MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e
SHA3-384 hash: 1bc85d9607b153c7c4201433263357f5b52cf8fad752036b9f8e9dfc077f7c6ef835d568e7522a55d58a060245fb404a
SHA1 hash: afdc6f1a4c49795a9daaadc9f4586e57747d0c1b
MD5 hash: 796708f87e9e5c7a4e5673725a3e65b9
humanhash: fix-butter-pennsylvania-tennessee
File name:d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'151'622 bytes
First seen:2021-06-15 11:16:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:UbODpoD2hPzo5q9Pc9aqheNRNoY1tUQrEGIkyZ9rR01gDn:UPDe9Pc9aTHNozljN01gDn
Threatray 681 similar samples on MalwareBazaar
TLSH 35163341B6C4C8B2C572293656B9A7219A79BC301F3CCF9B939441ACCB746C0D736AB7
Reporter JAMESWT_WT
Tags:data.exe exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e
Verdict:
Malicious activity
Analysis date:
2021-06-15 11:19:03 UTC
Tags:
autoit evasion stealer trojan rat redline phishing
Link:
https://app.any.run/tasks/07505aaf-d44f-45bb-abfb-22e3fc7d6921

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Generic-9866235-0
Create hunting rule

Win.Malware.Nymeria-9869693-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Deleting a recently created file
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process with a hidden window
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Modifying a system file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/036f5e49-55a3-4add-858e-13755771c07c
Result
Threat name:
SmokeLoader Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/802346
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sets debug register (to hijack the execution of another thread)
Sigma detected: Execution from Suspicious Folder
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 434743 Sample: OcLtW2CNjy Startdate: 15/06/2021 Architecture: WINDOWS Score: 100 96 198.54.126.101 NAMECHEAP-NETUS United States 2->96 98 168.61.161.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->98 100 5 other IPs or domains 2->100 142 Malicious sample detected (through community Yara rule) 2->142 144 Antivirus detection for dropped file 2->144 146 Multi AV Scanner detection for submitted file 2->146 148 13 other signatures 2->148 9 OcLtW2CNjy.exe 13 2->9         started        12 svchost.exe 2->12         started        15 iexplore.exe 2->15         started        signatures3 process4 file5 70 C:\Users\user\Desktop\pub2.exe, PE32 9->70 dropped 72 C:\Users\user\Desktop\jg3_3uag.exe, PE32 9->72 dropped 74 C:\Users\user\Desktop\KRSetp.exe, PE32 9->74 dropped 76 5 other files (1 malicious) 9->76 dropped 17 Files.exe 1 10 9->17         started        20 pzyh.exe 9->20         started        23 Folder.exe 8 9->23         started        27 5 other processes 9->27 158 Sets debug register (to hijack the execution of another thread) 12->158 160 Modifies the context of a thread in another process (thread injection) 12->160 25 iexplore.exe 15->25         started        signatures6 process7 dnsIp8 52 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 17->52 dropped 30 File.exe 3 19 17->30         started        102 208.95.112.1 TUT-ASUS United States 20->102 104 185.60.216.35 FACEBOOKUS Ireland 20->104 110 2 other IPs or domains 20->110 54 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 20->54 dropped 56 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 20->56 dropped 35 jfiag3g_gg.exe 20->35         started        37 jfiag3g_gg.exe 20->37         started        58 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 23->58 dropped 66 3 other files (none is malicious) 23->66 dropped 39 rundll32.exe 23->39         started        41 conhost.exe 23->41         started        106 101.36.107.74 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 27->106 108 88.99.66.31 HETZNER-ASDE Germany 27->108 112 3 other IPs or domains 27->112 60 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 27->60 dropped 62 C:\Users\user\AppData\Roaming\7985981.exe, PE32 27->62 dropped 64 C:\Users\user\AppData\Roaming\6163477.exe, PE32 27->64 dropped 68 3 other files (none is malicious) 27->68 dropped 150 DLL reload attack detected 27->150 152 Detected unpacking (changes PE section rights) 27->152 154 Detected unpacking (overwrites its own PE header) 27->154 156 4 other signatures 27->156 43 WerFault.exe 27->43         started        45 IDWCH1.tmp 27->45         started        47 7985981.exe 27->47         started        file9 signatures10 process11 dnsIp12 114 92.53.96.150 TIMEWEB-ASRU Russian Federation 30->114 78 C:\Users\Public\run.exe, PE32 30->78 dropped 122 Multi AV Scanner detection for dropped file 30->122 124 Binary is likely a compiled AutoIt script file 30->124 126 Drops PE files to the user root directory 30->126 49 run.exe 30->49         started        128 Antivirus detection for dropped file 35->128 130 Tries to harvest and steal browser information (history, passwords, etc) 37->130 132 Writes to foreign memory regions 39->132 134 Allocates memory in foreign processes 39->134 136 Creates a thread in another existing process (thread injection) 39->136 116 40.88.32.150 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 43->116 138 Tries to evade analysis by execution special instruction which cause usermode exception 43->138 118 198.54.116.159 NAMECHEAP-NETUS United States 45->118 80 C:\Users\user\...\(878888888(85)GSFG1G.exe, PE32 45->80 dropped 82 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 45->82 dropped 84 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 45->84 dropped 86 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 45->86 dropped 120 172.67.192.171 CLOUDFLARENETUS United States 47->120 88 C:\ProgramData\52\vcruntime140.dll, PE32 47->88 dropped 90 C:\ProgramData\52\sqlite3.dll, PE32 47->90 dropped 92 C:\ProgramData\52\softokn3.dll, PE32 47->92 dropped 94 4 other files (none is malicious) 47->94 dropped file13 signatures14 process15 signatures16 140 Multi AV Scanner detection for dropped file 49->140
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e/
Threat name:
Win32.Trojan.CookiesStealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-13 07:37:42 UTC
File Type:
PE (Exe)
Extracted files:
218
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3cr56xk62rehh7ajdnckmt4yy3cu3ludk3lupto64unyrx47duxa._file
Verdict:
malicious
Similar samples:
3d30ffd438512742fc01ca5df9c4b9d0deb9f908ef56e7dd3e284eec904f517d
RedLineStealer
445d39df326616cbfd206707370348697ee1ad8ffb5ce1edc330afe9bf49266e
RedLineStealer
5677b9d1528c45370a17cd4b68fc443862d4304ef1bca005c369c8c1d9158a62
RedLineStealer
6c8b67843326b740d17af91ba222e513fb29c45b6decab158009e71f94a8e62a
RedLineStealer
738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5
RedLineStealer
76695f6c444b5dc5e8f8104ece90e45aa711df868faa0f0d88b730a8da54fc09
RedLineStealer
a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13
RedLineStealer
b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b
RedLineStealer
d909fb86f7a7f515ec2fcc1bc25f7309164934e35ca4535be73b1ef5ff3fab7d
RedLineStealer
db30e7a45705a8bf2071bd51b70157cace17faaf34aef2bcbd3266fa0ecce874
RedLineStealer
+ 671 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:plugx family:redline family:smokeloader family:tofsee family:vidar backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210615-2w3tdqymlj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
VMProtect packed file
Checks for common network interception software
PlugX
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Tofsee
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Unpacked files
SH256 hash:
7c5c5d47ac9b6a5f55386341bdad25c0f4a32c25a9548535ce1757aeb3df12d7
MD5 hash:
3cb83e9dbb8ffce9227da20df929fe8e
SHA1 hash:
9c186ece085fe8564f9162f1afe281f8931a2866
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
12b2a34db1f822c089218f1b46c1870462a0afb65ff0364e0f0ba043e93c1e5a
MD5 hash:
a7732204d9c883a4373c8b615c97de43
SHA1 hash:
017de30fc0647908eb8dd532982ce6644fb13e59
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
ad7b9965a5342380f90a5207605ca6d4f566337c8d5154924b79fa418e7401c5
MD5 hash:
8bffedfaa819d5d1e8abf3c8a2fa89a0
SHA1 hash:
c140e5a926d151bcd8e85898b79fbc06f266ac16
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
d4b6f42bfeed5f55241226d77784e11c9ebd1c7fe20216e31d27028050900bdd
MD5 hash:
c02bcc72407cc22e068557cae0d52d62
SHA1 hash:
a5331a16450f3c901953ddcdaa57981e9731af4e
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
241fbb217d56fc8a4f15be77883a4afd2442dc90b9d7c4b780e75f74324b3951
MD5 hash:
a5b5b2b2ee10a05ac99f69f7797ccf5b
SHA1 hash:
0c888887bf94cccde588b21567f6fdd75685928c
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
9798bbcbf18911c7465a6057aa163d3e1badafab27d2ac90138b5096b516ae5c
MD5 hash:
e60e3f87e7b4a46041c1cdb5ba429830
SHA1 hash:
0a9789352449598d2643b4f1dc803f4e4fe021ec
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
fd39b0eae2703c5ac73e9936ebc398673ee17f4548d262338f86260627509b27
MD5 hash:
2ba64d39cade25dedef7df25840fd10d
SHA1 hash:
11ade383bf4689e47367cd08cbd83af60da5d5fe
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
cf0d629603755cbb1190d62122e301e470fcf88dc796cfd7e1f5680d46fe54e4
MD5 hash:
5c2f0768d9a9b62b8defaca47a67eafe
SHA1 hash:
1e0da98625a88dacaa4b7eaa17f2d294c5d428f7
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
29ff48ae619fe44094f15445e6b32469779229e64590ed4a20b53779988a421c
MD5 hash:
642bbd7cd3b781b1b8e104e5a3fd22aa
SHA1 hash:
1d8cf3910b5b40755d1b351b7bb6aa6bc8c5eb9c
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
1edef94a42db64224fcede7078e94dda8459090469dfd17f9f680bdddcf3c93d
MD5 hash:
c151dce8315cb6333179b7c706153ca8
SHA1 hash:
1a84b3bedaa827a7db729f869fc0c0a26f314afe
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
93197ddf89d6a5afc852d10d37023d94f23c8b92ad075b6eebc20cee80b577d9
MD5 hash:
cc9565d248a4b99ccc35ec1ed9b9de83
SHA1 hash:
b5a13e7d79ea52ce12a91a299fc59a3149776637
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
c8097d6efadb512ae015b6e797c58d1548e0fadb8c94b048006e0d1ffb16be0c
MD5 hash:
0000e70a83dba8956426d6e01dc4c6e1
SHA1 hash:
6f1c11e0a095c86e7fb1fcd10949fba430c59057
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
SH256 hash:
d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e
MD5 hash:
796708f87e9e5c7a4e5673725a3e65b9
SHA1 hash:
afdc6f1a4c49795a9daaadc9f4586e57747d0c1b
Link:
https://www.unpac.me/results/1bbde532-8b95-4d2a-84c9-2109159ce14d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/pollo290987/status/1404358946819878912?s=20

Comments