MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
SHA3-384 hash: e54809223cddd78c20fb9eabed433a17f6be211326631f07150b82e0c01f959b556be4c5574d8aaa3ff363f682228dd9
SHA1 hash: 4e63843e9c51f907952bb2f51d6b3866f81f7bd6
MD5 hash: 34807a743f2d680eef051852eaef0b16
humanhash: diet-music-north-rugby
File name:34807a743f2d680eef051852eaef0b16.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'288'512 bytes
First seen:2024-12-27 07:17:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 98304:G1EESMlQ/9IsCMdegeFbD+dQ5oVOAoso2iFugO+Nthm5mBF:G1EEP42s1cgzKoVK2iFtOWHmOF
TLSH T10B163312A9DE59B2E03A29319018B35B84B58F155B404BA347F93D3F0A709E9DB3F2D7
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 00c896968eaaa200 (2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
412
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
34807a743f2d680eef051852eaef0b16.exe
Verdict:
Malicious activity
Analysis date:
2024-12-27 07:21:04 UTC
Tags:
autoit stealer github
Link:
https://app.any.run/tasks/305c1a4b-de5b-45d3-a699-62fcdb4dd740

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Valyria-10040891-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Doina.16573.10452.10137.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=676e54ac8a4d48ee35ffebc3
Tags:
valyria autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer keylogger microsoft_visual_cc overlay packed packer_detected
Link:
https://www.filescan.io/uploads/676e54aca561e5a2873add25/reports/8f0a2327-a8bb-48b9-b557-3df0c5cf4e07/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88fca584-a8d0-4495-9f5a-ff29d96b6830
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1581194
Signature
Adds a directory exclusion to Windows Defender
Adds a new user with administrator rights
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides user accounts
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Add User to Remote Desktop Users Group
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1581194 Sample: 8lOT1rXZp5.exe Startdate: 27/12/2024 Architecture: WINDOWS Score: 100 143 lYvskCQZEcQueZ.lYvskCQZEcQueZ 2->143 145 bDbFlwFKtaJzIIkBijTv.bDbFlwFKtaJzIIkBijTv 2->145 147 3 other IPs or domains 2->147 171 Found malware configuration 2->171 173 Malicious sample detected (through community Yara rule) 2->173 175 Antivirus detection for URL or domain 2->175 177 12 other signatures 2->177 14 8lOT1rXZp5.exe 11 2->14         started        17 wscript.exe 2->17         started        21 wscript.exe 2->21         started        signatures3 process4 dnsIp5 205 Found many strings related to Crypto-Wallets (likely being stolen) 14->205 207 Contains functionality to register a low level keyboard hook 14->207 23 cmd.exe 1 14->23         started        26 makecab.exe 1 14->26         started        141 raw.githubusercontent.com 185.199.111.133, 443, 49842 FASTLYUS Netherlands 17->141 125 C:\Program Files\RDP Wrapper\rdpwrap.bat, exported 17->125 dropped 209 System process connects to network (likely due to code injection or exploit) 17->209 211 Wscript starts Powershell (via cmd or directly) 17->211 213 Windows Scripting host queries suspicious COM object (likely to drop second stage) 17->213 28 cmd.exe 17->28         started        127 C:\Users\user\AppData\...\BACCrSAh.bat, DOS 21->127 dropped 30 cmd.exe 21->30         started        file6 signatures7 process8 signatures9 179 Wscript starts Powershell (via cmd or directly) 23->179 181 Obfuscated command line found 23->181 183 Uses ping.exe to sleep 23->183 185 6 other signatures 23->185 32 cmd.exe 7 23->32         started        36 conhost.exe 23->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        42 fsutil.exe 28->42         started        44 cmd.exe 30->44         started        46 cmd.exe 30->46         started        48 conhost.exe 30->48         started        process10 file11 117 C:\Users\user\AppData\Roaming\...\Uno.exe.com, PE32 32->117 dropped 119 C:\Users\user\AppData\...\Rifiutare.exe.com, PE32 32->119 dropped 121 C:\Users\user\AppData\...\Inebriato.exe.com, PE32 32->121 dropped 123 C:\Users\user\AppData\Roaming\...\R, ASCII 32->123 dropped 165 Obfuscated command line found 32->165 167 Uses ping.exe to sleep 32->167 50 Inebriato.exe.com 32->50         started        53 Rifiutare.exe.com 32->53         started        55 Uno.exe.com 32->55         started        61 4 other processes 32->61 57 WMIC.exe 44->57         started        59 WMIC.exe 46->59         started        signatures12 process13 dnsIp14 169 Found API chain indicative of sandbox detection 50->169 64 Inebriato.exe.com 50->64         started        67 Rifiutare.exe.com 1 53->67         started        70 Uno.exe.com 55->70         started        149 127.0.0.1 unknown unknown 61->149 signatures15 process16 file17 151 Writes to foreign memory regions 64->151 153 Injects a PE file into a foreign processes 64->153 72 RegAsm.exe 64->72         started        129 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 67->129 dropped 155 Found many strings related to Crypto-Wallets (likely being stolen) 67->155 76 RegAsm.exe 15 2 67->76         started        78 RegAsm.exe 70->78         started        signatures18 process19 file20 135 C:\Users\user\AppData\...\UILIklkzCJ.bat, DOS 72->135 dropped 137 C:\Users\user\AppData\Roaming\UeNuQ\578.vbs, ASCII 72->137 dropped 139 C:\Users\user\AppData\Roaming\...\1186.vbs, Unicode 72->139 dropped 187 Modifies Windows Defender protection settings 72->187 189 Adds a directory exclusion to Windows Defender 72->189 80 cmd.exe 72->80         started        83 cmd.exe 72->83         started        85 cmd.exe 72->85         started        87 7 other processes 72->87 191 Potential malicious VBS script found (suspicious strings) 76->191 193 Potential malicious VBS script found (has network functionality) 76->193 195 Tries to harvest and steal browser information (history, passwords, etc) 78->195 signatures21 process22 signatures23 157 Wscript starts Powershell (via cmd or directly) 80->157 159 Adds a directory exclusion to Windows Defender 80->159 89 powershell.exe 80->89         started        92 conhost.exe 80->92         started        94 powershell.exe 83->94         started        96 conhost.exe 83->96         started        161 Modifies Windows Defender protection settings 85->161 98 powershell.exe 85->98         started        100 conhost.exe 85->100         started        163 Adds a new user with administrator rights 87->163 102 cscript.exe 87->102         started        105 powershell.exe 87->105         started        107 18 other processes 87->107 process24 file25 197 Loading BitLocker PowerShell Module 89->197 131 C:\Users\user\AppData\Roaming\UeNuQ\939.vbs, ASCII 102->131 dropped 199 Potential malicious VBS script found (suspicious strings) 102->199 201 Potential malicious VBS script found (has network functionality) 102->201 133 C:\Users\user\AppData\Roaming\UeNuQ\RBV.dll, XML 107->133 dropped 203 Hides user accounts 107->203 109 WMIC.exe 107->109         started        111 WMIC.exe 107->111         started        113 net1.exe 107->113         started        115 3 other processes 107->115 signatures26 process27
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca/
Threat name:
Win32.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2024-12-22 21:28:45 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akqzhkqmxx5ofvj6onbrkapnwsrghqixnts4xs2oaptfu4g7fhfa._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
rdpwrap
Create hunting rule
Similar samples:
error
RedLineStealer
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:adsbb defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat spyware stealer trojan
Link:
https://tria.ge/reports/241227-h4yhzasrgm/
Behaviour
Delays execution with timeout.exe
Runs net.exe
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Hide Artifacts: Hidden Users
Suspicious use of SetThreadContext
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Password Policy Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies RDP port number used by Windows
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Malware Config
C2 Extraction:
21jhss.club:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1cf59ebf-1b15-4694-83c5-5c483f684905
Unpacked files
SH256 hash:
215fc8b681f44070baa532694e9ef1bd02dc1ef7726bd35af783d141041b6ba0
MD5 hash:
20bfad7f29a069cc157e80e5b8cbf8d2
SHA1 hash:
ca3dac09d89c55977c876b99c3c82b32ab88e9ae
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/bd4d742b-8dd7-4451-b855-38165d4033b0/
Parent samples :
42edc53eec43edfe500967882f8e7f7e787614223466817b25d71565fdf3b49c
02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
SH256 hash:
02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
MD5 hash:
34807a743f2d680eef051852eaef0b16
SHA1 hash:
4e63843e9c51f907952bb2f51d6b3866f81f7bd6
Link:
https://www.unpac.me/results/bd4d742b-8dd7-4451-b855-38165d4033b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA
USER32.dll::CreateWindowExW

Comments