MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1917f133b3838845a0611ae4e9ac5db1479461c18644d1739f058c2adc4d9cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: e1917f133b3838845a0611ae4e9ac5db1479461c18644d1739f058c2adc4d9cb
SHA3-384 hash: cbc1649884a8f7ba742e7430a619d8cee3d7ae02e86774739f77e97a8a4f22c52a6a6e8a457ba183402d45b346dacc04
SHA1 hash: aee319eade0123403551a7a6e9fec06bd940dd2d
MD5 hash: 860c180f8e614d3314b8f058d2e91a8d
humanhash: oklahoma-cold-bakerloo-cola
File name: E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe
Signature RedLineStealer
File size: 6'462'024 bytes
First seen: 2021-11-20 01:10:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:xILUCgvyrTvJNKmq9N58VvQgjxjP2h8ZGDq5:xEdgvoTgUXZdiW
Threatray 1'729 similar samples on MalwareBazaar
TLSH T11E5633307B4341FAEEC262380EDC6FB73165D789AB2085871362993E6D6C4354A0BF79
File icon (PE): PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
77.232.40.51:20166

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
77.232.40.51:20166   https://threatfox.abuse.ch/ioc/251021/

Intelligence


File Origin
# of uploads: 1
# of downloads: 163
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe
Verdict:
No threats detected
Analysis date:
2021-11-20 01:13:54 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level: 10/10
Confidence:
100%
Tags:
arkeistealer barys overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph (image; text rendering not recoverable): Behavior Graph ID: 525460; Sample: E1917F133B3838845A0611AE4E9...; Startdate: 20/11/2021; Architecture: WINDOWS; Score: 100.
Graph nodes listed in the extracted text: network hosts 208.95.112.1 TUT-ASUS United States, 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States, 127.0.0.1, 37.0.10.214 WKD-ASIE Netherlands, 37.0.10.244 WKD-ASIE Netherlands, 5.9.164.117 HETZNER-ASDE Germany, 5.9.162.45 HETZNER-ASDE Germany, 8.8.8.8 GOOGLEUS United States, plus other IPs or domains not named in the graph text; dropped files C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\AppData\...\Tue02dc626f48.exe (PE32), C:\Users\user\...\Tue02b2110095fe706.exe (PE32), C:\Users\...\9uKoivNtvPoU5Sgq0UPo6egQ.exe (PE32+), C:\Users\user\AppData\...\Setup12[1].exe (PE32), C:\Users\user\...54iceProcessX64[1].bmp (PE32+), C:\Users\user\...\Tue02b2110095fe706.tmp (PE32), plus 14 other files (9 malicious) and 2 other malicious files; process chain E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe -> setup_install.exe -> cmd.exe (x3, plus 10 other processes) -> Tue02520f255d0ba43a.exe, Tue02522f9ea0b1.exe, Tue02705f9c2b455.exe, Tue026e94a5005f8.exe, Tue026e182673.exe, Tue02b2110095fe706.exe and 5 other processes.
Signatures attached to graph nodes: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Injects a PE file into a foreign processes; Obfuscated command line found; and 14 other signatures.
Threat name:
Win32.Trojan.ArkeiStealer
Status:
Malicious
First seen:
2021-09-14 07:00:33 UTC
AV detection:
23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:ani aspackv2 backdoor discovery evasion infostealer spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
http://www.gianninidesign.com/
https://dimonbk83.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
45.142.215.47:27643
Unpacked files
SH256 hash:
b49b481d28c715d77f5b7e543d022e794512722a152613e19f7008408c4f11ce
MD5 hash:
b542578d999ab72d4fc1e2f84a5c5d4b
SHA1 hash:
739677283a2270ab7c8eecb5c9c2e946d157530a
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
SH256 hash:
e198f1b8191b7d53338bc3b6587d2b901c25d2d71e978e40285d7445a1e8b6f2
MD5 hash:
9ca805e01c8c4decf77467a0c1206d98
SHA1 hash:
f813b6bbb170baa5609629fa772668000d5cc8e8
SH256 hash:
c034ee0ed45c8278cf10e330a92220f7d33c2d3d10f2721c2acabcca552b6423
MD5 hash:
4df600c45dbfd49fa9e31134e8f47434
SHA1 hash:
f07d4411a7b3722206e9d17e94749819930cedcb
SH256 hash:
76dfed12190f13c429fbd4927ca86aba574101f0c34a7bb078e2f36c3f92c025
MD5 hash:
20db8d663190e8c34f8b42d54a160c2c
SHA1 hash:
eb45301ec9c5283634679482e9b5be7a83187bb5
SH256 hash:
925141968313f4b7d0a74b4c685817594e2ba35bd23788024d6dd1ec79624881
MD5 hash:
872aaed08d9abb9d95df2dbb57b2a919
SHA1 hash:
c93d8f09a158601558e0fe40511ae7a325a5358c
SH256 hash:
096bd54f8fe071e35ae7fd575c0dc031cf7ac4b5d32b96cad6f2dd41a200d85a
MD5 hash:
971852daad1cdacf2616979cb6a80bea
SHA1 hash:
a4ebc9fc95eaf82f52d23a9ff6df4ec654ea91ed
SH256 hash:
ac77b0eeef4d09fba26dc24fb67a9158b96c52f083e4ec58e89aa29df5a3675c
MD5 hash:
3d7be553c929902a460dd8e5057dc7be
SHA1 hash:
a043a0f5e90b5fa89d3f7a3d87d29d6cb03e5a32
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SH256 hash:
c598a971f1d8bc58362396b10df4359654354e6c7b1b56741cea2a532e9bdd94
MD5 hash:
3367116dc59fc2b806bb5ec8c36bf2b6
SHA1 hash:
f4fb01a1efff6c7969383ccf7f64e4ac8cfc2c6f
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
SH256 hash:
0b9d955a655a48bf0d9f97399c7bc9925e7248f10080595f42d3a635bcc2490d
MD5 hash:
ce8301ae4397014ee444411cce29d1cd
SHA1 hash:
5e86f712bf713f4ae05af5f060cadd4c23453fdc
Detections:
win_socelars_auto
SH256 hash:
96ca4cbf9f3bafce4680fa6c9b1e5d983e08458e5986ddb6cf176673ba726fcb
MD5 hash:
04f853eb99c5a8bdba8c233e3b03a62a
SHA1 hash:
0b9acc7ac2548dac02ac82688635d4478aed870c
SH256 hash:
08054017dd4bcb9c21bfe7b5537e0a338695e678350c78f799bebf8bef269394
MD5 hash:
15dd0025972f61fd9bd73cbba1042e29
SHA1 hash:
9256051823a3be095abbd29fc0b9aadd54d3c9f8
SH256 hash:
e09a61f0fb861991f5e565add5a0a674e71f40869899ca708d29df06d0fdbeba
MD5 hash:
7b1f830cfbaf07dd355ce8136ebde02c
SHA1 hash:
c8baa08fb4e07bd1601cdf6e6c02a32534a735fd
SH256 hash:
78a96268604a500880ddc7dd07a9540b2f7abf2f9f0befe09e3791132406a8a4
MD5 hash:
15b191a647098b6fb574d363dc70826b
SHA1 hash:
df08f14da48003a5d01d392987a4b657f3285ecc
SH256 hash:
e1917f133b3838845a0611ae4e9ac5db1479461c18644d1739f058c2adc4d9cb
MD5 hash:
860c180f8e614d3314b8f058d2e91a8d
SHA1 hash:
aee319eade0123403551a7a6e9fec06bd940dd2d
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments