MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebfe121f28f0cde253640238d03009c79d392a6bf5adfdb9aff509787505f88d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: ebfe121f28f0cde253640238d03009c79d392a6bf5adfdb9aff509787505f88d
SHA3-384 hash: 2f38f0083c4810f519204c90b5f809c9cb6c61bbac5ffb859692cb54b8ec56ed708f3f0d9aa907a58b0f6f847cab0d36
SHA1 hash: e76d6136b813c665f051c859924a53a2a7f9f8f6
MD5 hash: a9dd8b265393fa06ae5841cb38421101
humanhash: violet-cat-wolfram-cup
File name: a9dd8b265393fa06ae5841cb38421101.exe
Signature RedLineStealer
File size: 9'425'120 bytes
First seen: 2022-03-28 08:45:34 UTC
Last seen: 2022-03-29 06:28:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:x90cRX8ae5PdabSo9/BUAZQtVKq3f8pJ6wlmsoOrj2hoatIja:xacRXteXauc/OigKgfoJ6TwSWHa
Threatray 7'334 similar samples on MalwareBazaar
TLSH T1E59633313BD0D0BBEE213834DE40BF6879F4D35C4A15626F1B90D5DBAABC9A5200E6D6
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
23.254.133.7:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
23.254.133.7:443    https://threatfox.abuse.ch/ioc/456191/

Intelligence


File Origin
# of uploads: 2
# of downloads: 213
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Launching a process
Creating a window
Searching for analyzing tools
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Yara detected onlyLogger
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph: (rendered as an image on the original page and not reproduced here; Behavior Graph ID: 598125, sample: 7C4A7EN74j.exe, start date: 28/03/2022, architecture: WINDOWS, score: 100)
Threat name: Win32.Backdoor.Manuscrypt
Status: Malicious
First seen: 2022-03-25 01:20:49 UTC
File Type: PE (Exe)
Extracted files: 301
AV detection: 30 of 42 (71.43%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:smokeloader family:socelars aspackv2 backdoor discovery loader persistence spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments