MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07d9c545911c8004ac3531f9a57660df5003cd841bbdad10de816481c6e5410e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07d9c545911c8004ac3531f9a57660df5003cd841bbdad10de816481c6e5410e
SHA3-384 hash: ff888146aa497a9e42dbc9acb2fcc02eb0610383401081d06e1008a57383dfd138bfd72cc3465c0b6691ad5901f47d33
SHA1 hash: df0103a952c1696a8cc4a046aed75a2f3a7d087c
MD5 hash: 271a4c33fd920b3211b862e0527af2a5
humanhash: grey-eleven-alabama-summer
File name:271a4c33fd920b3211b862e0527af2a5
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'097'216 bytes
First seen:2023-09-08 05:24:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:ay64o/TNCfi9sDhBpl0vYfhFrpWfpemg:hM/TMfV/pl0gZPMAm
Threatray 1'894 similar samples on MalwareBazaar
TLSH T187352322A3D06432E4B59BB01CF603C70B35FC916E7087AB3795951E4DB2B50A936B3B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
271a4c33fd920b3211b862e0527af2a5
Verdict:
Suspicious activity
Analysis date:
2023-09-08 05:27:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf833fde-aea2-4515-aad8-58f43ec10af7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447332/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Launching a service
Creating a file
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/07d9c545911c8004ac3531f9a57660df5003cd841bbdad10de816481c6e5410e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/895d2ab1-4303-40e0-a8c1-086d8b3150b8
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1305926
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1305926 Sample: y8cvtLEMhI.exe Startdate: 08/09/2023 Architecture: WINDOWS Score: 100 127 tse1.mm.bing.net 2->127 139 Snort IDS alert for network traffic 2->139 141 Found malware configuration 2->141 143 Malicious sample detected (through community Yara rule) 2->143 145 12 other signatures 2->145 14 y8cvtLEMhI.exe 1 4 2->14         started        17 explonde.exe 2->17         started        19 rundll32.exe 2->19         started        21 3 other processes 2->21 signatures3 process4 file5 115 C:\Users\user\AppData\Local\...\z1851821.exe, PE32 14->115 dropped 117 C:\Users\user\AppData\Local\...\w2820516.exe, PE32 14->117 dropped 23 z1851821.exe 1 4 14->23         started        process6 file7 103 C:\Users\user\AppData\Local\...\z6212780.exe, PE32 23->103 dropped 105 C:\Users\user\AppData\Local\...\u5534145.exe, PE32 23->105 dropped 159 Antivirus detection for dropped file 23->159 161 Multi AV Scanner detection for dropped file 23->161 163 Machine Learning detection for dropped file 23->163 27 z6212780.exe 1 4 23->27         started        signatures8 process9 file10 107 C:\Users\user\AppData\Local\...\z0231406.exe, PE32 27->107 dropped 109 C:\Users\user\AppData\Local\...\t4317340.exe, PE32 27->109 dropped 165 Antivirus detection for dropped file 27->165 167 Machine Learning detection for dropped file 27->167 31 z0231406.exe 1 4 27->31         started        35 t4317340.exe 27->35         started        signatures11 process12 file13 121 C:\Users\user\AppData\Local\...\z5524089.exe, PE32 31->121 dropped 123 C:\Users\user\AppData\Local\...\s4009633.exe, PE32 31->123 dropped 135 Antivirus detection for dropped file 31->135 137 Machine Learning detection for dropped file 31->137 37 z5524089.exe 1 4 31->37         started        41 s4009633.exe 31->41         started        125 C:\Users\user\AppData\Local\...\legota.exe, PE32 35->125 dropped 44 legota.exe 35->44         started        signatures14 process15 dnsIp16 95 C:\Users\user\AppData\Local\...\r6710328.exe, PE32 37->95 dropped 97 C:\Users\user\AppData\Local\...\q0048618.exe, PE32 37->97 dropped 147 Antivirus detection for dropped file 37->147 149 Machine Learning detection for dropped file 37->149 46 r6710328.exe 3 37->46         started        50 q0048618.exe 1 37->50         started        129 77.91.124.82, 19071, 49714 ECOTEL-ASRU Russian Federation 41->129 151 Multi AV Scanner detection for dropped file 41->151 153 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->153 155 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 41->155 157 Tries to harvest and steal browser information (history, passwords, etc) 41->157 131 77.91.68.78, 49748, 49749, 49751 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 44->131 99 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 44->99 dropped 101 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 44->101 dropped 52 cmd.exe 44->52         started        54 schtasks.exe 44->54         started        56 rundll32.exe 44->56         started        file17 signatures18 process19 file20 119 C:\Users\user\AppData\Local\...\explonde.exe, PE32 46->119 dropped 181 Antivirus detection for dropped file 46->181 183 Machine Learning detection for dropped file 46->183 58 explonde.exe 17 46->58         started        185 Multi AV Scanner detection for dropped file 50->185 187 Contains functionality to inject code into remote processes 50->187 189 Writes to foreign memory regions 50->189 191 2 other signatures 50->191 63 AppLaunch.exe 9 1 50->63         started        65 WerFault.exe 23 9 50->65         started        67 conhost.exe 50->67         started        69 conhost.exe 52->69         started        71 cmd.exe 52->71         started        73 cacls.exe 52->73         started        77 4 other processes 52->77 75 conhost.exe 54->75         started        signatures21 process22 dnsIp23 133 77.91.68.52, 49712, 49713, 49715 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 58->133 111 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 58->111 dropped 113 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 58->113 dropped 169 Antivirus detection for dropped file 58->169 171 Creates an undocumented autostart registry key 58->171 173 Machine Learning detection for dropped file 58->173 175 Uses schtasks.exe or at.exe to add and modify task schedules 58->175 79 cmd.exe 58->79         started        81 schtasks.exe 58->81         started        83 rundll32.exe 58->83         started        177 Disable Windows Defender notifications (registry) 63->177 179 Disable Windows Defender real time protection (registry) 63->179 file24 signatures25 process26 process27 85 conhost.exe 79->85         started        87 cmd.exe 79->87         started        89 cacls.exe 79->89         started        93 4 other processes 79->93 91 conhost.exe 81->91         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07d9c545911c8004ac3531f9a57660df5003cd841bbdad10de816481c6e5410e/
Threat name:
Win32.Trojan.Plugx
Create hunting rule
Status:
Malicious
First seen:
2023-09-08 05:25:06 UTC
File Type:
PE (Exe)
Extracted files:
193
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7m4krmrdsaajlbvgh42k5ta35iahtmedo622eg6qfsidrxfieha._file
Verdict:
malicious
Similar samples:
0391a506cb7415cea3ce31589bd12a5c724eb16e8b4f923aa9fefc7eb48b1ccb
RedLineStealer
134d00e4db5cd67b9541db642d43e890de20175bc4b55445c3007e5a02b5a238
RedLineStealer
26918e9ba064d1103201e95f3365ce9fc0106b12f5faea3c5f0bbfbc226d2850
RedLineStealer
49b2c4652c7c95e8786bc270aee1d8384c75a7164f0f3df0baae7fdab571a347
RedLineStealer
4b99a608a3e190a4198c2ef97805fe9af771df6c2e217e06b8e3f49c6daa2ef7
RedLineStealer
545b0788b07c9c9820390f0057e9830cf18a4b4ca2140b11c459509838a927bd
RedLineStealer
83890d88f756c2fa05e683e88a06062ce4dbbeefaf74c0241badb294c14b0aeb
RedLineStealer
f289dc187746f60222a915c4d520ef035da75b6a6fd7e569ed111aab07bd8856
RedLineStealer
f793e51ce11573edeba45c9ae5c3d7257b6c40a271bc9c4dd15173af08719020
RedLineStealer
facfc6f7f10b4282f97e89cbcd49b96c7db5962a8b50d7561739b7026682a424
RedLineStealer
+ 1'884 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:healer family:redline botnet:mrak dropper evasion infostealer persistence trojan
Link:
https://tria.ge/reports/230908-f4ae2agh7x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
77.91.68.52/mac/index.php
77.91.124.82:19071
Unpacked files
SH256 hash:
5f5b38f7cb767f7125bcd91ddf1aab399ae6126c6941daf9fce1939852625ddd
MD5 hash:
747845c7d3e92aa02820fdaea1742a90
SHA1 hash:
7587a96682207044d265fbfd140c26ea405e63ab
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/e216981c-d1ea-4bc7-b583-0441a151f735/
Parent samples :
75ff95a6deb24eabfb5851714523f832ead06e9d19c2d2c5ae808463403f169d
07d9c545911c8004ac3531f9a57660df5003cd841bbdad10de816481c6e5410e
SH256 hash:
0013d20575de6df7b1e0b8c4745f9e6f56835f9ebe6cd5dab09a18e17e910bdf
MD5 hash:
27b908b7e95f1bce1ed95398ab8c90ee
SHA1 hash:
b8a41f21c7e757a20cde41eb77dc90f9e554e69d
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/e216981c-d1ea-4bc7-b583-0441a151f735/
SH256 hash:
6cd22f9815d884802a20deee2d64104c1839f68d2c5a867d0282e0f54986654b
MD5 hash:
22529a6672ca2df35b7d1de387fc51e5
SHA1 hash:
8d13ed1c5d12084e26499e52ba9b004d56cfa631
Link:
https://www.unpac.me/results/e216981c-d1ea-4bc7-b583-0441a151f735/
SH256 hash:
07d9c545911c8004ac3531f9a57660df5003cd841bbdad10de816481c6e5410e
MD5 hash:
271a4c33fd920b3211b862e0527af2a5
SHA1 hash:
df0103a952c1696a8cc4a046aed75a2f3a7d087c
Link:
https://www.unpac.me/results/e216981c-d1ea-4bc7-b583-0441a151f735/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/07d9c545911c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07d9c545911c8004ac3531f9a57660df5003cd841bbdad10de816481c6e5410e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:mal_healer
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:Payload disabling Windows AV
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 07d9c545911c8004ac3531f9a57660df5003cd841bbdad10de816481c6e5410e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447332/

Comments


Avatar
zbet commented on 2023-09-08 05:24:43 UTC

url : hxxp://77.91.68.52/file/lega.exe