MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc93634d2c551d6293e2d9f444610992ee0c84191496840d267239428f6114ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11


SHA256 hash: dc93634d2c551d6293e2d9f444610992ee0c84191496840d267239428f6114ff
SHA3-384 hash: 5aba43bc53b7d1520ceeb6376b4ab4039b7bacae55c2f533e270fc06a2b75c400dc4a3f501dc87783dcd9c96f3b7d554
SHA1 hash: ce894616690b3ef910f91adf7b042d1e22b667c3
MD5 hash: e78b2c816422fee77dffcf5024fa7fd9
humanhash: island-twelve-lactose-colorado
File name: setup_x86_x64_install.exe
Signature: RedLineStealer
File size: 6'216'897 bytes
First seen: 2021-11-10 14:35:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JlMthQdp7ugZrEfDoYX5TFWgGOUG2NdvrhHULWMOs9tuZvZf1V6otZKp/GbkQ5I1:JlMthQb7ugrEsYpAgNYdvrOLWPigVZ9M
Threatray: 688 similar samples on MalwareBazaar
TLSH: T10C5633D8493880F3F599BF704F7F807F137B5354152A8E668801B41748BD97AEEB2A16
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 98
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-11-10 14:39:20 UTC
Tags: trojan rat redline evasion stealer vidar loader opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Cookie Stealer RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 519268, Sample: setup_x86_x64_install.exe, Startdate: 10/11/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.SmallDownloader
Status: Malicious
First seen: 2021-11-10 14:36:07 UTC
AV detection: 20 of 27 (74.07%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:media0911 botnet:user112 aspackv2 backdoor infostealer spyware stealer suricata trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction: (list of extracted C2 URLs and IP:port indicators omitted)
Unpacked files
(SHA256/MD5/SHA1 hash list for the unpacked files omitted)
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.