

https://sslamlssa1.tumblr.com/
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
asyndenera.xyz:15667

Unpacked files

SH256 hash:

402654e6eef6841a5b9d79fffbebc2f7d5bbbd80c9988bc475a40e00c20be013

MD5 hash:

1131468f2de537877614e10ef8fd5208

SHA1 hash:

f4d81d4f86e26f7b7be1d414d9d75d4d6c3c87b9

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

55e9a570f195e846308180eaecae9a6155685f8fdfdc2fd06a04dd2d27a5b3cc

MD5 hash:

e7a51852abb1e460c985402a78cda9a4

SHA1 hash:

8d942e23a478f8618dfa512b27ec02b1f72639bf

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

ae33e6803ea079f2d5384e441a7970b3836088d0dff618c3dadca17f73727c87

MD5 hash:

539991cf3212a7886de777aa7363683e

SHA1 hash:

73ad1d82d636ecf58aee979ad78901e794a864b6

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707

MD5 hash:

cfcd04cb50a5d48b368c76a353a8b58a

SHA1 hash:

7d76e8474b4b70d4f8e62653361c7b451a8f2fd2

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

Parent samples :

0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SH256 hash:

89a0227ef833a2742f7dd46be36e61b178a8b47846fd3cf557c8b9991b7cfb67

MD5 hash:

55bf2bbdd87ec3ac709c6a247f4a28b4

SHA1 hash:

6df7d9af3a7b2da1c91aff955a4c5aadbe2d13cb

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

Parent samples :

5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7

SH256 hash:

2f8340f99e1b8e56d7d3e8168930f21dcc6c0d789d6f924351ea4774e3ca852d

MD5 hash:

240d4b617c6ccb8ca69d4f761598c5e4

SHA1 hash:

5a66d19b40c18e1e9ec95cabc3724245fbcecd99

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d

MD5 hash:

559948db5816ae7ab26eb2eb533887ed

SHA1 hash:

e60442c6fb35239d298b01b0f4558264c01b2e7f

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

MD5 hash:

1c7be730bdc4833afb7117d48c3fd513

SHA1 hash:

dc7e38cfe2ae4a117922306aead5a7544af646b8

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f

MD5 hash:

f5ba66ed9cc96376d02e02bbfc59f460

SHA1 hash:

9d6393ea4739724156dd0cfacc5cb8db2e52f32c

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9

MD5 hash:

ec149486075982428b9d394c1a5375fd

SHA1 hash:

63c94ed4abc8aff9001293045bc4d8ce549a47b8

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

Parent samples :

e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11

SH256 hash:

a0a30765d8de60813e2afee8d8045c6ef32ebdd81edd20e9b4d16cd7e470d24f

MD5 hash:

1c6c5449a374e1d3acecbf374dfcbb03

SHA1 hash:

3af9b2a06e52c6eaa666b3b28df942097f16b078

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435

MD5 hash:

ae7c477ce9bd98d13ccff5fc4a0d190e

SHA1 hash:

249ff902f66c3d0cee6656802b14a9c34807bc8f

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

9717f526bf9c56a5d06ccd0fb71eef0579d26b7100d01665b76d8fdd211b48bd

MD5 hash:

dbc3e1e93fe6f9e1806448cd19e703f7

SHA1 hash:

061119a118197ca93f69045abd657aa3627fc2c5

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

a1f1c0987507f3a891831a834efed390e9cdd36f518a01ce5de106d20c6e4f79

MD5 hash:

42f2d5f708a24f2b778b7717e0b8d790

SHA1 hash:

ef8e100f80bbf89f382bc3720449435cdfe6cda1

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

SH256 hash:

d44d77232a9e6e684f1ece4c9c05b3dcb63d4296cfd29b0951b0100caedfb0d6

MD5 hash:

dcb58f4f12e3945fbaadff7655a8f613

SHA1 hash:

6bf5da0d2e6402e02791da994f814291849308a8

Link:

https://www.unpac.me/results/26531d91-ecd7-40b9-ab8a-6122fdbd368d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d44d77232a9e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d44d77232a9e6e684f1ece4c9c05b3dcb63d4296cfd29b0951b0100caedfb0d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_MALWARE_Win_DLInjector03 Create hunting rule
Author:	ditekSHen
Description:	Detects unknown loader / injector

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	RedOctoberPluginCollectInfo Create hunting rule

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195095/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample