MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
SHA3-384 hash: 9669383aafa5c1ff040973d0ee2f99ab046317b2620e83fd0e55a4404513f2617467912382a9da308675f7a4735e1a63
SHA1 hash: b218a9d8ef616d3ca0aa82057d27d06fa20c0fe8
MD5 hash: 5242345c42ee4ceaa8fae3d2c439f224
humanhash: speaker-march-table-king
File name:5242345c42ee4ceaa8fae3d2c439f224.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'075'301 bytes
First seen:2021-10-26 22:05:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yMMoEWGtKb+IyjgHecekwecyCIzfsDF4hSeBL3aSGQPAoeAbL2:yMYKBHNfcTIzkqRvPeaq
Threatray 650 similar samples on MalwareBazaar
TLSH T104163376EC04C12FE84FCEB3A6776F762DA19E5778895B0BFB10060E94711B21C89726
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
213.142.148.231:58682

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
213.142.148.231:58682 https://threatfox.abuse.ch/ioc/237755/
185.81.115.38:81 https://threatfox.abuse.ch/ioc/237934/
84.38.189.175:18214 https://threatfox.abuse.ch/ioc/237935/

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200349/
Detection(s):
Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61787bcedb358dd15eddc625/reports/1d8a8c38-6893-42a1-b415-f472d34b2c99/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9785445d-b815-4c75-94e2-405a20560590
Result
Threat name:
Backstage Stealer FormBook SmokeLoader S
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877385
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Backstage Stealer
Yara detected FormBook
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 509818 Sample: p3IJWYfJZw.exe Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 90 51.15.78.68 OnlineSASFR France 2->90 92 213.32.74.157 OVHFR France 2->92 94 5 other IPs or domains 2->94 114 Sigma detected: Xmrig 2->114 116 Malicious sample detected (through community Yara rule) 2->116 118 Antivirus detection for URL or domain 2->118 120 18 other signatures 2->120 13 p3IJWYfJZw.exe 10 2->13         started        signatures3 process4 file5 88 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 13->88 dropped 16 setup.exe 8 13->16         started        process6 file7 60 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 16->60 dropped 62 C:\Users\user\AppData\...\setup_install.exe, PE32 16->62 dropped 64 C:\Users\user\AppData\Local\...\libzip.dll, PE32 16->64 dropped 66 3 other files (none is malicious) 16->66 dropped 19 setup_install.exe 3 16->19         started        process8 file9 68 C:\Users\user\AppData\...\c13ef79c884ab.exe, PE32 19->68 dropped 22 cmd.exe 1 19->22         started        25 conhost.exe 19->25         started        process10 signatures11 122 Adds a directory exclusion to Windows Defender 22->122 27 c13ef79c884ab.exe 16 22->27         started        process12 file13 70 C:\Users\user\AppData\...\setup_install.exe, PE32 27->70 dropped 72 C:\Users\user\...\Mon16f248f5178cf7.exe, PE32 27->72 dropped 74 C:\Users\user\AppData\...\Mon16df2c59942.exe, PE32 27->74 dropped 76 11 other files (5 malicious) 27->76 dropped 30 setup_install.exe 1 27->30         started        process14 dnsIp15 108 8.8.8.8 GOOGLEUS United States 30->108 110 172.67.190.165 CLOUDFLARENETUS United States 30->110 112 127.0.0.1 unknown unknown 30->112 144 Adds a directory exclusion to Windows Defender 30->144 34 cmd.exe 30->34         started        36 cmd.exe 30->36         started        38 cmd.exe 30->38         started        40 7 other processes 30->40 signatures16 process17 signatures18 43 Mon16f248f5178cf7.exe 34->43         started        48 Mon16df2c59942.exe 36->48         started        50 Mon16de11564d8d.exe 38->50         started        124 Adds a directory exclusion to Windows Defender 40->124 52 Mon160cae6eb9c9.exe 40->52         started        54 Mon162812607e58157d.exe 40->54         started        56 powershell.exe 25 40->56         started        58 Mon1685c58dbfe.exe 40->58         started        process19 dnsIp20 96 45.142.182.152 XSSERVERNL Germany 43->96 98 37.0.10.214 WKD-ASIE Netherlands 43->98 106 11 other IPs or domains 43->106 78 C:\Users\...\mx9tDrr1WndlBfvrorR0F0wv.exe, PE32 43->78 dropped 80 C:\Users\...\94_LH4UhpD8UqEu_A9xtyK5_.exe, PE32 43->80 dropped 82 C:\Users\user\...\search_hyperfs_204[1].exe, PE32 43->82 dropped 86 26 other files (7 malicious) 43->86 dropped 126 Detected unpacking (creates a PE file in dynamic memory) 43->126 128 Tries to harvest and steal browser information (history, passwords, etc) 43->128 130 Disable Windows Defender real time protection (registry) 43->130 132 Machine Learning detection for dropped file 48->132 134 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 48->134 136 Maps a DLL or memory area into another process 48->136 138 Checks if the current machine is a virtual machine (disk enumeration) 48->138 100 208.95.112.1 TUT-ASUS United States 50->100 102 45.136.151.102 ENZUINC-US Latvia 50->102 140 Contains functionality to steal Chrome passwords or cookies 50->140 104 74.114.154.18 AUTOMATTICUS Canada 52->104 84 C:\Users\user\...\Mon162812607e58157d.tmp, PE32 54->84 dropped 142 Antivirus detection for dropped file 54->142 file21 signatures22
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 02:52:17 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kndz3gq56t7d4gelscxebemsqqjbxhl3wlixh6pjthehagadasa._file
Verdict:
unknown
Similar samples:
18f74890fef60f1e18d5b1d0b43f100c69b430445187d672bbedf46aff687d09
RedLineStealer
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
RedLineStealer
74bafd56c1fb3cdebf0a63de4ffb6f16dc1d5cee38e11ab0d2bc2614538da65f
RedLineStealer
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
RedLineStealer
8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0
RedLineStealer
9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b
RedLineStealer
+ 640 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:vidar botnet:706 aspackv2 backdoor discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/211026-1z3k8sada7/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
SmokeLoader
Vidar
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
ce0eceb737e78ea7141dc96cec7d233c8e743f1e5195c7a4e727959d0638ada1
MD5 hash:
38b3c3e31db4a513a099237133fa1268
SHA1 hash:
f1d1fe36210c73e1015a58b0856e2ec46af659c2
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
bc0dcc0e256cad5dddc38f204fd54b01250e444cf1facc8bee0030bb6b1ecdbb
MD5 hash:
48f857e6c61ee021cbcaef90254b62eb
SHA1 hash:
db9d7d8aea91b674218717b2883c72c68f9d4903
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
2dcdeb7595e193d1dc79c314da4ad08ededb077e999e032ca0543c876eee8d59
MD5 hash:
4336cdd2082496f94f5702210f8d0251
SHA1 hash:
9992e6ccc1047df5daa231cafe54d686cdde26f3
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
d4ce1c2d73c49960329244d20cadd19c75ba410f2eabbaa03852435c20a74e7c
MD5 hash:
b70d78c71d3ea295544d99ea27cc6e40
SHA1 hash:
59f430de7610638ec3c8a75fecbfffbba288afa0
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
7b36a597eb31d55ef2e75eb0eef1f462635e05df00284a7fb5ae0d1c1fcd02de
MD5 hash:
d3db6e1ac5bd7bfe7ef8921a45acdad6
SHA1 hash:
538b314490a8a734e54d684c28fcec0af7339568
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
d9d927fcebe74aaa4f2240ee1705a5ed322064838287dd5b93d93ed1f1724afb
MD5 hash:
99f74a0f46fc196b30802d895147e526
SHA1 hash:
3000a2056594fdf27bbbb0582d41bedaf6eee2fe
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
40f8dce31beb48a500833b7d9cc5e8e2c769383560144eca987d8d518d80319b
MD5 hash:
303d125ad60ffd7f3851cdfa5e55eaeb
SHA1 hash:
18aeb3956434721c664686c0ce3a4be1f7bd74b9
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
8f34a67f03c9a1795827a251f5ec6930759e43df27915101fcc9ecccdd60399e
MD5 hash:
15a2ee079506d121c975e60a039d1ad1
SHA1 hash:
fc2518cfa9641869b94944e4cf8bebf59068cc2d
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
918d6c0eefdf65105a529d1a8268871f94aa9c5342276faedcde2932e16fe1d3
MD5 hash:
8fa35c1eedb3b1aec95cb0ae4ea9f288
SHA1 hash:
cee9648cc9bd46f2c49adb511cc99f46533de3e5
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
1e47b0a87b714febf0f805a2c319a150cc8bd58d738669c76c975a64d40130ab
MD5 hash:
6cbca955ae2bb778cf9de6cef5d114a7
SHA1 hash:
527feb36a0cbd2c348df1862bb2d4516ed9bad6f
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
95c89bb747b88dd9311720c3c20da87f389bcf09fd82cf18cede976592ba025c
MD5 hash:
6b49e424296f7f56cde9ea85c67c474b
SHA1 hash:
e700b34bf053a887672c83d68a0a302022878ebf
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
a743d4a43fd4f1f32b13a7e7072aba179b421af07ee7c0a1183aecf452b4f85f
MD5 hash:
3e32b7f5ef077583f10164466a37157f
SHA1 hash:
58ed61ea1e92a3ea352af41e25e377c65b70a4b2
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
a63419ae6ad779ca9907a876d63725062133b1c7fea8edcd48ba3a9ba43f1870
MD5 hash:
d63e42d193a4b7a8933ef9a2b0f66371
SHA1 hash:
17d931714446b9825f27515ab67ccabc3fec1f47
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
b3677bcac7e5350894d03497fde4065063b7a562609a23f6ce7655850eaeba4b
MD5 hash:
f5c7d91adf5dbc63a5200615323d608b
SHA1 hash:
b3d0dc7cfa902b1aceea4004e14bfb0211920fce
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
fc7bfcc9ae62c97a2a7e783f8d0dafc12021fec7aa6e88f1377f22faf02440c9
MD5 hash:
6351dbb2c9a987125248b96c24d32521
SHA1 hash:
bf145b1ca3bf91b4908a22994ad9a5a30636236a
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
SH256 hash:
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
MD5 hash:
5242345c42ee4ceaa8fae3d2c439f224
SHA1 hash:
b218a9d8ef616d3ca0aa82057d27d06fa20c0fe8
Link:
https://www.unpac.me/results/bf6def04-ea8d-43c9-b6aa-680821b4c3b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/200349/

Comments