MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0adf4ceabac0411e7c0760e5156b9b1e59e7da10ddc7c4490ae67f3f323f752d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0adf4ceabac0411e7c0760e5156b9b1e59e7da10ddc7c4490ae67f3f323f752d
SHA3-384 hash: ef797c97579a6021f56c9ecbaf993ca64fff583ce6fb239be0152441c0f9eeb39bc61afd4a22b65f2869f8653cacb072
SHA1 hash: 9f63acc82d0d979c81a5f2d281237024a7a0c7f1
MD5 hash: 1111c4fcc0071594b415e959f1b66729
humanhash: green-angel-twenty-wolfram
File name:1111c4fcc0071594b415e959f1b66729.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'077'696 bytes
First seen:2023-07-06 17:05:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:Th+ZkldoPK8YavqqJwn8Q0Q5FDZHHFRu/Qt:c2cPK8Vyn8Qbdu
Threatray 119 similar samples on MalwareBazaar
TLSH T145A5E0027395C036FFAA9273DB69F2B14ABD7D658123852F13983D7AB9701B1123D263
TrID 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 014decc84d4d7133 (4 x RedLineStealer, 1 x DCRat, 1 x QuasarRAT)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.106.92.84:3626

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
1111c4fcc0071594b415e959f1b66729.exe
Verdict:
Malicious activity
Analysis date:
2023-07-06 17:08:28 UTC
Tags:
rat redline asyncrat
Link:
https://app.any.run/tasks/24faa6b9-bb85-4995-9747-cbd2026c885f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/410123/
Detection(s):
Win.Packed.Lazy-9958163-0
Create hunting rule

Win.Packed.Clipbanker-9964524-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Searching for the window
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file
Launching a process
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Query of malicious DNS domain
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96054/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckNumberOfProcessor
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit control greyware keylogger lolbin packed shell32
Link:
https://www.filescan.io/uploads/64a6f47b60057e5006846650/reports/4bf088c1-e3e0-428e-a6eb-470861c14a33/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/0adf4ceabac0411e7c0760e5156b9b1e59e7da10ddc7c4490ae67f3f323f752d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41645250-c368-490f-90ba-ba0cb4824c44
Result
Threat name:
AsyncRAT, RedLine, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1268383
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1268383 Sample: 6RE0uo6R38.exe Startdate: 06/07/2023 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 12 other signatures 2->64 8 6RE0uo6R38.exe 6 2->8         started        12 Updater.exe 2->12         started        process3 file4 36 C:\Users\user\AppData\Roaming\...\BLTools.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Roaming\...\123.exe, PE32 8->38 dropped 66 Binary is likely a compiled AutoIt script file 8->66 14 123.exe 15 6 8->14         started        19 BLTools.exe 2 8->19         started        68 Writes to foreign memory regions 12->68 70 Allocates memory in foreign processes 12->70 72 Injects a PE file into a foreign processes 12->72 21 AppLaunch.exe 12->21         started        23 WerFault.exe 12->23         started        signatures5 process6 dnsIp7 44 185.106.92.84, 3626, 4449, 49702 SUPERSERVERSDATACENTERRU Russian Federation 14->44 46 bitbucket.org 104.192.141.1, 443, 49704 AMAZON-02US United States 14->46 48 3 other IPs or domains 14->48 42 C:\Users\user\AppData\Roaming\sys.exe, PE32 14->42 dropped 50 Antivirus detection for dropped file 14->50 52 Multi AV Scanner detection for dropped file 14->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->54 56 4 other signatures 14->56 25 sys.exe 1 14->25         started        29 WerFault.exe 24 9 19->29         started        file8 signatures9 process10 file11 40 C:\Users\user\AppData\Roaming\...\Updater.exe, PE32 25->40 dropped 74 Multi AV Scanner detection for dropped file 25->74 76 Drops PE files to the startup folder 25->76 78 Writes to foreign memory regions 25->78 80 2 other signatures 25->80 31 AppLaunch.exe 4 25->31         started        34 WerFault.exe 25->34         started        signatures12 process13 signatures14 82 Queries memory information (via WMI often done to detect virtual machines) 31->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0adf4ceabac0411e7c0760e5156b9b1e59e7da10ddc7c4490ae67f3f323f752d/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-04 03:40:22 UTC
File Type:
PE (Exe)
Extracted files:
117
AV detection:
18 of 22 (81.82%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=blpuz2v2ybar47ahmdsrk243dzm6pwqq3xd4isik4z7t6mr7ouwq._file
Verdict:
malicious
Similar samples:
2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf
RedLineStealer
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
RedLineStealer
3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
RedLineStealer
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
RedLineStealer
7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c
RedLineStealer
bf1bd7d13b353fcfcfac7fb3735575afb0a20eb6a5a3fd3b25ee95e91bcedd3d
RedLineStealer
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
RedLineStealer
e0e267a1da22b796f4f8a7b84a81d0f0a461183cdc03d267a75e34d9fc497ccd
RedLineStealer
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
RedLineStealer
+ 109 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline botnet:systemer botnet:telegrams discovery infostealer rat spyware stealer
Link:
https://tria.ge/reports/230706-vmdtfsed8z/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Async RAT payload
AsyncRat
RedLine
Malware Config
C2 Extraction:
185.106.92.84:3626
185.106.92.84:4449
Unpacked files
SH256 hash:
f5ca972606fcf08daf338861847021dec077ef8d725091f7814bc84b3e06898d
MD5 hash:
cd11424327d6371775919f3d5b7c1401
SHA1 hash:
e72445c8a8dd86e192dc570cf6e8a9c0d9fa8898
Link:
https://www.unpac.me/results/2bce64e7-b42c-44ab-b48b-715d3a5cc8cf/
SH256 hash:
0adf4ceabac0411e7c0760e5156b9b1e59e7da10ddc7c4490ae67f3f323f752d
MD5 hash:
1111c4fcc0071594b415e959f1b66729
SHA1 hash:
9f63acc82d0d979c81a5f2d281237024a7a0c7f1
Link:
https://www.unpac.me/results/2bce64e7-b42c-44ab-b48b-715d3a5cc8cf/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0adf4ceabac0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0adf4ceabac0411e7c0760e5156b9b1e59e7da10ddc7c4490ae67f3f323f752d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/410123/

Comments