MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4fb12766874defc4d6a9dda8cd8aa956fdac4352d874c04f9828743247510df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4fb12766874defc4d6a9dda8cd8aa956fdac4352d874c04f9828743247510df
SHA3-384 hash: ae2ac1351f6a52e41571b086cb05e1ac55eab0364421c79331a49256f1d0a1267ad9bca49b22acdcba6c0dc62c95c4bc
SHA1 hash: bb38de8320bfe3aa7dabe6946b9c039184a05bb2
MD5 hash: 2dbf583e20a1714ebb7aaf9b61cd4e11
humanhash: lake-asparagus-oranges-carolina
File name:2DBF583E20A1714EBB7AAF9B61CD4E11.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'152'882 bytes
First seen:2021-06-18 19:01:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:UboDpoD2hPvo5q9Hc9aqheNRN7Y1tUQrEGskyZ9Q7Ld2R01gD1:U9DC9Hc9aTHN7zpjQts01gD1
Threatray 90 similar samples on MalwareBazaar
TLSH B0163341B6C4C8B2C47229769AB9A721967DBC301F3CCF9B539444ACCA746C0D736AB7
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
178.57.217.111:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
178.57.217.111:80 https://threatfox.abuse.ch/ioc/136590/

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2DBF583E20A1714EBB7AAF9B61CD4E11.exe
Verdict:
Malicious activity
Analysis date:
2021-06-18 19:05:02 UTC
Tags:
autoit evasion trojan rat redline phishing
Link:
https://app.any.run/tasks/127b6945-1e7f-47a9-9146-f3a46b815ac3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/166899/
Detection(s):
Win.Malware.Generic-9866235-0
Create hunting rule

Win.Malware.Nymeria-9869693-0
Create hunting rule

Win.Malware.Nymeria-9871971-0
Create hunting rule

Win.Malware.Nymeria-9872012-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb4af1e8-a418-4ab7-9af3-5be7910c284b
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804517
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sets debug register (to hijack the execution of another thread)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436928 Sample: QtiaeiQvuH.exe Startdate: 18/06/2021 Architecture: WINDOWS Score: 100 141 Malicious sample detected (through community Yara rule) 2->141 143 Antivirus detection for URL or domain 2->143 145 Antivirus detection for dropped file 2->145 147 16 other signatures 2->147 8 QtiaeiQvuH.exe 1 14 2->8         started        11 svchost.exe 2->11         started        14 iexplore.exe 2->14         started        16 2 other processes 2->16 process3 file4 97 C:\Users\user\Desktop\pub2.exe, PE32 8->97 dropped 99 C:\Users\user\Desktop\jg3_3uag.exe, PE32 8->99 dropped 101 C:\Users\user\Desktop\KRSetp.exe, PE32 8->101 dropped 103 5 other files (1 malicious) 8->103 dropped 18 KRSetp.exe 15 10 8->18         started        23 IDWCH1.exe 8->23         started        25 Folder.exe 8 8->25         started        31 5 other processes 8->31 185 Sets debug register (to hijack the execution of another thread) 11->185 187 Modifies the context of a thread in another process (thread injection) 11->187 27 svchost.exe 11->27         started        29 iexplore.exe 14->29         started        signatures5 process6 dnsIp7 113 104.21.69.75 CLOUDFLARENETUS United States 18->113 79 C:\Users\user\AppData\Roaming\4658026.exe, PE32 18->79 dropped 81 C:\Users\user\AppData\Roaming\1683801.exe, PE32 18->81 dropped 83 C:\Users\user\AppData\Roaming\1262771.exe, PE32 18->83 dropped 91 3 other files (none is malicious) 18->91 dropped 171 Detected unpacking (changes PE section rights) 18->171 173 Detected unpacking (overwrites its own PE header) 18->173 33 1262771.exe 18->33         started        37 1683801.exe 18->37         started        40 4658026.exe 18->40         started        50 3 other processes 18->50 85 C:\Users\user\AppData\Local\...\IDWCH1.tmp, PE32 23->85 dropped 42 IDWCH1.tmp 23->42         started        93 4 other files (none is malicious) 25->93 dropped 44 rundll32.exe 25->44         started        46 conhost.exe 25->46         started        115 198.13.62.186 AS-CHOOPAUS United States 27->115 175 Query firmware table information (likely to detect VMs) 27->175 117 192.168.2.1 unknown unknown 29->117 119 101.36.107.74 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 31->119 121 208.95.112.1 TUT-ASUS United States 31->121 123 5 other IPs or domains 31->123 87 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 31->87 dropped 89 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 31->89 dropped 95 3 other files (2 malicious) 31->95 dropped 177 DLL reload attack detected 31->177 179 Drops PE files to the document folder of the user 31->179 181 Renames NTDLL to bypass HIPS 31->181 183 Checks if the current machine is a virtual machine (disk enumeration) 31->183 48 File.exe 13 31->48         started        52 5 other processes 31->52 file8 signatures9 process10 dnsIp11 69 C:\Users\user\AppData\...\WinHoster.exe, PE32 33->69 dropped 149 Detected unpacking (changes PE section rights) 33->149 151 Detected unpacking (overwrites its own PE header) 33->151 153 Creates multiple autostart registry keys 33->153 54 WinHoster.exe 33->54         started        125 104.21.46.30 CLOUDFLARENETUS United States 37->125 155 Injects a PE file into a foreign processes 40->155 56 conhost.exe 40->56         started        58 4658026.exe 40->58         started        127 198.54.116.159 NAMECHEAP-NETUS United States 42->127 71 C:\Users\user\...\(878888888(85)GSFG1G.exe, PE32 42->71 dropped 73 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 42->73 dropped 75 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 42->75 dropped 77 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->77 dropped 60 (878888888(85)GSFG1G.exe 42->60         started        157 Contains functionality to infect the boot sector 44->157 159 Contains functionality to inject threads in other processes 44->159 161 Contains functionality to inject code into remote processes 44->161 169 5 other signatures 44->169 129 92.53.96.150 TIMEWEB-ASRU Russian Federation 48->129 163 Multi AV Scanner detection for dropped file 48->163 65 WerFault.exe 50->65         started        67 WerFault.exe 50->67         started        131 104.42.151.234 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 52->131 165 Tries to harvest and steal browser information (history, passwords, etc) 52->165 167 Tries to evade analysis by execution special instruction which cause usermode exception 52->167 file12 signatures13 process14 dnsIp15 133 5.196.8.173 OVHFR France 60->133 135 198.54.126.101 NAMECHEAP-NETUS United States 60->135 139 3 other IPs or domains 60->139 105 C:\Users\user\AppData\...\Jupucebawa.exe, PE32 60->105 dropped 107 C:\Users\user\AppData\...\Savaevahala.exe, PE32 60->107 dropped 109 C:\Program Files (x86)\...\Xijyjihaele.exe, PE32 60->109 dropped 111 3 other malicious files 60->111 dropped 189 Antivirus detection for dropped file 60->189 191 Detected unpacking (overwrites its own PE header) 60->191 193 Machine Learning detection for dropped file 60->193 195 2 other signatures 60->195 137 104.43.193.48 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 65->137 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4fb12766874defc4d6a9dda8cd8aa956fdac4352d874c04f9828743247510df/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-06-14 19:05:00 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2t5re5tiotppytlktxnizwfksvx5vrbvfwduybhzqkdugjdvcdpq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
3d30ffd438512742fc01ca5df9c4b9d0deb9f908ef56e7dd3e284eec904f517d
RedLineStealer
5677b9d1528c45370a17cd4b68fc443862d4304ef1bca005c369c8c1d9158a62
RedLineStealer
6ff9c8970fd7f82d4e1f448f9d9c32a7f8888eebc3a4a1a0c7c3f1d35965562a
RedLineStealer
738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5
RedLineStealer
76695f6c444b5dc5e8f8104ece90e45aa711df868faa0f0d88b730a8da54fc09
RedLineStealer
a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13
RedLineStealer
b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b
RedLineStealer
d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e
RedLineStealer
db30e7a45705a8bf2071bd51b70157cace17faaf34aef2bcbd3266fa0ecce874
RedLineStealer
f8aa33b99bb248f640363d937986e465239346a7f25f8e8579b92b5c975f38a9
RedLineStealer
+ 80 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:plugx family:redline family:smokeloader family:vidar backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210618-8czarg5lvs/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
PlugX
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Unpacked files
SH256 hash:
7c5c5d47ac9b6a5f55386341bdad25c0f4a32c25a9548535ce1757aeb3df12d7
MD5 hash:
3cb83e9dbb8ffce9227da20df929fe8e
SHA1 hash:
9c186ece085fe8564f9162f1afe281f8931a2866
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
90e89520cf09bdffb11591611a1ca2b426d336b0adcd31e03a805411e38dc938
MD5 hash:
842ff01ac97042b0c1a41f5bc10639d2
SHA1 hash:
845ea53a740b2096587df5dd835f192f737810ea
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
12b2a34db1f822c089218f1b46c1870462a0afb65ff0364e0f0ba043e93c1e5a
MD5 hash:
a7732204d9c883a4373c8b615c97de43
SHA1 hash:
017de30fc0647908eb8dd532982ce6644fb13e59
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
ad7b9965a5342380f90a5207605ca6d4f566337c8d5154924b79fa418e7401c5
MD5 hash:
8bffedfaa819d5d1e8abf3c8a2fa89a0
SHA1 hash:
c140e5a926d151bcd8e85898b79fbc06f266ac16
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
d4b6f42bfeed5f55241226d77784e11c9ebd1c7fe20216e31d27028050900bdd
MD5 hash:
c02bcc72407cc22e068557cae0d52d62
SHA1 hash:
a5331a16450f3c901953ddcdaa57981e9731af4e
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
241fbb217d56fc8a4f15be77883a4afd2442dc90b9d7c4b780e75f74324b3951
MD5 hash:
a5b5b2b2ee10a05ac99f69f7797ccf5b
SHA1 hash:
0c888887bf94cccde588b21567f6fdd75685928c
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
9798bbcbf18911c7465a6057aa163d3e1badafab27d2ac90138b5096b516ae5c
MD5 hash:
e60e3f87e7b4a46041c1cdb5ba429830
SHA1 hash:
0a9789352449598d2643b4f1dc803f4e4fe021ec
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
14673ac9879c68d86372f7ac58d88206e57e4df030bdd035c0d8682cb9213a41
MD5 hash:
7624a144d0e2e613fb926139c9ef075d
SHA1 hash:
99e18fcaf6ef42bb8759dc39ce0661854e1ffc86
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
3c5748b3274a1f7fe73e45737a358f63bc7b380e00b05a9f8e0a1439e5f73b79
MD5 hash:
a1380115e3c2bacdf64f3362e49ae060
SHA1 hash:
c1b275ba10c45b2c7eb7c17cd8f631dd67d9b78c
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
df0400d842676367faf56514673c13d281315c21a756f7d9c67d3927d8d54bdb
MD5 hash:
b6c088ed3dc53da945d06597e7efc6ad
SHA1 hash:
cfcf9baf28d20a8c29dc4584c10aaf68c1d8a1f5
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
93197ddf89d6a5afc852d10d37023d94f23c8b92ad075b6eebc20cee80b577d9
MD5 hash:
cc9565d248a4b99ccc35ec1ed9b9de83
SHA1 hash:
b5a13e7d79ea52ce12a91a299fc59a3149776637
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
SH256 hash:
69fe38757045a35ac1746169be09d5f70691d9495ab90cf7e2178c22d40ef120
MD5 hash:
ed1651e7a1a3e21e9ac3e472adc9fffb
SHA1 hash:
6f938b2c6b1aac0016a6a3b7a283a9d23a73dd5d
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
Parent samples :
6c8b67843326b740d17af91ba222e513fb29c45b6decab158009e71f94a8e62a
2c5bcf3f88a6848053f57223363adb22e49f41b1c8a54f8ddc370508c3043e70
d4fb12766874defc4d6a9dda8cd8aa956fdac4352d874c04f9828743247510df
SH256 hash:
d4fb12766874defc4d6a9dda8cd8aa956fdac4352d874c04f9828743247510df
MD5 hash:
2dbf583e20a1714ebb7aaf9b61cd4e11
SHA1 hash:
bb38de8320bfe3aa7dabe6946b9c039184a05bb2
Link:
https://www.unpac.me/results/eb937c50-76e4-49d1-a471-ab5300823174/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4fb12766874defc4d6a9dda8cd8aa956fdac4352d874c04f9828743247510df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166899/

Comments