MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2
SHA3-384 hash: 633708960c50d1898d8e806d28c72d31c85110a501b0df84266752649555b4e4bd512339f27b9d583a3944af098c27cb
SHA1 hash: 57dba56481bc616d299d67f6fac5536e0e848d46
MD5 hash: 1322008e75c620fd60416b4264d42e7e
humanhash: seven-washington-autumn-bulldog
File name:1322008e75c620fd60416b4264d42e7e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'395'200 bytes
First seen:2023-09-10 15:20:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep 24576:PAHCWpD0TJCKRi96Gd2/vaRgkrnexq0IfbgUu/bX7/Z5JnAxToNu0ikz1:YHCWpDgzHGdx/Dek0csr/Z51AxToNu0B
Threatray 21 similar samples on MalwareBazaar
TLSH T19E551240B0D1C0B2C87714B518E4EBB6297E79E00A139DDF7BEA1B7A4F612C05279F66
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
162.33.179.91:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1322008e75c620fd60416b4264d42e7e.exe
Verdict:
No threats detected
Analysis date:
2023-09-10 15:21:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/23ad08ce-1899-4d59-bfe2-a078b9f8dbc5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447742/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.25610.14840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Launching a service
Creating a file
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin packed
Link:
https://www.filescan.io/uploads/64fddedf86964ed9c618be76/reports/6661154d-4fea-4d76-b3d9-26d307534ad3/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d83bc6ae-5dc5-4caf-8812-f2e5d9b722b3
Result
Threat name:
Amadey, Mystic Stealer, RedLine, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306888
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306888 Sample: 92alMKOBb3.exe Startdate: 10/09/2023 Architecture: WINDOWS Score: 100 123 Snort IDS alert for network traffic 2->123 125 Found malware configuration 2->125 127 Malicious sample detected (through community Yara rule) 2->127 129 12 other signatures 2->129 13 92alMKOBb3.exe 1 2->13         started        16 rundll32.exe 2->16         started        process3 signatures4 153 Contains functionality to inject code into remote processes 13->153 155 Writes to foreign memory regions 13->155 157 Allocates memory in foreign processes 13->157 159 Injects a PE file into a foreign processes 13->159 18 AppLaunch.exe 1 4 13->18         started        21 WerFault.exe 23 9 13->21         started        23 conhost.exe 13->23         started        process5 file6 87 C:\Users\user\AppData\Local\...\v9492834.exe, PE32 18->87 dropped 89 C:\Users\user\AppData\Local\...\f8276361.exe, PE32 18->89 dropped 25 v9492834.exe 1 4 18->25         started        process7 file8 91 C:\Users\user\AppData\Local\...\v6161139.exe, PE32 25->91 dropped 93 C:\Users\user\AppData\Local\...\e0627817.exe, PE32 25->93 dropped 149 Antivirus detection for dropped file 25->149 151 Machine Learning detection for dropped file 25->151 29 v6161139.exe 1 4 25->29         started        signatures9 process10 file11 99 C:\Users\user\AppData\Local\...\v8528947.exe, PE32 29->99 dropped 101 C:\Users\user\AppData\Local\...\d8077178.exe, PE32 29->101 dropped 161 Antivirus detection for dropped file 29->161 163 Machine Learning detection for dropped file 29->163 33 v8528947.exe 1 4 29->33         started        37 d8077178.exe 29->37         started        signatures12 process13 dnsIp14 83 C:\Users\user\AppData\Local\...\v1506589.exe, PE32 33->83 dropped 85 C:\Users\user\AppData\Local\...\c3576046.exe, PE32 33->85 dropped 131 Machine Learning detection for dropped file 33->131 40 c3576046.exe 33->40         started        43 v1506589.exe 1 4 33->43         started        113 77.91.124.82, 19071, 49758, 49769 ECOTEL-ASRU Russian Federation 37->113 133 Antivirus detection for dropped file 37->133 135 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->135 137 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 37->137 139 Tries to harvest and steal browser information (history, passwords, etc) 37->139 file15 signatures16 process17 file18 141 Machine Learning detection for dropped file 40->141 143 Writes to foreign memory regions 40->143 145 Allocates memory in foreign processes 40->145 147 Injects a PE file into a foreign processes 40->147 46 AppLaunch.exe 40->46         started        49 WerFault.exe 40->49         started        52 conhost.exe 40->52         started        54 AppLaunch.exe 40->54         started        95 C:\Users\user\AppData\Local\...\b9567100.exe, PE32 43->95 dropped 97 C:\Users\user\AppData\Local\...\a6784291.exe, PE32 43->97 dropped 56 a6784291.exe 1 43->56         started        58 b9567100.exe 1 43->58         started        signatures19 process20 dnsIp21 165 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->165 167 Maps a DLL or memory area into another process 46->167 169 Checks if the current machine is a virtual machine (disk enumeration) 46->169 171 Creates a thread in another existing process (thread injection) 46->171 60 explorer.exe 46->60 injected 111 192.168.2.1 unknown unknown 49->111 173 Writes to foreign memory regions 56->173 175 Allocates memory in foreign processes 56->175 177 Injects a PE file into a foreign processes 56->177 65 AppLaunch.exe 9 1 56->65         started        67 WerFault.exe 19 9 56->67         started        69 conhost.exe 56->69         started        77 3 other processes 56->77 179 Machine Learning detection for dropped file 58->179 71 AppLaunch.exe 13 58->71         started        73 conhost.exe 58->73         started        75 WerFault.exe 58->75         started        signatures22 process23 dnsIp24 115 79.137.192.18, 49779, 80 PSKSET-ASRU Russian Federation 60->115 117 77.91.68.29, 49760, 49766, 49770 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 60->117 121 2 other IPs or domains 60->121 103 C:\Users\user\AppData\Roaming\wuvhgeg, PE32 60->103 dropped 105 C:\Users\user\AppData\Local\Temp\B5C6.exe, PE32 60->105 dropped 107 C:\Users\user\AppData\Local\Temp\9BBA.exe, PE32+ 60->107 dropped 109 4 other malicious files 60->109 dropped 181 System process connects to network (likely due to code injection or exploit) 60->181 183 Benign windows process drops PE files 60->183 185 Hides that the sample has been downloaded from the Internet (zone.identifier) 60->185 79 rundll32.exe 60->79         started        81 rundll32.exe 60->81         started        187 Disable Windows Defender notifications (registry) 65->187 189 Disable Windows Defender real time protection (registry) 65->189 119 5.42.92.211, 49750, 49771, 49777 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 71->119 file25 signatures26 process27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-09-10 15:21:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzjh6innsf5yp6j7ftlgl5pfxdfg6unckbnfaaxdxsbqsm22oxja._file
Verdict:
unknown
Similar samples:
01bda45f92bdaf75de7f809024177c873d12b133bb70ee1bec243ab7d3e9e3d7
RedLineStealer
0a458d8affc7f401e1c3b2ad52d0eb135dfab6c4a8e79c3d307c4145b184b239
RedLineStealer
752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983
RedLineStealer
806d1d42b45adf8a3ecd7fb0797ee658b207e5338efca502541dd2f91d6b2413
RedLineStealer
9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
RedLineStealer
a86c40b7336f60749b61736fdb2192f3079baacf4893fe9d572b1891927b7ef6
RedLineStealer
b6dbab0251f7dc75749babd8a98c8072df0ae4bd9767198cf2381d667e2222f6
RedLineStealer
c3de8f808b7c5b3b37549bb8b6bea11463eed6a74532797f9a4214c1b5ea747f
RedLineStealer
ca54c6e3edac0185342ae18baa70ba469bdafa338fc67fba81fad6796e963ff6
RedLineStealer
d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5
RedLineStealer
+ 11 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:healer family:redline family:smokeloader botnet:virad backdoor discovery dropper evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230910-sra71saa9z/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
77.91.124.82:19071
http://77.91.68.29/fks/
http://5.42.65.80/8bmeVwqx/index.php
Unpacked files
SH256 hash:
0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2
MD5 hash:
1322008e75c620fd60416b4264d42e7e
SHA1 hash:
57dba56481bc616d299d67f6fac5536e0e848d46
Link:
https://www.unpac.me/results/2bd49844-c912-4849-a9d9-7f082546d501/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e527f21ad91/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710216/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447742/

Comments