MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19
SHA3-384 hash: af6de3a4ed2bf903b0c20641c6af447b893622cd26179aafb240343b34d214ac833eea130b76bf29e7f6a88351016396
SHA1 hash: 15bca8e4ff1b61115f837916d99161a42d1949c8
MD5 hash: 2fedfa0417d379ff9485cd1718bfa2ee
humanhash: pizza-august-zebra-indigo
File name: 2FEDFA0417D379FF9485CD1718BFA2EE.exe
Signature: RedLineStealer
File size: 4'031'710 bytes
First seen: 2021-07-13 18:11:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep: 98304:vKI+y1o8pu1hJQ+b/e0JzWqToVoSmFoBbJ11GJqnVCiJwnH:v5q80Lm8J3oVpfDnm
Threatray: 129 similar samples on MalwareBazaar
TLSH: T183163365368940B2C2B174309F95DB700B3A3E301FA89AC7A7D17D2F7A385D39636726
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.142.213.135:30058

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.142.213.135:30058
ThreatFox reference: https://threatfox.abuse.ch/ioc/160114/

Intelligence


File Origin
# of uploads: 1
# of downloads: 142
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://keygenit.com
Verdict: Malicious activity
Analysis date: 2021-07-10 18:55:07 UTC
Tags: evasion trojan rat azorult stealer raccoon loader keylogger agenttesla fareit pony redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Cookie Stealer RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Creates files with lurking names (e.g. Crack.exe)
Creates processes via WMI
Detected VMProtect packer
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample is protected by VMProtect
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph (ID 448225; sample 73hU2cs3Em.exe; start date 13/07/2021; architecture WINDOWS; score 100)

Sample-level observations:
    DNS: google.vrthcobj.com
    Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 9 other signatures

Process tree:
    73hU2cs3Em.exe (started)
        Dropped: C:\Users\user\AppData\Local\...\note866.exe (PE32); C:\Users\user\AppData\...\askinstall39.exe (PE32); C:\Users\user\AppData\Local\...\Install.EXE (PE32+); 2 other malicious files
        Signatures: Creates files with lurking names (e.g. Crack.exe)
        note866.exe (started)
            Network: 101.36.107.74:80 (local port 49715; UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, China); iplogger.org 88.99.66.31:443 (local port 49717; HETZNER-ASDE, Germany)
            Dropped: C:\Users\user\Documents\...\note866.exe (PE32)
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user; 3 other signatures
        Crack.exe (started)
            Signatures: Creates processes via WMI
            Crack.exe (started)
                Dropped: C:\Users\user\AppData\Local\Temp\axhub.dll (PE32); C:\...\api-ms-win-core-string-l1-1-0.dll (PE32); C:\...\api-ms-win-core-namedpipe-l1-1-0.dll (PE32)
                conhost.exe (started)
            conhost.exe (started)
Threat name: Win32.Infostealer.Passteal
Status: Malicious
First seen: 2021-07-10 18:54:23 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5

Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:socelars discovery evasion infostealer persistence spyware stealer trojan vmprotect
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
VMProtect packed file
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 77be8bbae03a61e6c7f0058a9519d66bf6d044eac9facde65ec0f1d56e90281c
MD5 hash: 91e677a3e513b4e35b2dfae9368b839f
SHA1 hash: d46decd2afb4cd355019de0236fc1a8aacfcd67e

SHA256 hash: 32e62c643c322dec05d03b884873f651346c8b540a33ed3c64bea23e41924091
MD5 hash: 7ceed721ca4a06cc148c16d8b6216785
SHA1 hash: 5167201993fa3d787c609f18b238072b01bc88af

SHA256 hash: 887c758fa9da9829f471f7ed071b2fd8b0317c0950eeecc4c2fb7c85338cbfe1
MD5 hash: 10455ce3a52591fc886e0e8486ce2685
SHA1 hash: 2ad02b6931115cd7c951ca353935dac6ed06040c

SHA256 hash: 8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash: 559948db5816ae7ab26eb2eb533887ed
SHA1 hash: e60442c6fb35239d298b01b0f4558264c01b2e7f

SHA256 hash: 8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash: 1c7be730bdc4833afb7117d48c3fd513
SHA1 hash: dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256 hash: 4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash: ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash: 249ff902f66c3d0cee6656802b14a9c34807bc8f

SHA256 hash: b10c39066032526e67d9df965ee0dad3c2a061d7f16b972a60910f78c5d8ce6c
MD5 hash: 73cd6e595941b3147b7189eef60f989e
SHA1 hash: fd525e864f4820665b24e451cec716995c337d42

SHA256 hash: 742cb3409ed783fa597dcf1e42de10ae3e5f20183020fd8d2e0683768ae4bf57
MD5 hash: 262486d0b125f0e83c4a410b840125bf
SHA1 hash: 904c8ac5a59ec5f783a8c94e91cf72e1ee38a75d

SHA256 hash: a7c94cd00235b9d3dc327a6ab319a6b0d83e91264d2136dadbc816265c92cb82
MD5 hash: 174bdfea32a75d76c52c7184d873a0fc
SHA1 hash: dfe0c0137f870b74429912c5508724f462ba4e7d
Detections: win_socelars_auto

SHA256 hash: f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19
MD5 hash: 2fedfa0417d379ff9485cd1718bfa2ee
SHA1 hash: 15bca8e4ff1b61115f837916d99161a42d1949c8

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments