MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
SHA3-384 hash: d7160ebef8b8eefd8170c90227e631b62007854550fe660e8b622252b3317d13b45a9f9ac88154aae777a9fc3d933dc5
SHA1 hash: a9d0ce078ee1b6eb453009235dd9819dfa94cfd1
MD5 hash: ca6a56773bcfecf81d5ab307173ff9b3
humanhash: west-sierra-april-missouri
File name: EC306F0A108C77A02AB48C5C85296C4B3B7D4B690245F.exe
Signature: RedLineStealer
File size: 2'195'231 bytes
First seen: 2022-08-13 18:15:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBGaIbUyCW8Q4ES6v35m62oXNaQ9PFPcNuEwJ84vLRaBtIl9mTpkBDoT4:xFDcQ4X6/I66XCvLUBsKK6T4
TLSH T1E2A53362B3D7C4BFC90610305E84BFB690F7A35617341A9FB345CA0E4F7A895C62B668
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://45.159.248.173/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                        ThreatFox reference
http://45.159.248.173/     https://threatfox.abuse.ch/ioc/842877/
77.73.131.38:19955         https://threatfox.abuse.ch/ioc/842938/
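Turning the two indicators above into a check over network logs, as an added example that is not MalwareBazaar's or ThreatFox's code: the IOC values and their ThreatFox references are copied from the table; the key=value log format, the 10.0.0.12 client and the 198.51.100.x destinations are constructed for the illustration. The URL indicator is reduced to its host and scheme-default port, and a connection to an IOC host on some other port is reported as a weaker "host-only" hit rather than dropped.

```python
"""Match the network IOCs from this entry against proxy/firewall log lines.

Added example, not MalwareBazaar or ThreatFox code.  The two indicators and
their ThreatFox references are copied from the table above; everything else
(the key=value log format, the 10.0.0.12 client and the 198.51.100.x
destinations) is constructed for this illustration."""
import re
from urllib.parse import urlsplit

# Indicators published for this sample, with their ThreatFox references.
IOCS = {
    "http://45.159.248.173/": "https://threatfox.abuse.ch/ioc/842877/",
    "77.73.131.38:19955": "https://threatfox.abuse.ch/ioc/842938/",
}

# Constructed log lines (not real traffic): one proxy log, one firewall log.
PROXY_LOG = """\
2022-08-13T18:20:11Z src=10.0.0.12 dst=45.159.248.173 dport=80 method=POST url=http://45.159.248.173/ status=200
2022-08-13T18:20:13Z src=10.0.0.12 dst=198.51.100.20 dport=443 method=GET url=https://accounts.google.com/ status=200
"""
FIREWALL_LOG = """\
2022-08-13T18:21:02Z src=10.0.0.12 dst=77.73.131.38 dport=19955 proto=tcp action=allow
2022-08-13T18:21:05Z src=10.0.0.12 dst=77.73.131.38 dport=443 proto=tcp action=allow
2022-08-13T18:21:09Z src=10.0.0.12 dst=198.51.100.53 dport=53 proto=udp action=allow
"""

KV = re.compile(r"(\w+)=(\S+)")


def ioc_host_port(ioc: str):
    """Reduce a URL or host:port indicator to (host, port).

    A URL without an explicit port gets the scheme default, so the
    RedLine C2 URL above becomes ('45.159.248.173', 80)."""
    if "://" in ioc:
        u = urlsplit(ioc)
        return u.hostname, u.port or (443 if u.scheme == "https" else 80)
    host, _, port = ioc.rpartition(":")
    return host, int(port)


def build_index(iocs=IOCS):
    """Map destination host -> {port: ThreatFox reference}."""
    index = {}
    for ioc, ref in iocs.items():
        host, port = ioc_host_port(ioc)
        index.setdefault(host, {})[port] = ref
    return index


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def match_iocs(lines, iocs=IOCS):
    """Return one hit per line whose destination is an IOC host.

    A hit is 'exact' when the port matches the indicator as well, and
    'host-only' when only the host matches: traffic to a known C2 host on
    another port is still worth a look, but ranks below an exact match."""
    index = build_index(iocs)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        dst = f.get("dst")
        if dst not in index:
            continue
        port = int(f.get("dport", 0))
        ports = index[dst]
        if port in ports:
            hits.append((f["ts"], f["src"], dst, port, "exact", ports[port]))
        else:
            hits.append((f["ts"], f["src"], dst, port, "host-only",
                         ", ".join(sorted(ports.values()))))
    return hits


if __name__ == "__main__":
    for hit in match_iocs((PROXY_LOG + FIREWALL_LOG).splitlines()):
        print(*hit)
```

Run against the constructed lines this reports three hits: the POST to the RedLine C2 on port 80, the connection to 77.73.131.38:19955, and a host-only hit for 77.73.131.38:443. Swap the embedded strings for your own proxy and firewall exports and the parser for whatever format they use; the indexing and matching stay the same.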

Intelligence


File Origin
# of uploads :
1
# of downloads :
605
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EC306F0A108C77A02AB48C5C85296C4B3B7D4B690245F.exe
Verdict:
No threats detected
Analysis date:
2022-08-13 18:16:21 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Moving a file to the %temp% subdirectory
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
barys overlay packed shell32.dll upatre wacatac zusy
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 683567
Sample: EC306F0A108C77A02AB48C5C852...
Startdate: 13/08/2022
Architecture: WINDOWS
Score: 100

Top-level network: accounts.google.com; www.filifilm.com.br; 17 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 17 other signatures
accounts.google.com: May check the online IP address of the machine

Process tree (dropped files, contacted hosts and signatures per process):

EC306F0A108C77A02AB48C5C85296C4B3B7D4B690245F.exe
  dropped: C:\Users\user\AppData\Local\...\sonia_7.txt (PE32+); C:\Users\user\AppData\Local\...\sonia_6.txt (PE32); C:\Users\user\AppData\Local\...\sonia_5.txt (PE32); 10 other files (6 malicious)
  setup_install.exe
    network: watira.xyz; live.goatgame.live; 127.0.0.1
    dropped: C:\Users\user\AppData\...\sonia_6.exe (copy, PE32); C:\Users\user\AppData\...\sonia_5.exe (copy, PE32); C:\Users\user\AppData\...\sonia_2.exe (copy, PE32); 4 other files (1 malicious)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Performs DNS queries to domains with low reputation; Machine Learning detection for dropped file
    cmd.exe
      sonia_6.exe
        network: 212.193.30.115 port 80 (SPD-NETTR, Russian Federation; client port 49792); 12 other IPs or domains
        dropped: C:\Users\...\wSeDusGTVcbVMtuKwsXo9srC.exe (PE32); C:\Users\...\ZYIKFvMlqOf2pwq976JtV0_n.exe (PE32); C:\Users\...\XmvJRZgy6qmN8MqX5iYN_iqU.exe (PE32); 8 other files (7 malicious)
        signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
        XmvJRZgy6qmN8MqX5iYN_iqU.exe
          signatures: Tries to detect virtualization through RDTSC time measurements
        ZYIKFvMlqOf2pwq976JtV0_n.exe
        FBJtIMlis1zl7FrS5nQuTGhk.exe
        3 other processes
    cmd.exe
      sonia_2.exe
        dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
        signatures: DLL reload attack detected; Detected unpacking (changes PE section rights); Renames NTDLL to bypass HIPS; 3 other signatures
        explorer.exe (injected)
          dropped: C:\Users\user\AppData\Roaming\vbvctgb (PE32)
          signatures: Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
    cmd.exe
      sonia_5.exe
        network: 4 other IPs or domains
        signatures: Performs DNS queries to domains with low reputation
    7 other processes, among them:
      sonia_1.exe
        sonia_1.exe
          network: live.goatgame.live; s.lletlee.com; pcfixmy-download-96.xyz
          signatures: Performs DNS queries to domains with low reputation (live.goatgame.live)
          conhost.exe
      sonia_7.exe
        network: s.lletlee.com; 6 other IPs or domains
      sonia_4.exe
        network: cdn.discordapp.com (162.159.129.233 port 443, CLOUDFLARENETUS, United States; client ports 49745, 49749)
      sonia_3.exe
        network: 2 other IPs or domains
vbvctgb
  signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
Threat name:
Win32.Downloader.ShortLoader
Status:
Malicious
First seen:
2021-07-25 11:05:29 UTC
File Type:
PE (Exe)
Extracted files:
101
AV detection:
22 of 26 (84.62%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
raccoon
Result
Malware family:
Score:
  10/10
Tags:
family:gozi_ifsb family:privateloader family:redline family:vidar botnet:706 aspackv2 banker infostealer loader stealer trojan
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Gozi, Gozi IFSB
PrivateLoader
RedLine
Vidar
Malware Config
C2 Extraction:
https://shpak125.tumblr.com/
Unpacked files
SHA256 hash: 6dcea01b2e7b7d97346c397df8195f1a03a8eda15f798349210a23b7648d2f8c
MD5 hash: d666b702f7ed9be4421f5871045d1de7
SHA1 hash: c97e3d1ef11ce69f92281da51e52e38860ea1dda

SHA256 hash: c204948f88c6d384b39069c2c5c69ed62105ee73f391ff105b3e36081f12fc5d
MD5 hash: cd8b4ea3aa92a0ed9eee929b3585c711
SHA1 hash: da430a7a38bd3c7ad75ab6e9ed4a4ca6a077ac54
Detections: win_vidar_auto

SHA256 hash: 69524918f1096bd5022e42338010d60cffbe9701b24cd37dcaef0968d613b61f
MD5 hash: dd2bf0dee6ae5d48dca6ac3f662a3efa
SHA1 hash: 7a34b5dc6e1cf5a30aeddefd84e6c93bc4bd8994

SHA256 hash: bfd61920735254ab798c1f7a1be84d7e250574c3b9a7d6d51a95303c1bf02d0f
MD5 hash: 77f0d126269bd9fd6d669292e0d947c0
SHA1 hash: f40529ce7b9ef94d779b66cbc48062a011be8796

SHA256 hash: 944d0036c359c3406803a1b8ebb0f434e9a53bf443cce4a92038202cbfd71655
MD5 hash: e392bc384c98ddd5dd55794a096ab787
SHA1 hash: afd2c5471065d10ee67d89b037360d80b9474885
Detections: win_privateloader_a0 win_privateloader_auto win_privateloader_w0

SHA256 hash: 53b77d51acdb7436557c9cc6eaa7234f51aface44486decea9d26996945d770b
MD5 hash: 89a240239ad9d68adcd5966c4293633a
SHA1 hash: a1081370844ee069aad427b0c3f4c522ae669c81

SHA256 hash: 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash: c0d18a829910babf695b4fdaea21a047
SHA1 hash: 236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256 hash: a11e68c8315b35d3dbc5ddcc6a30a2699b54b57d8c8b486cb83156b569ede041
MD5 hash: a1f938677aff9be7b4ab5add5a25521b
SHA1 hash: b1a5c6e38e16972b7224f4e2540806680287c129

SHA256 hash: ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
MD5 hash: ca6a56773bcfecf81d5ab307173ff9b3
SHA1 hash: a9d0ce078ee1b6eb453009235dd9819dfa94cfd1
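Recomputing the digests this entry lists, for the submitted sample (top of the page) and for the unpacked files just above, as an added example that is not MalwareBazaar's code: the hash values are copied from this page; Python's hashlib covers MD5, SHA1, SHA256 and SHA3-384, while imphash, ssdeep and TLSH need third-party libraries and are not computed here. The bytes used in the self-check are constructed and are not malware. Use it to confirm that a downloaded file really is the sample before spending analysis time on it, and to label unpacked artefacts by the SHA256 values the entry records for them.

```python
"""Recompute the hashes this entry lists and check a file against them.

Added example, not MalwareBazaar code.  The digest values are copied from
this page (the submitted sample and the unpacked files, with the YARA
detections the entry records); the bytes used in self_check() are
constructed and are not malware."""
import hashlib

# Digests the entry lists for the submitted sample.
SAMPLE_EXPECTED = {
    "sha256": "ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8",
    "sha1": "a9d0ce078ee1b6eb453009235dd9819dfa94cfd1",
    "md5": "ca6a56773bcfecf81d5ab307173ff9b3",
    "sha3_384": "d7160ebef8b8eefd8170c90227e631b62007854550fe660e8b622252b3317d13b45a9f9ac88154aae777a9fc3d933dc5",
}

# SHA256 of every file on this page, with the detection the entry records.
KNOWN_SHA256 = {
    "ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8": "submitted sample (RedLineStealer)",
    "6dcea01b2e7b7d97346c397df8195f1a03a8eda15f798349210a23b7648d2f8c": "unpacked file (no detection listed)",
    "c204948f88c6d384b39069c2c5c69ed62105ee73f391ff105b3e36081f12fc5d": "unpacked file: win_vidar_auto",
    "69524918f1096bd5022e42338010d60cffbe9701b24cd37dcaef0968d613b61f": "unpacked file (no detection listed)",
    "bfd61920735254ab798c1f7a1be84d7e250574c3b9a7d6d51a95303c1bf02d0f": "unpacked file (no detection listed)",
    "944d0036c359c3406803a1b8ebb0f434e9a53bf443cce4a92038202cbfd71655": "unpacked file: win_privateloader_a0 win_privateloader_auto win_privateloader_w0",
    "53b77d51acdb7436557c9cc6eaa7234f51aface44486decea9d26996945d770b": "unpacked file (no detection listed)",
    "78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98": "unpacked file (no detection listed)",
    "a11e68c8315b35d3dbc5ddcc6a30a2699b54b57d8c8b486cb83156b569ede041": "unpacked file (no detection listed)",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def digests(data: bytes) -> dict:
    """Compute the four digests the entry lists, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def file_digests(path) -> dict:
    """Same as digests() but streamed, so large samples are not read whole."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def mismatches(computed: dict, expected: dict) -> list:
    """Names of algorithms whose computed digest differs from the expected one."""
    return sorted(alg for alg, val in expected.items()
                  if computed.get(alg) != val.lower())


def identify(computed: dict):
    """Look the SHA256 up among the files this entry lists (None if unknown)."""
    return KNOWN_SHA256.get(computed["sha256"])


def check_file(path, expected=SAMPLE_EXPECTED) -> dict:
    """Hash a file on disk, compare it with the entry, and label it."""
    d = file_digests(path)
    return {"path": str(path), "sha256": d["sha256"],
            "mismatches": mismatches(d, expected), "known_as": identify(d)}


def self_check() -> bool:
    """Write constructed bytes to a temp file; streamed and in-memory must agree."""
    import os
    import tempfile
    sample = b"MZ" + bytes(range(256)) * 4  # constructed, not malware
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
    try:
        return file_digests(tmp.name) == digests(sample)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(check_file(arg))
```

A downloaded copy of the sample passes when `check_file()` returns an empty `mismatches` list and `known_as` names the submitted sample; a non-empty list on a file that claims to be this SHA256 means you have a different file (truncated download, re-packed variant, or simply the wrong artefact) and the rest of this entry does not apply to it.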
