MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2433dfba69148a0c3a5a5951d360b6c3c045090de06f11e273f13ccd01c42f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: f2433dfba69148a0c3a5a5951d360b6c3c045090de06f11e273f13ccd01c42f3
SHA3-384 hash: 446d0d9f539c47c3178733092802940aff05808bca8919683ca8e2ec15530e6fc67f3d7d40c3384ffbebabc966b15d74
SHA1 hash: 924cc9ed33a64aaa2ee72f5ade42b03bcf40c7de
MD5 hash: e25438b6c7892bb93c9ce20a606d3b60
humanhash: oscar-bravo-south-robert
File name: F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe
Signature: RedLineStealer
File size: 4'398'418 bytes
First seen: 2021-11-18 20:16:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JYzkO+nC6W+R5DLYw43oJNla4vFaDlpRs0uS6D0JCSOYsJOYT:J7nW+/DMYJzaGsW0uSohOs/T
TLSH: T1D4163311A9CCD862DE45253B0C67D507FBBCE9A80B2D92DA572086FE124CB13998FFC5
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
49.12.216.102:42622

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
49.12.216.102:42622    https://threatfox.abuse.ch/ioc/250768/

Intelligence


File Origin
# of uploads: 1
# of downloads: 132
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe
Verdict: No threats detected
Analysis date: 2021-11-18 20:50:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Launching a tool to kill processes
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: arkeistealer barys overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine SmokeLoader Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph: (graph rendering not reproduced) Behavior Graph ID: 524763, Sample: F2433DFBA69148A0C3A5A5951D3..., Start date: 18/11/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-10-05 03:15:23 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Verdict: malicious
Label(s): trickbot
Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:smokeloader family:socelars botnet:jamesoldd aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Download via BitsAdmin
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
Unpacked files
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: RedLine_b
Author: @bartblaze
Description: Identifies RedLine stealer.
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments