MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7a805b251505433e34517da69eccb73955a424bb9d9061309091cf52c07a349. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7a805b251505433e34517da69eccb73955a424bb9d9061309091cf52c07a349
SHA3-384 hash: 0241ed2a2d425cba64e66c42745246dbbb4a722e400f04b69eb8bb1585855c7602b9da044ad1b811fc593b56c801f92b
SHA1 hash: e8004170f53ff94665f2ff97a97fb7a78d3a0a74
MD5 hash: ca15de24c3fa60e90b343b7376808d1c
humanhash: missouri-green-princess-cola
File name:CA15DE24C3FA60E90B343B7376808D1C.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'448'994 bytes
First seen:2021-08-25 03:26:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yIfOSOUrxz7b98tUs3nKN/r/i3AF6mwQApnC1VUc21ZBNcPflHM:yIfPOCxzHqB3t5NToVULBNc3a
TLSH T12F263321998138FEED276EF08C17BB9E48B1449408F5A8167B9437B1113779B9F3A387
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.234.247.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.234.247.35/ https://threatfox.abuse.ch/ioc/193640/

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CA15DE24C3FA60E90B343B7376808D1C.exe
Verdict:
No threats detected
Analysis date:
2021-08-25 03:26:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b029a634-7cd2-43ef-92e0-27dd850570db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182049/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0c5f205-a6f0-4ff9-bb33-0a5f46aa3e45
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838684
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 471115 Sample: vJD7NhhDgR.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 115 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->115 117 google.vrthcobj.com 34.97.69.225 GOOGLEUS United States 2->117 119 DrbPbUkqxjgjxlbJzPNI.DrbPbUkqxjgjxlbJzPNI 2->119 147 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->147 149 Multi AV Scanner detection for domain / URL 2->149 151 Antivirus detection for URL or domain 2->151 153 14 other signatures 2->153 13 vJD7NhhDgR.exe 10 2->13         started        16 rundll32.exe 2->16         started        18 svchost.exe 1 2->18         started        21 svchost.exe 2->21         started        signatures3 process4 dnsIp5 97 C:\Users\user\AppData\...\setup_installer.exe, PE32 13->97 dropped 24 setup_installer.exe 18 13->24         started        27 rundll32.exe 16->27         started        145 System process connects to network (likely due to code injection or exploit) 18->145 123 23.211.4.86 AKAMAI-ASUS United States 21->123 file6 signatures7 process8 file9 89 C:\Users\user\AppData\...\setup_install.exe, PE32 24->89 dropped 91 C:\Users\user\AppData\...\Mon20f645bba5.exe, PE32 24->91 dropped 93 C:\Users\user\...\Mon20ea2d1a99fe5.exe, PE32 24->93 dropped 95 13 other files (8 malicious) 24->95 dropped 30 setup_install.exe 1 24->30         started        163 Writes to foreign memory regions 27->163 165 Allocates memory in foreign processes 27->165 167 Creates a thread in another existing process (thread injection) 27->167 34 svchost.exe 27->34 injected signatures10 process11 dnsIp12 141 127.0.0.1 unknown unknown 30->141 143 watira.xyz 30->143 173 Performs DNS queries to domains with low reputation 30->173 175 Adds a directory exclusion to Windows Defender 30->175 36 cmd.exe 30->36         started        38 cmd.exe 30->38         started        40 cmd.exe 1 30->40         started        43 8 other processes 30->43 177 Sets debug register (to hijack the execution of another thread) 34->177 179 Modifies the context of a thread in another process (thread injection) 34->179 signatures13 process14 signatures15 45 Mon204f125a31b.exe 36->45         started        50 Mon200e0fb06f0e4eb.exe 38->50         started        155 Submitted sample is a known malware sample 40->155 157 Obfuscated command line found 40->157 159 Uses ping.exe to sleep 40->159 161 2 other signatures 40->161 52 powershell.exe 26 40->52         started        54 Mon20261d41513882.exe 43->54         started        56 Mon20dfbf5709ab4.exe 1 14 43->56         started        58 Mon2010d77a08c41abda.exe 43->58         started        60 4 other processes 43->60 process16 dnsIp17 133 2 other IPs or domains 45->133 99 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 45->99 dropped 181 Antivirus detection for dropped file 45->181 183 Machine Learning detection for dropped file 45->183 62 LzmwAqmV.exe 45->62         started        185 Multi AV Scanner detection for dropped file 50->185 66 cmd.exe 50->66         started        68 dllhost.exe 50->68         started        135 2 other IPs or domains 54->135 187 Detected unpacking (changes PE section rights) 54->187 189 May check the online IP address of the machine 54->189 191 Performs DNS queries to domains with low reputation 54->191 127 ip-api.com 56->127 137 3 other IPs or domains 56->137 101 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 56->101 dropped 103 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 56->103 dropped 193 Contains functionality to steal Chrome passwords or cookies 56->193 195 Drops PE files to the startup folder 56->195 197 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 58->197 199 Checks if the current machine is a virtual machine (disk enumeration) 58->199 70 explorer.exe 58->70 injected 129 37.0.10.237 WKD-ASIE Netherlands 60->129 131 37.0.11.8 WKD-ASIE Netherlands 60->131 139 6 other IPs or domains 60->139 201 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 60->201 203 Tries to harvest and steal browser information (history, passwords, etc) 60->203 205 2 other signatures 60->205 72 Mon206987d94f0ed4.exe 60->72         started        file18 signatures19 process20 dnsIp21 105 C:\Users\user\AppData\Local\...\Chrome 5.exe, PE32+ 62->105 dropped 107 C:\Users\user\AppData\Local\Temp\5.exe, PE32 62->107 dropped 109 C:\Users\user\AppData\Local\Temp\4.exe, PE32 62->109 dropped 113 3 other malicious files 62->113 dropped 207 Antivirus detection for dropped file 62->207 209 Machine Learning detection for dropped file 62->209 75 cmd.exe 66->75         started        78 conhost.exe 66->78         started        125 live.goatgame.live 104.21.70.98, 443, 49716 CLOUDFLARENETUS United States 72->125 111 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 72->111 dropped 80 conhost.exe 72->80         started        file22 signatures23 process24 signatures25 169 Obfuscated command line found 75->169 171 Uses ping.exe to sleep 75->171 82 PING.EXE 75->82         started        85 findstr.exe 75->85         started        87 Talune.exe.com 75->87         started        process26 dnsIp27 121 192.168.2.3, 443, 49690, 49709 unknown unknown 82->121
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7a805b251505433e34517da69eccb73955a424bb9d9061309091cf52c07a349/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 07:15:14 UTC
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=66ualmsrkbkdhy2fc7ngt3glookvuqslxhmqmeyjbeopklahuneq._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:706 botnet:pab3 aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210825-s365btz5ca/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
185.215.113.15:61506
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/
Unpacked files
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
SH256 hash:
11056c89b02dffdd9f97e429fbd1262d329016d117079abbbd50451bb3486ac2
MD5 hash:
ab636769db5d8c33fb964876115e3e1c
SHA1 hash:
00f0f9de24c0429f43ec1ab3e8fdbfac5854b23a
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
1ab460eac81001bfa0da8cbadfd4fba0ad0f371742a2c725ff5cf71bdd8e2b9f
MD5 hash:
1dc95107f7dd6d1392bb8d9b53b76916
SHA1 hash:
b26f9c90ad4656d2ddf3e96da967e0f65a9623e1
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
d1ff2f8a510fb4d25dd861e4cd5196585ccdd66cd6e941941e13d634da825f32
MD5 hash:
e3ed5e6a62ece3cf158688bce4161fbf
SHA1 hash:
5a8c4dddf69e8650952b0d29987cc6edfe25fb0b
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
ab9bb888f6235eaee1ad52cd9b4d1f960ea09743ff80919d0095383f3683c583
MD5 hash:
eff546ee925781db419befdf93bd045d
SHA1 hash:
1129b509403fa589b50310f99f77c69ecc7f8314
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
2e1af97bad2994cff581ef2d635b18f196dfbf59064419a65c9654b010616a48
MD5 hash:
2fd64b22d558fa7dd8515fbbe408c38c
SHA1 hash:
fac8bad77c09b6ed8248afe5e7aa3d0761b5122b
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
1bcb37743701239dae6f17b3a633cc5f9d15f9195d593e73821b3b5bf6b7be84
MD5 hash:
a7d32ba3114e58446a9a046e3169f82b
SHA1 hash:
d0f7b546bb3baf60a592a869ee9e0775c0dce561
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
3ac82c275c09d21438858d48eea37fe653d188a4ec4a783fad1ed022405f941b
MD5 hash:
99ce1ecb2cc198a8984618f53b786c00
SHA1 hash:
ce0cc43ea97bdaf7f6813047d6c2606e5d3f38de
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
9a1f1a9f448d94c8954b8004a4ff3e8405f8b18139f95d04f8d9b40c483e1b40
MD5 hash:
ce3a49b916b81a7d349c0f8c9f283d34
SHA1 hash:
a04ea42670fcf09fffbf7f4d4ac9c8e3edfc8cf4
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
51088d93d4d9295147726de8b39363fdeced7d442709e25cebd1a47548c28fae
MD5 hash:
812ec7e0bdb24116171db9ea961fcf65
SHA1 hash:
b3131a68477d0e987a16a6787cfd738299041309
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
23ca810f87cf793365067dddeba490a68c08eb535106c4108eca3952ee374837
MD5 hash:
5419d1a3d4977ff6b2403b71f15fbfe8
SHA1 hash:
d7d2270cfd19f0d69ca6789dc4aa45810aeda699
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
007383f92761d2df393bc8d085cbf8d5f6ad7890817685572158c6b5e0251435
MD5 hash:
f1d2659a72f06754cf3c66f743a7e833
SHA1 hash:
3550046fa9044a31caeb7e774d6928c44577c45f
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
85b8e246d2f55a00b61ddec70a297c00b3357ad262c43eebd94ce53ef3b698bf
MD5 hash:
f29fbae205c8a66ef925b434162a1e1b
SHA1 hash:
33b23646e864e588dab5d9aae9db059799d006dd
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
814a26d0bdf03c297858fd22d3b3df6425ca7e2b0c88921e0cb8a45fad73d744
MD5 hash:
27b96b978c060226e8bb794f6331016d
SHA1 hash:
70234ae45b1e0d712397197eec8fb4e8cfdaaf60
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
SH256 hash:
f7a805b251505433e34517da69eccb73955a424bb9d9061309091cf52c07a349
MD5 hash:
ca15de24c3fa60e90b343b7376808d1c
SHA1 hash:
e8004170f53ff94665f2ff97a97fb7a78d3a0a74
Link:
https://www.unpac.me/results/0c882e19-c21e-402e-841d-aa91797e2131/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f7a805b25150/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7a805b251505433e34517da69eccb73955a424bb9d9061309091cf52c07a349

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182049/

Comments