MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd21e7dddc8ed426971983f819be29e6fa123dcdfb19d87fbbbffa12c147188e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: fd21e7dddc8ed426971983f819be29e6fa123dcdfb19d87fbbbffa12c147188e
SHA3-384 hash: ab79ed83733f65c88980fca72023975664b0a80ea5c3366ecae6566ff7df28b90195ca461d5bf6c530cba8b4b63caf9d
SHA1 hash: 3ff75312b9eaebbcdd948ae248684ba30acce89f
MD5 hash: 0536674f9cfd8d69e044c17c83620f26
humanhash: fish-nitrogen-high-yankee
File name: 0536674f9cfd8d69e044c17c83620f26.exe
Signature: RedLineStealer
File size: 18'781'591 bytes
First seen: 2021-12-09 20:51:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 393216:JDTM99S8xpL8R8PKAcYkrapORbLD0dHTNJZA2QZguN:JDMgwpL8RVdYkWpOJOLw/
Threatray: 805 similar samples on MalwareBazaar
TLSH: T1EA17336CFDF2511AEA9416FA3675ADD560A3E70137390B0DD108D634A26EE0C23F399B
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://194.180.174.97/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://194.180.174.97/
ThreatFox reference: https://threatfox.abuse.ch/ioc/271545/

Intelligence


File Origin
# of uploads:
1
# of downloads:
231
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0536674f9cfd8d69e044c17c83620f26.exe
Verdict:
No threats detected
Analysis date:
2021-12-09 20:55:13 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Launching a process
Creating a window
Creating a process with a hidden window
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
overlay packed
Result
Verdict:
MALICIOUS
Result
Threat name:
Amadey RedLine SmokeLoader Socelars Vida
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Execution Of Other File Type Than .exe
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph (rendered as an image on the original page; the node labels recovered from it are listed below):
Behavior Graph ID: 537447
Sample: HkBVcXnUgp.exe
Startdate: 09/12/2021
Architecture: WINDOWS
Score: 100
Network contacts at the root: 94.140.113.21 (TELEMACHBroadbandAccessCarrierServicesSI, Latvia); 91.219.236.27 (SERVERASTRA-ASHU, Hungary); 12 other IPs or domains
Signatures at the root: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 23 other signatures
Process tree:
HkBVcXnUgp.exe
  drops: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  setup_installer.exe
    drops: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Tue16f9c874bc236a2e7.exe (PE32); C:\Users\user\AppData\...\Tue16f3997c90.exe (PE32); 27 other files (10 malicious)
    setup_install.exe
      signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
      cmd.exe
        Tue164c78797f0973.exe
          signatures: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
      cmd.exe
        Tue16f9c874bc236a2e7.exe
          network: 212.193.30.45 (SPD-NETTR, Russian Federation); 3 other IPs or domains
          signatures: Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
      cmd.exe
        signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
        powershell.exe
      11 other processes, whose children include:
        Tue16644589f7eb78c.exe
          drops: C:\Users\user\...\Tue16644589f7eb78c.tmp (PE32)
          signatures: Obfuscated command line found
        Tue16b937e9468a.exe
          network: 116.202.14.219 (HETZNER-ASDE, Germany); 159.69.92.223 (HETZNER-ASDE, Germany); 192.168.2.1 (unknown)
          drops: C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); 9 other files (none is malicious)
        Tue16c6014e8359c4ce0.exe
          signatures: Injects a PE file into a foreign processes
          Tue16c6014e8359c4ce0.exe (child instance)
        6 other processes
          network: 208.95.112.1 (TUT-ASUS, United States); 8.8.8.8 (GOOGLEUS, United States)
          drops: C:\Users\user\AppData\Local\Temp\11111.exe (PE32)
          signatures: Sample uses process hollowing technique
svchost.exe
  conhost.exe
svchost.exe
Threat name:
Win32.Trojan.Woreflint
Status:
Malicious
First seen:
2021-12-08 02:50:00 UTC
File Type:
PE (Exe)
Extracted files:
254
AV detection:
22 of 28 (78.57%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:amadey family:loaderbot family:redline family:socelars family:vidar botnet:03.12_build_3 aspackv2 discovery evasion infostealer loader miner spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Program crash
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft WebBrowserPassView
Nirsoft
Amadey
LoaderBot
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE CerberTear Ransomware CnC Checkin
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
185.215.113.35/d2VxjasuwS/index.php
45.9.20.221:15590
http://www.wgqpw.com/
Unpacked files
SHA256 hash:
6ecaba189f108ba0dc83214fa41e43307fdc79147717f2ac68cd832181db9666
MD5 hash:
70768beb1a282fc79ecf19a0a73286f5
SHA1 hash:
e40e4b259715e740c83e3cc27a5654ea3c7bfa37
SHA256 hash:
3d966268571cf0a83f327df99ffd7441ffe65ad098f1db2fff8dd6a5d5233796
MD5 hash:
541501763132091ca1571883622b2c81
SHA1 hash:
17f0073da00f8511abc7b4dd5d018f043c0c5489
SHA256 hash:
b56b333218590e42264e3c569891875e6e2c9955d322f2a1a940c53a09cefb63
MD5 hash:
d01a52c156a6a80dd6c12fa897159f94
SHA1 hash:
173411cd147973b6366c11bbbbf87bafcfa4403a
SHA256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
SHA256 hash:
29a3240cf1db2969ff7ebecf2f2a1017b6076cb6d2d39e7507c63d3875667a6d
MD5 hash:
a9aa93a92b10c07ed7c5154b39806df0
SHA1 hash:
b2e7e5d326c0a7756d3e8beaba623169c088c807
SHA256 hash:
3bb55b0de90de0cc651dba71c869675c4fb5cfd1b9b21bd4957f1680f7506f06
MD5 hash:
f9d056f1d085e83a64c8ef2ba5f3be52
SHA1 hash:
bf04d73f991d0e45d459a5341593524e4e498801
SHA256 hash:
b19104b568ca3ddccc2a8d3d10ecddb1ea240171e798dc3a486292cfa14b6365
MD5 hash:
7b0900da932f4ed9630d65b04422736d
SHA1 hash:
6fa340436e3a8e73ae2b3e911f861483183c68ef
SHA256 hash:
9c1421eae9bae987215a9726d8577d0a9307831929cec7dd5aee02602d81825f
MD5 hash:
b6ae2bd794fd8fa5a0c7d06ec4a24dae
SHA1 hash:
b448b3606fbcc7c3265821a059d1a3809548be43
SHA256 hash:
3dfaf7011ead17be2757d0872e2f9babfeb16353f72011e31586822bffe7b635
MD5 hash:
0849298189ef3ab451eba13e46df2caa
SHA1 hash:
762fa39ba4fb594504ba0881b799ce36fc932c5e
SHA256 hash:
a684b438d98dbecc0ecd32bebe42f8ea8a5f7b023594596218051c79bcba2caa
MD5 hash:
167247f3ee18593f2476746e90eb08ac
SHA1 hash:
e9671e1e8b896ee792a2739bdb266d9394c9d5a7
SHA256 hash:
704c0c111d0c12b3b69b7a3a4e79b1cf47681d1c647d68bf257322e6e31a4800
MD5 hash:
a449a6ffe006c9007847ff265074cdb8
SHA1 hash:
df7362987d48c01f7296fcb7a1c96adb7c0c7dbc
SHA256 hash:
ee2cc85a8e1972a29ce67ab0218d5daa8fc9b67f36111c71eccaf6da05219d19
MD5 hash:
f6271f82a952f96ba9271a4a27c9f22f
SHA1 hash:
d12708b9e39a0cd06add96316b65f1668d6a1246
SHA256 hash:
451c693481de62b1a2768050df0e7aba4d7eaa2c70ef924ccc5992f947d27b70
MD5 hash:
2fa2b1760a549b8a8988fbf66c0204ab
SHA1 hash:
cf0a32127dd6d688fbebd56f6c2b672455b5683d
SHA256 hash:
ec6745a1c965f233999a896b9205c025861e9597e0eabbe2e303a416ed2b4989
MD5 hash:
8fd106bb3271e40da4c46ec62c854f3a
SHA1 hash:
92a3c0151b8b8a76a539c997a7dac84240d41b34
SHA256 hash:
64f55d5e15b9dbbb0d6e16ffb9aceaee91ee440beef80e4cd1b74b0ded11c7c1
MD5 hash:
1404f942070e57b2ef0b6b3693f730be
SHA1 hash:
7ef83b925afb34c52627b66ad960400fbc1bf776
SHA256 hash:
37044dc3f94c920290c4ff39dd1fe0920b017ccdfe596862e8cc4e5324602322
MD5 hash:
5c88bc74f624f8035b756fad5878a846
SHA1 hash:
6df96a6ba61fb64160dcb67f3085b0bebb2a5e0d
SHA256 hash:
29abe81ce0fa83841359c8730469f3e9f68466e0e803c5e6e269a2667d7612d5
MD5 hash:
f5f4179714531e3e7240cb09466fa737
SHA1 hash:
67eba2eb0f806036c1d9a69382bc9fbeae3977b6
SHA256 hash:
72d45867268468be77b9b12ef1ae4c826e369cf6eb7093dfea61d86dc1e6b2df
MD5 hash:
f177b4503990f5c6c38db2d3c5e63d3f
SHA1 hash:
6696ade4760090fe7f24f3a7acfe58f7e49effc9
SHA256 hash:
2315313c48d21bee5b03dfebcb7897f290deadcfb99eb916b5f0b86f13e0b44f
MD5 hash:
86d623ed32cbbf3f6b24e42766e1230e
SHA1 hash:
413ec6f3bc87aac1af1a32ad2d03dff558a48287
SHA256 hash:
53a13d9b85c62c225f80677e7e84f0e4b3980c0695a7606212176326f2ee72e0
MD5 hash:
ba4548a88c431f3b9e3777e165a62f60
SHA1 hash:
412ca7d19a5bbc44fe0382a59f1bbae0eb1be44d
SHA256 hash:
02fe69b9b9b37b2bb32f47ca2115a2f2a17a0cf182efb981cb29395cb18bd2c1
MD5 hash:
73991d455f432ff79ea0716c5f5d3525
SHA1 hash:
3fb4183f387e0cc43e090da5b2732ea451c5d3ce
SHA256 hash:
2d8cd533e30132fc8c70e8d981a8cb8d157851840c0e1e1e18af33a99d265001
MD5 hash:
702456677ddc7a0dc847d947b09fbed0
SHA1 hash:
3dd326877676c2037c758c1222c5bfbc26417d21
SHA256 hash:
32003c7e5625a458c5a8ae7d95cd5ceb2f480070caef23bd7dd0a5e9ed253287
MD5 hash:
2204b3394618855ee4bdf56d0e78fa9d
SHA1 hash:
158cf5ffd362143d64d8bbd696974e93c708ec61
SHA256 hash:
fb8dc0272a15b72acb0e9e4836ef4db6b888baae8ee9c40340284cbf802f3675
MD5 hash:
87a1f1791f691c79ccfee34459131f5b
SHA1 hash:
0d3e3375456dc80a57707be394e5facb3d9537bd
SHA256 hash:
ae4d7ba3d74a6c5a8070895c847de7df443ecad93fccd5e6bf1cb05877c8435a
MD5 hash:
962551598d1b3373e5fe3f0fa3547a6e
SHA1 hash:
0b54aaab01d64285e0d1d5d5ce2d8d746dbd59c5
SHA256 hash:
3e627ea5a0a3ed72c6f60b3a9c3ee0a2264cc22178ea20aba1cedb43919a60e3
MD5 hash:
ebfee6765c7e448e3ea21b40550d1a70
SHA1 hash:
08464d94727b3a9f523b93ddbaf21191c65214e5
SHA256 hash:
840b106054cbe6b56c2fdc588abb8e006543d90848d0fbe68f6871ce010da418
MD5 hash:
ab5c4d4688dd1eacf5ae0dc3b3a738fe
SHA1 hash:
04b8cee430991d3dc77bbe031479a472548c6b6f
SHA256 hash:
ee821f8bf24cec68cced8a322129e322a9e5a20f2d92dd2f0b0827aff4711343
MD5 hash:
5eda69604c85537ab3fbaf77da60b2cb
SHA1 hash:
5d0a8f3efa0b26f52fe36eac2583ac419b6dd11d
SHA256 hash:
6637fa5c8da4174619214058cf04c754591befb3cc0e6f4ddc996e0447da3bfd
MD5 hash:
8b3fe1cc77f59723fe643026a5486479
SHA1 hash:
a231292f57de9bfa4f5940e293eb332cd78fdd71
SHA256 hash:
2a2d97ed995a689a4231d4308e484903b973061e85f35de3b4224557d403e398
MD5 hash:
dfb3412feba2b75e8bfc06adcb391d8f
SHA1 hash:
4d5b1715c56ddca647d6222c60e6ab19eeb5e0b4
SHA256 hash:
fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b
MD5 hash:
a6865d7dffcc927d975be63b76147e20
SHA1 hash:
28e7edab84163cc2d0c864820bef89bae6f56bf8
SHA256 hash:
9c00e935a41bb1dc0b2b65ac18c0a1be05bdc555676e7eb8a830590b52e55436
MD5 hash:
e7526d8f9a8f888b75b85f9a1ebae3dc
SHA1 hash:
79ca1cbf3184302db8defa924c43295106021c7e
SHA256 hash:
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash:
ded1c6e8c89148495fc19734e47b664d
SHA1 hash:
3a444aeacd154f8d66bca8a98615765c25eb3d41
SHA256 hash:
63525b0c1ef894632109c3169876b9e2ce728e38ed7f7c574021d5261d56e502
MD5 hash:
ff9b14f4f607a81117cc58916332262e
SHA1 hash:
aed4fe230075f2a067e4ac61fac117aaeb5ef6f9
SHA256 hash:
f626bc08a1c21505a4a4ba76a7d6da276f759f899ad7f96ddfd6e1ca977d2117
MD5 hash:
173084c01e13712c00cfff0b2b4de63b
SHA1 hash:
1fa8e3e149fa202077ce1f9decf75ca18e8a61fb
SHA256 hash:
434799cf25de143db91316c7fbb713631b962aed2cbf876d5baa82a5d0f5c00a
MD5 hash:
55b9ab29c5de09546e2121b9f750ddd6
SHA1 hash:
9042ccb622ab44a4f1c31267cc59d00c3094ea6c
SHA256 hash:
d56a0450ea708d58753324f01c8e9ba24dc93494bfd4107ed7d850fbe5e95acc
MD5 hash:
80431bf76d03002a6c553041ddba7c8f
SHA1 hash:
0a320ee817978db2ac51a5e079dfb5c10aa0c10b
SHA256 hash:
c33cee5db25273131e8e696065eebe00ed148938004aa2c7863df21a5cfa2473
MD5 hash:
47ab95e5e377f382c52d17d88930eae0
SHA1 hash:
3499aa5fd3076ddbb04d439c0f184f6d6184f6a6
SHA256 hash:
17eba5a8fc60b5e62fbbea29e971691988da98a98db3a2c2bf9aad00b1b72dc4
MD5 hash:
e74d9b73743dfbb9f025a7908c85da37
SHA1 hash:
8a5b323b090cb0d2c4ff59f0ef520d323dd86097
SHA256 hash:
058eee72daf356ab2a5c51775def331426412751e8de46bef3ebcac1b0c8188a
MD5 hash:
ba5dca559ed220d4de9a67ce74d752a6
SHA1 hash:
3188bad504e71515ec9efde748922d5488ef2388
SHA256 hash:
fd21e7dddc8ed426971983f819be29e6fa123dcdfb19d87fbbbffa12c147188e
MD5 hash:
0536674f9cfd8d69e044c17c83620f26
SHA1 hash:
3ff75312b9eaebbcdd948ae248684ba30acce89f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: crime_ZZ_botnet_aicm
Author: imp0rtp3
Description: DDoS Golang Botnet sample for linux called 'aicm'
Reference: https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author: ditekSHen
Description: Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: UroburosVirtualBoxDriver
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments