MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: 0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c
SHA3-384 hash: 8096dd3b6f041af5abf7602fbaee1c40fa9e00a075a184865c9451b60073d1709bda439e2df955ac5bf2768ce730a6d0
SHA1 hash: 02bc5d590f413c10f1846eaad45db40b425351e6
MD5 hash: 58fc32b8dd5fecda153ec0275ac5ac85
humanhash: tennessee-papa-sodium-pizza
File name: 58fc32b8dd5fecda153ec0275ac5ac85.exe
Signature RedLineStealer
File size: 2'242'568 bytes
First seen: 2023-07-19 20:01:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 49152:2VRZIgNvEao5vRe22qrB2f2e5OUbR1S6LPYp39U0Ul/BlnjyHIG/L5LCOPA1:2VRZIgNvEao5vRe22qrB2f2e5OUb9gp2
Threatray 516 similar samples on MalwareBazaar
TLSH T143A5D0507F18C901E5B86931EAAAC2EC4BB03C433EB1D10B6E907A8DD5747E67F09697
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon 98f8b8b89b8a8c8c (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer
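The imphash above is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples for a structural reason, not because the families are related: TrID identifies this as a .NET (CIL) executable, and a managed PE imports a single native symbol (mscoree!_CorExeMain or _CorDllMain), so the import hash of almost every .NET binary collapses to the same value. The Python below is an added example, not MalwareBazaar code: it computes the digests listed on this page and checks for a CLR header (data directory 14, the COM descriptor) before treating imphash as a clustering key. To run offline it builds a constructed minimal PE in memory; build_minimal_pe, is_dotnet_pe, triage_hashes and triage are my own helper names, and the offsets come from the PE/COFF specification.

```python
import hashlib
import struct

# PE/COFF layout constants (from the specification)
_E_LFANEW = 0x3C
_COFF_SIZE = 20
_PE32_MAGIC, _PE32PLUS_MAGIC = 0x10B, 0x20B
# Offset of the first data directory inside the optional header, per image type
_DD_START = {_PE32_MAGIC: 96, _PE32PLUS_MAGIC: 112}
_IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # the CLR header slot


def triage_hashes(data: bytes) -> dict:
    """The digests MalwareBazaar lists for a sample (MD5/SHA1/SHA256/SHA3-384)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def is_dotnet_pe(data: bytes) -> bool:
    """True if the PE has a non-empty CLR (COM descriptor) data directory.

    Managed images import only mscoree!_CorExeMain/_CorDllMain, so their imphash
    is shared by unrelated .NET families and says nothing about the payload.
    """
    try:
        if data[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", data, _E_LFANEW)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
        opt_off = e_lfanew + 4 + _COFF_SIZE
        (magic,) = struct.unpack_from("<H", data, opt_off)
        if magic not in _DD_START:
            return False
        dd_off = opt_off + _DD_START[magic]
        (num_dirs,) = struct.unpack_from("<I", data, dd_off - 4)  # NumberOfRvaAndSizes
        if num_dirs <= _IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            return False
        entry = dd_off + 8 * _IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        if entry + 8 > opt_off + size_of_optional:
            return False  # directory table claims more entries than the header holds
        rva, size = struct.unpack_from("<II", data, entry)
        return rva != 0 and size != 0
    except struct.error:
        return False  # truncated header


def triage(data: bytes) -> dict:
    """Hashes plus a flag telling the analyst whether imphash is worth pivoting on."""
    info = triage_hashes(data)
    info["dotnet"] = is_dotnet_pe(data)
    info["imphash_useful"] = not info["dotnet"]
    return info


def build_minimal_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed test fixture: headers only, no sections, optionally with a CLR directory."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, _E_LFANEW, 64)
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    magic = _PE32PLUS_MAGIC if pe32plus else _PE32_MAGIC
    struct.pack_into("<H", opt, 0, magic)
    dd_off = _DD_START[magic]
    struct.pack_into("<I", opt, dd_off - 4, 16)  # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dd_off + 8 * _IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe(dotnet=True)
    print(triage(sample))
```

On a real sample, replace the constructed fixture with the file bytes; when `dotnet` is true, pivot on ssdeep, TLSH or the YARA matches rather than on imphash.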


abuse_ch
RedLineStealer C2:
85.209.3.7:11615

Intelligence


File Origin
# of uploads: 1
# of downloads: 276
Origin country: NL
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 58fc32b8dd5fecda153ec0275ac5ac85.exe
Verdict: Malicious activity
Analysis date: 2023-07-19 20:01:51 UTC
Tags: rat redline loader amadey trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control greyware lolbin msbuild net obfuscated overlay packed remote replace
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Amadey, RedLine
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1276275 | Sample: 21PjGL37Sf.exe | Start date: 19/07/2023 | Architecture: WINDOWS | Score: 100

Process tree (numbers in brackets are the graph's own node IDs; "N other processes" nodes are collapsed in the source):

[2] start (21PjGL37Sf.exe)
    DNS/IP: second.amadgood.com; api.ip.sb
    Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 14 other signatures
    started: [11] 21PjGL37Sf.exe; [14] cmd.exe; [17] cmd.exe; [19] 3 other processes

[11] 21PjGL37Sf.exe
    Dropped: C:\Users\user\AppData\...\21PjGL37Sf.exe.log (ASCII)
    started: [21] MSBuild.exe

[14] cmd.exe
    Signatures: Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
    started: [26] conhost.exe; [28] sc.exe; [30] sc.exe; [38] 3 other processes

[17] cmd.exe
    started: [32] conhost.exe; [40] 4 other processes

[19] 3 other processes
    started: [34] conhost.exe; [36] conhost.exe

[21] MSBuild.exe
    Network: 85.209.3.7:11615 (SQUITTER-NETWORKSNL, Russian Federation; local port 49696); 165.232.162.31:80 (ALLEGHENYHEALTHNETWORKUS, United States; local port 49697)
    Dropped: C:\Users\user\AppData\...\taskhostmt.exe (PE32); C:\Users\user\AppData\...\taskhostamd.exe (MS-DOS); C:\Users\user\AppData\Local\...\rdpcllp.exe (PE32+)
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    started: [42] taskhostamd.exe; [46] rdpcllp.exe; [48] taskhostmt.exe

[42] taskhostamd.exe
    Dropped: C:\Users\user\AppData\Local\...\oneetx.exe (MS-DOS)
    Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Tries to detect sandboxes / dynamic malware analysis system (registry check)
    started: [50] oneetx.exe

[46] rdpcllp.exe
    Dropped: C:\Program Files\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
    Signatures: Modifies the hosts file; Adds a directory exclusion to Windows Defender; Hides threads from debuggers

[48] taskhostmt.exe
    Signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
    started: [55] MSBuild.exe; [57] MSBuild.exe

[50] oneetx.exe
    Network: 45.15.156.208 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); second.amadgood.com; 192.168.2.1 (unknown)
    Dropped: C:\Users\user\AppData\...\foxtaskhost.exe (PE32); C:\Users\user\AppData\...\foxtaskhost[1].exe (PE32)
    Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); 5 other signatures
    started: [59] foxtaskhost.exe; [62] cmd.exe; [64] schtasks.exe

[55] MSBuild.exe
    Network: 167.99.14.220 (DIGITALOCEAN-ASNUS, United States)

[59] foxtaskhost.exe
    Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
    started: [66] conhost.exe; [68] AppLaunch.exe; [70] WerFault.exe

[62] cmd.exe
    started: [72] conhost.exe; [74] cmd.exe; [76] cacls.exe; [80] 4 other processes

[64] schtasks.exe
    started: [78] conhost.exe
Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2023-07-14 20:54:10 UTC
File Type: PE (.Net Exe)
Extracted files: 196
AV detection: 23 of 38 (60.53%)
Threat level: 2/5
Result
Malware family: redline
Score: 10/10
Tags: family:amadey family:redline botnet:140723_11_red evasion infostealer spyware themida trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
.NET Reactor protector
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Drops file in Drivers directory
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
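Several of the signatures and behaviours above (powercfg changing power settings, "Stop multiple services", schtasks.exe creating tasks, a Windows Defender exclusion being added) are host-side and can be checked from process-creation telemetry. The following Python is an added example, not code from MalwareBazaar or any of the sandboxes quoted here: it runs a small set of rules over constructed Sysmon Event ID 1 style events. The PIDs echo node numbers from the behavior graph, but every command line is my own illustration (the report does not give the actual command lines, the service names, or the mechanism used for the Defender exclusion, so the Add-MpPreference form is an assumption), and the "stop multiple services" threshold is an approximation of the Sigma rule's intent rather than the rule itself.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style). PIDs mirror the
# behavior graph's node numbers; command lines are illustrative, not captured.
EVENTS = [
    {"pid": 14, "ppid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-ac 0"},
    {"pid": 28, "ppid": 14, "image": r"C:\Windows\System32\sc.exe", "cmd": "sc stop UsoSvc"},
    {"pid": 30, "ppid": 14, "image": r"C:\Windows\System32\sc.exe", "cmd": "sc stop WaaSMedicSvc"},
    {"pid": 31, "ppid": 14, "image": r"C:\Windows\System32\sc.exe", "cmd": "sc stop wuauserv"},
    {"pid": 33, "ppid": 14, "image": r"C:\Windows\System32\sc.exe", "cmd": "sc stop bits"},
    {"pid": 64, "ppid": 50, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 1 /tn foxtaskhost /tr "C:\Users\user\AppData\Local\Temp\foxtaskhost.exe" /f'},
    # Assumed mechanism for "Adds a directory exclusion to Windows Defender"
    {"pid": 90, "ppid": 46, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Program Files\Google\Chrome"'},
    # Benign controls that must not fire
    {"pid": 99, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt"},
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\sc.exe", "cmd": "sc query wuauserv"},
]

# powercfg invoked with a setting-changing switch (/x, /change, /hibernate, /h)
POWERCFG_MODIFY = re.compile(r"\bpowercfg(?:\.exe)?\s+[/-](?:x|change|hibernate|h)\b", re.I)
SCHTASKS_CREATE = re.compile(r"\s/create\b", re.I)
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)
SC_STOP = re.compile(r"^\s*sc(?:\.exe)?\s+stop\s+\S+", re.I)
# "Stop multiple services": this many distinct services stopped by children of one parent
SC_STOP_THRESHOLD = 3


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, pid) pairs. Per-event rules fire on the event's own PID;
    the aggregate sc-stop rule fires on the parent that spawned the sc.exe children."""
    hits = []
    sc_stops = defaultdict(set)
    for e in events:
        cmd, exe = e["cmd"], _basename(e["image"])
        if POWERCFG_MODIFY.search(cmd):
            hits.append(("powercfg_modifies_power_settings", e["pid"]))
        if exe == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
            hits.append(("schtasks_creates_task", e["pid"]))
        if DEFENDER_EXCLUSION.search(cmd):
            hits.append(("defender_exclusion_added", e["pid"]))
        if exe == "sc.exe" and SC_STOP.match(cmd):
            sc_stops[e["ppid"]].add(cmd.split()[-1].lower())
    for ppid, services in sc_stops.items():
        if len(services) >= SC_STOP_THRESHOLD:
            hits.append(("stop_multiple_services", ppid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<36} pid={pid}")
```

The aggregate rule keys on the parent PID rather than on individual sc.exe events, which is what separates a loader disabling several services from an administrator stopping one; tune SC_STOP_THRESHOLD against your own baseline.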
Malware Config
C2 Extraction:
85.209.3.7:11615
45.15.156.208/jd9dd3Vw/index.php
second.amadgood.com/jd9dd3Vw/index.php
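The three C2 entries above come in two shapes: a bare host:port (RedLine, per the reporter's comment) and host/path strings with no scheme or port. Before they can be matched against telemetry they need to be normalised into typed IOCs. The Python below is an added example and not MalwareBazaar code: it parses the extracted entries, emits Suricata rules for them, and matches them against a few constructed DNS, proxy and flow log lines. Treating the path-less entry as a raw TCP endpoint and the path entries as HTTP on port 80 is my assumption (the report gives no protocol), and parse_c2, suricata_rules, ioc_patterns and match_logs are my own helper names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# C2 entries exactly as listed under "C2 Extraction" on this page
C2_EXTRACTION = [
    "85.209.3.7:11615",
    "45.15.156.208/jd9dd3Vw/index.php",
    "second.amadgood.com/jd9dd3Vw/index.php",
]

# Constructed log lines (DNS, proxy, flow); not taken from the report
LOG_LINES = [
    "2023-07-19T20:02:01Z dns  client=192.168.2.10 qtype=A qname=second.amadgood.com",
    "2023-07-19T20:02:02Z http client=192.168.2.10 method=POST url=http://45.15.156.208/jd9dd3Vw/index.php",
    "2023-07-19T20:02:03Z flow 192.168.2.10:49696 -> 85.209.3.7:11615 proto=tcp",
    "2023-07-19T20:02:04Z http client=192.168.2.11 method=GET url=https://example.com/",
    "2023-07-19T20:02:05Z flow 192.168.2.11:50000 -> 85.209.3.7:443 proto=tcp",
]


def parse_c2(entry: str) -> dict:
    """Normalise 'host:port' or 'host/path' into a typed IOC record.
    Assumption: no path means a raw TCP endpoint; a path means HTTP on port 80."""
    entry = entry.strip()
    if "://" not in entry:
        entry = ("tcp://" if re.fullmatch(r"[^/]+:\d+", entry) else "http://") + entry
    u = urlsplit(entry)
    host = u.hostname
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    port = u.port if u.port is not None else (80 if u.scheme == "http" else None)
    return {"kind": kind, "host": host, "port": port, "path": u.path or None, "proto": u.scheme}


def suricata_rules(iocs, base_sid=9000001, msg_prefix="MalwareBazaar 0cbd8540 C2"):
    """One Suricata rule per IOC (sticky-buffer syntax, Suricata 5+)."""
    rules = []
    for i, ioc in enumerate(iocs):
        sid = base_sid + i
        if ioc["path"] is None:
            rules.append(
                f'alert tcp $HOME_NET any -> {ioc["host"]} {ioc["port"]} '
                f'(msg:"{msg_prefix} {ioc["host"]}:{ioc["port"]}"; flow:to_server,established; '
                f'sid:{sid}; rev:1;)')
        elif ioc["kind"] == "domain":
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET any '
                f'(msg:"{msg_prefix} {ioc["host"]}{ioc["path"]}"; flow:to_server,established; '
                f'http.host; content:"{ioc["host"]}"; nocase; '
                f'http.uri; content:"{ioc["path"]}"; sid:{sid}; rev:1;)')
        else:
            rules.append(
                f'alert http $HOME_NET any -> {ioc["host"]} {ioc["port"]} '
                f'(msg:"{msg_prefix} {ioc["host"]}{ioc["path"]}"; flow:to_server,established; '
                f'http.uri; content:"{ioc["path"]}"; sid:{sid}; rev:1;)')
    return rules


def ioc_patterns(iocs):
    """Regexes tight enough to avoid prefix/suffix false positives:
    ip+port must match as a pair, ip+path must include the path, domains match bare."""
    pats = []
    for ioc in iocs:
        host = re.escape(ioc["host"])
        if ioc["kind"] == "domain":
            pat = rf"(?<![\w.-]){host}(?![\w.-])"
        elif ioc["path"] is None:
            pat = rf"(?<![\d.]){host}:{ioc['port']}\b"
        else:
            pat = rf"(?<![\w.-]){host}(?::{ioc['port']})?{re.escape(ioc['path'])}"
        pats.append((ioc, re.compile(pat, re.I)))
    return pats


def match_logs(iocs, lines):
    """Return sorted (line_index, ioc_host) pairs for every line that hits an IOC."""
    hits = []
    for ioc, pat in ioc_patterns(iocs):
        for n, line in enumerate(lines):
            if pat.search(line):
                hits.append((n, ioc["host"]))
    return sorted(hits)


if __name__ == "__main__":
    iocs = [parse_c2(e) for e in C2_EXTRACTION]
    print("\n".join(suricata_rules(iocs)))
    print(match_logs(iocs, LOG_LINES))
```

The last constructed line (85.209.3.7 on port 443) deliberately does not hit: the report ties the RedLine endpoint to port 11615, and matching the bare IP would also flag unrelated traffic to that shared-hosting address.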
Unpacked files
SHA256 hash: f352a201766de6f4e2a102aa039edd2e09033df655c1d2e85653f51b23e93a4d
MD5 hash: 32273ce8dc6d59305710d5ccee0dce35
SHA1 hash: f236f1ed700b087fab35321ede0c3157526288e4

SHA256 hash: 8d848dfda6a73a408dc3118d5bd307f3e0f3ee04b7ca1a96838d23732ee3135b
MD5 hash: 5e932ce6ea5fa815234db34c2bc7193a
SHA1 hash: fc29d5d130cd1486c4082203b2f2877a3d9e7495
Detections: redline

SHA256 hash: bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash: 7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash: 67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d

SHA256 hash: c9a4b1916bb404b798cee0dc7db4eed94f4598e24c8b05b83904b9d0b7f20eeb
MD5 hash: 49bde8a1a6e837405519dbf13ef31477
SHA1 hash: 3758e103ff05e82e0e0e1c2b3f2d88814d06a503

SHA256 hash: 0cbd85402b0521a07025a92e87ec97859fd9c1310786728899b3981e8bc55e0c
MD5 hash: 58fc32b8dd5fecda153ec0275ac5ac85
SHA1 hash: 02bc5d590f413c10f1846eaad45db40b425351e6

Malware family: RedLine.E
Verdict: Malicious

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:msil_suspicious_use_of_strreverse
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:redline_stealer_1
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules
