MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e151a929c69d6b05b9326bdae2679e828cd8c0c6e27bfe9866976e7943630e24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 4 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e151a929c69d6b05b9326bdae2679e828cd8c0c6e27bfe9866976e7943630e24
SHA3-384 hash: 63fe9e1093f259e237a6414e3cf753d14e9414835af3275ef857ce8448fedd208b17088755e235056e76f1c617f8fbb6
SHA1 hash: b7bd017bcea6ab84942731294f08c67f40855453
MD5 hash: a0c8da8c027e72bde129e39b1c827497
humanhash: angel-oklahoma-pasta-vermont
File name:a0c8da8c027e72bde129e39b1c827497.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'458'048 bytes
First seen:2021-09-28 03:41:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:xTLUCgort0lODk+7Lc0DBTph4t1AJcBjTx+E:xPdgoxsO4+7Lc0DBb6uQB+E
Threatray 575 similar samples on MalwareBazaar
TLSH T1965633207782C9F7CA8581318D4CBBF3917CD3B90A26F7CB9B414A5E5EB5186814E91F
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://23.88.105.196/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://23.88.105.196/ https://threatfox.abuse.ch/ioc/226961/
http://185.138.164.150/ https://threatfox.abuse.ch/ioc/227268/
195.133.18.5:45269 https://threatfox.abuse.ch/ioc/227270/
185.173.39.234:36881 https://threatfox.abuse.ch/ioc/227271/

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a0c8da8c027e72bde129e39b1c827497.exe
Verdict:
No threats detected
Analysis date:
2021-09-28 03:44:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9bd0a568-9ce9-4487-889f-5ced9dfd0c78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192288/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f266854a-a68b-4e63-bfdc-7ca52a2ebae4
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859464
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491895 Sample: 2awEYXkQvX.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 81 37.0.10.244 WKD-ASIE Netherlands 2->81 83 37.0.8.119 WKD-ASIE Netherlands 2->83 85 10 other IPs or domains 2->85 105 Antivirus detection for URL or domain 2->105 107 Antivirus detection for dropped file 2->107 109 Multi AV Scanner detection for submitted file 2->109 111 15 other signatures 2->111 9 2awEYXkQvX.exe 22 2->9         started        12 svchost.exe 2->12         started        15 svchost.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 file5 59 C:\Users\user\AppData\...\setup_install.exe, PE32 9->59 dropped 61 C:\Users\user\...\Thu17fed9893d024018.exe, PE32 9->61 dropped 63 C:\Users\user\AppData\...\Thu17fb58cba00.exe, PE32 9->63 dropped 65 17 other files (10 malicious) 9->65 dropped 19 setup_install.exe 1 9->19         started        115 Changes security center settings (notifications, updates, antivirus, firewall) 12->115 signatures6 process7 dnsIp8 87 104.21.87.76 CLOUDFLARENETUS United States 19->87 89 127.0.0.1 unknown unknown 19->89 113 Adds a directory exclusion to Windows Defender 19->113 23 cmd.exe 1 19->23         started        25 cmd.exe 1 19->25         started        27 cmd.exe 19->27         started        29 6 other processes 19->29 signatures9 process10 signatures11 32 Thu173277f112babf2e.exe 74 23->32         started        37 Thu170a7d1bf77fab4.exe 25->37         started        39 Thu173814785e.exe 27->39         started        117 Adds a directory exclusion to Windows Defender 29->117 41 Thu17fb58cba00.exe 29->41         started        43 Thu17629fbaf453eaeb.exe 6 29->43         started        45 Thu17893289b62.exe 29->45         started        47 powershell.exe 26 29->47         started        process12 dnsIp13 67 88.99.75.82 HETZNER-ASDE Germany 32->67 69 23.88.105.196 ENZUINC-US United States 32->69 71 192.168.2.1 unknown unknown 32->71 49 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 32->49 dropped 51 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 32->51 dropped 53 C:\Users\user\AppData\...\freebl3[1].dll, PE32 32->53 dropped 57 9 other files (none is malicious) 32->57 dropped 91 Detected unpacking (changes PE section rights) 32->91 93 Detected unpacking (overwrites its own PE header) 32->93 95 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->95 103 2 other signatures 32->103 97 Antivirus detection for dropped file 37->97 99 Machine Learning detection for dropped file 37->99 101 Injects a PE file into a foreign processes 37->101 73 162.159.134.233 CLOUDFLARENETUS United States 41->73 55 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 41->55 dropped 75 88.99.66.31 HETZNER-ASDE Germany 43->75 77 8.8.8.8 GOOGLEUS United States 43->77 79 144.202.76.47 AS-CHOOPAUS United States 43->79 file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e151a929c69d6b05b9326bdae2679e828cd8c0c6e27bfe9866976e7943630e24/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 08:56:15 UTC
AV detection:
29 of 45 (64.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fi2skogtvvqlojsnpnoez46qkgnrqgg4j575gdgs5xhsq3dbysa._file
Verdict:
malicious
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
RedLineStealer
093c40a96a55be0cc76dd3f234eebc8e66f453626f0d217fce4bb91d5e5afa5c
RedLineStealer
3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
RedLineStealer
96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
RedLineStealer
987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
RedLineStealer
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
RedLineStealer
f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
RedLineStealer
+ 565 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:ani botnet:janera botnet:matthew2009 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/210928-d9cq8saea4/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
65.108.20.195:6774
45.142.215.47:27643
213.166.69.181:64650
http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
Dropper Extraction:
http://shellloader.top/welcome
Unpacked files
SH256 hash:
66d9e7d002b91df4aa572228d3c4a1d41997fff54555d0aa2e903f993f307814
MD5 hash:
17df2b7340cf3291107bfd454d0ca856
SHA1 hash:
00458e02751bb0e2cc268730a0cac2689249b1a7
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
1778a6b25f9ac7d1bf1782d1196ac5254ed46e70033a38f391d02939d5b733da
MD5 hash:
3b32aabc7aad3bbfd7226cc614743f48
SHA1 hash:
ea748309ac48558506ddf93b45369b41f641126e
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
15dd9667f33c8979b9775d9e15f405b6844959c1a7fec34d3377dc51ce0e58c0
MD5 hash:
ec73d7de788ad7ed996ab0e75ed1cade
SHA1 hash:
5b01a1de6d0a6d76677233a215390f7592e84194
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
b1920edd533a39e340a58a6e720a38b6fd703d91ec097b9f2b1a69ce9d7fbbf8
MD5 hash:
8b78a03d45ea20b55ad506929729ec1d
SHA1 hash:
c0c2b7ce1f68b41d1d72f07939387dabf9ffc597
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
a88fac67a0842f37dc7cdaf3d105fe9cc0905e1f0119239fed1fce7dbb3fd620
MD5 hash:
77b6b011f197b222b988cab08c17f9ce
SHA1 hash:
f1a4c5bc855cfdd49af699b45e6365c499875b68
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
9feeb134e12f470ef8b69f06d7404b151bf1157a8450435d20edcc5e07b220d6
MD5 hash:
78ed6671d12723032508bd59b5f27850
SHA1 hash:
ed60502ee831d02a1ae0359c71dd933d744583ac
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d
MD5 hash:
2c509753fac93810c09574a8b56af1e4
SHA1 hash:
e53da7ff5a9cfc3bda21794d639ed1f02cd7a881
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
4244ad0cef7b2f6b89b0adbb73333b671b3060276b8d8da602a356c68212a3bb
MD5 hash:
e305eb71a450429754b58fe16c18de27
SHA1 hash:
d4af4bd967510adc0a697088d0bd9afad3eab19e
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
68223fa16261faf405282fee551520b480eb4132f769b73c9fa707adf00539f6
MD5 hash:
05378594f7196c773e7f8d8670907c43
SHA1 hash:
c829048f7221f3641434b1386490a320dc6d3b4b
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
1f53063f8609771086536eb80135e92c0d5c4f2dbadc7c5cf8a09a4ad3f2f691
MD5 hash:
94dd20a1568582b67786e9763df16325
SHA1 hash:
b95557c7710c4cb61ee06011118f1cf8ef53e659
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
0cfc8b00aab7cdbd35ef547af5aa2b1131146f613ffb19e49f9cd0eb1101ed57
MD5 hash:
f2d95c865fb0880c47d8fcc7d052d9c6
SHA1 hash:
979a7aa55f2e417ef7349d775ddcee1c9dbf0591
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
7af2ac36a06aa2e1bba2fc52a08c19492db72603f04bff65d3c9a5db33f70e25
MD5 hash:
8423e2b0b304abf8b7a652e7eb874bfc
SHA1 hash:
972e5ebd9cfe7f561f0aa5fc63dc918d1c1b2d52
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
0b095ca8d316510531d42a9db803c937e765bcd856fa2bed6255823fed9be6d5
MD5 hash:
da38d896606d4af49d524159859d658a
SHA1 hash:
954bbdcd83ef6c074df2d35c296a0c084f123cdf
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
7060227f53b56a031747bff22bf3846e4a70bb59af5854e7056d69e4f1a79233
MD5 hash:
5d2025188971a8b98c7122289a2d2ad5
SHA1 hash:
573b589c10b33a556a6a63d792853e0e8d9c4933
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
e7db51de1ea83ea73f1ae8d6806fa7da3c9f30cacb5e5d6cb7b8729cca996ce9
MD5 hash:
6d7d948c9bb2a51eb7fea77310ae26d2
SHA1 hash:
edda83a4f2ce305433fdb148b12d3643d6d8c699
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
f3431472c513de342309a17f59a6077f52d534c7bf0a4c99bb7da1d2a993b602
MD5 hash:
87d7fd7e6259ff53bd7a2b2892d4e786
SHA1 hash:
ca25bbbdcef3c4f888bcd10b2e811d1d418bc490
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
6c05dfe8f17d9df784b99f24c719fa342b169e05ce3628a7a86a19b9e4117e87
MD5 hash:
f10476b5f25c36a0864a9f2ffb3b87cb
SHA1 hash:
6b512b22b3f4258c1167e9ea9eb5aa4885162064
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
11d913f266d16a6f521b9781121a9f9bf48b6d5865e59d9473141af3aed030f9
MD5 hash:
62fac50b2e6dcfe606cc6698a69c2e17
SHA1 hash:
2e18944f69c75fe9ace2785d4994d2f94be659bd
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
9c76a1f10ff8e8b4e6677662e2cb29a0c7becc3a5a836a4b2582498f2ee5a531
MD5 hash:
5cd8cdb777971a712858a96788e73141
SHA1 hash:
c711ebb6cefea34626cec4aa665d01517a395b6d
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
7e3be934ccc03b276f10734f3cd1900f43a4c4f376bf558e0703c01386c23d9d
MD5 hash:
dfd8194246d831a0d0c6f34adbfef884
SHA1 hash:
8b1860448785aef7380ffb95997598eb52a6c9ef
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
a75cd2216cbfe0a9d536933bc8c73f7a7331ed6bce475f57ec36f10e782b0c4c
MD5 hash:
522c1315007fd7b0594c156e9350d5a2
SHA1 hash:
ac4a252be6e428c177390d7309e4af93a0920eda
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
5caee2b700095889d053532bfcafa5a92fcede5daea90b7fd27eabcddace94dc
MD5 hash:
f49a886499e8a652c5c103a375614d16
SHA1 hash:
095d5dc13f3be74d1537c8b89d9e699a28544f90
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
SH256 hash:
e151a929c69d6b05b9326bdae2679e828cd8c0c6e27bfe9866976e7943630e24
MD5 hash:
a0c8da8c027e72bde129e39b1c827497
SHA1 hash:
b7bd017bcea6ab84942731294f08c67f40855453
Link:
https://www.unpac.me/results/0ef0e6a8-babf-4936-9c5f-af4da872883c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e151a929c69d6b05b9326bdae2679e828cd8c0c6e27bfe9866976e7943630e24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192288/

Comments