MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a9bec73980eb6774e0e50da9dd812551d20a7d839020976ebdc0fb93ed2ebf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: 0a9bec73980eb6774e0e50da9dd812551d20a7d839020976ebdc0fb93ed2ebf9
SHA3-384 hash: 388076a23cfd0f4eed6e37ffa09b94860e5133c3ab7a0465628bcb1f377a00fbe6d7d9b35d4251ea6684db8b5e0bcdd2
SHA1 hash: 69b699431dbbee3b6fd76d762a27db30f1f792b5
MD5 hash: 52c82f6ceb8cf41de8a4c01b313e3712
humanhash: happy-six-apart-magazine
File name: 52c82f6ceb8cf41de8a4c01b313e3712.exe
Signature RedLineStealer
File size: 2'672'128 bytes
First seen: 2024-12-15 08:10:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 47087efffcd29d4c0a6c8a29360deeec (1 x RedLineStealer, 1 x Amadey)
ssdeep 12288:CId+rFKcOyCwoXjMbTKLNhEpZ4m0vXQKQrxgbcv0NTR:7d+9CwoXjMbTUhgqm01cvkTR
TLSH T1C7C536C22381E096F297613EC01457F4DE6AACE5F225CD8B5290BE6E3A331C14BD7A57
TrID 41.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
21.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.8% (.EXE) Win64 Executable (generic) (10522/11/4)
6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 0f0f55969617170f (1 x RedLineStealer)
Reporter abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
408
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52c82f6ceb8cf41de8a4c01b313e3712.exe
Verdict:
Malicious activity
Analysis date:
2024-12-15 08:14:51 UTC
Tags:
payload loader crypto-regex

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
ransomware dropper emotet virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Sending an HTTP GET request to an infection source
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Creating a window
Searching for the window
Reading critical registry keys
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Sending an HTTP POST request to an infection source
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Babadeda, RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Babadeda
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1575318 (sample K6qneGSDSB.exe, start date 15/12/2024, architecture WINDOWS, score 100; the graph image is not reproduced here)
Process tree shown in the graph:
K6qneGSDSB.exe drops and starts C:\Users\user\AppData\Roaming\systemsx.exe (PE32+) and Grabber.exe (PE32)
systemsx.exe drops 616766F8886C145454191.exe (PE32+) and starts svchost.exe, audiodg.exe and msiexec.exe; svchost.exe injects into explorer.exe
explorer.exe connects to 185.81.68.147 port 1912 (KLNOPT-AS, Finland), drops DB9C.tmp.ssg.exe (PE32), 58B.tmp.zx.exe (PE32+) and 12DB.tmp.update.exe (PE32+) under AppData and starts them
58B.tmp.zx.exe drops unicodedata.pyd, ucrtbase.dll, select.pyd and 47 other files (7 malicious)
DB9C.tmp.ssg.exe queries WMI disk and video device information (Win32_DiskDrive, Win32_VideoController), harvests browser information and targets cryptocurrency wallets
Grabber.exe unpacks itself (overwrites its own PE header) and starts cmd.exe, which starts conhost.exe
Threat name:
Win64.Trojan.Nekark
Status:
Malicious
First seen:
2024-12-11 03:04:00 UTC
File Type:
PE+ (Exe)
Extracted files:
11
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline botnet:eewx discovery infostealer persistence pyinstaller spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
185.81.68.147:1912
Verdict:
Malicious
Tags:
Win.Trojan.Ulise-10037990-0
YARA:
n/a
Unpacked files
SHA256 hash:
0a17e2ca8f223de67c0864fac1d24c7bb2d0c796c46e9ce04e4dff374c577ea1
MD5 hash:
1bbc3bff13812c25d47cd84bca3da2dc
SHA1 hash:
d3406bf8d0e9ac246c272fa284a35a3560bdbff5
Detections:
ReflectiveLoader SUSP_XORed_MSDOS_Stub_Message INDICATOR_SUSPICIOUS_References_SecTools
SHA256 hash:
b3808d7cbfb5e0fb492e104bb5718234da87e5aa948be9ce15bedc4e231794f9
MD5 hash:
b59e033cd8e0c7d647f4c9605ad46111
SHA1 hash:
69d0a2dab0de7056d4083bb7e00e43d754823af4
SHA256 hash:
ed0da0e51c62f4a299e46017b3affa616495a89a5a8ddd365a81788f039bcd76
MD5 hash:
1ef4bf43cef27aa6dbc6b6c275878836
SHA1 hash:
47f5cb439ee5f78fe55865cf7228eae0e5041a91
Detections:
INDICATOR_SUSPICIOUS_ReflectiveLoader ReflectiveLoader
SHA256 hash:
0a9bec73980eb6774e0e50da9dd812551d20a7d839020976ebdc0fb93ed2ebf9
MD5 hash:
52c82f6ceb8cf41de8a4c01b313e3712
SHA1 hash:
69b699431dbbee3b6fd76d762a27db30f1f792b5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_SUSPICIOUS_References_SecTools
Author: ditekSHen
Description: Detects executables referencing many IR and analysis tools
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for Suspicious String and Import combination that Ransomware mostly abuse (can create FP)
Rule name: ReflectiveLoader
Author: Florian Roth (Nextron Systems)
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference: Internal Research
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW
