MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 128fa9c5e91c61f07f41747506930f91dc37de7fca0948f1f1d00e03233d673f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 128fa9c5e91c61f07f41747506930f91dc37de7fca0948f1f1d00e03233d673f
SHA3-384 hash: 1e96bf73e6dc413bc3c841123502318b202edcda8a2c1b4df47b55bd94573ad11a96fb6a2764de0f28e51487165fc16e
SHA1 hash: fa7521f87169f862d797e09f4e1c5e13f5fc1c2b
MD5 hash: 05a5f0c75f72f0125827ab83d62ab179
humanhash: muppet-don-december-jig
File name:05a5f0c75f72f0125827ab83d62ab179.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'565'560 bytes
First seen:2022-10-28 03:10:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cda23ed6a96ffe8c9ba5d7bae4aa8499 (3 x Smoke Loader, 1 x RedLineStealer)
ssdeep 49152:g2EPSZlTwhH8M2PBVTwhH8M2PBVTwhH8M2PBVTwhH8M2PBc:PGcTwhH8M2PBVTwhH8M2PBVTwhH8M2PK
Threatray 225 similar samples on MalwareBazaar
TLSH T197C550ED671995D9DAA409304FCACE3042016E63BB65CACFB8EA7F4722343D459F244B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://79.137.197.181/g93dLhG2/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://79.137.197.181/g93dLhG2/index.php https://threatfox.abuse.ch/ioc/952385/

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325311/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a window
Creating a file
Sending an HTTP POST request
Delayed reading of the file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46215/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8d1d9ff-7bcf-42c7-9e2f-ecef87787fc1
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1100040
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 732701 Sample: BauaZYqpg2.exe Startdate: 28/10/2022 Architecture: WINDOWS Score: 100 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus detection for URL or domain 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 10 other signatures 2->88 10 BauaZYqpg2.exe 2->10         started        13 5shvJegCclEz.exe 2->13         started        15 5shvJegCclEz.exe 2->15         started        17 3 other processes 2->17 process3 signatures4 118 Detected unpacking (changes PE section rights) 10->118 120 Detected unpacking (overwrites its own PE header) 10->120 122 Contains functionality to inject code into remote processes 10->122 124 Contains functionality to behave differently if execute on a Russian/Kazak computer 10->124 19 BauaZYqpg2.exe 4 10->19         started        126 Writes to foreign memory regions 13->126 128 Allocates memory in foreign processes 13->128 130 Injects a PE file into a foreign processes 13->130 22 InstallUtil.exe 13->22         started        24 InstallUtil.exe 13->24         started        26 InstallUtil.exe 15->26         started        28 MSI-uLsVJ4QkcuSVTA5q.exe 17->28         started        31 MSI-uLsVJ4QkcuSVTA5q.exe 17->31         started        33 rovwer.exe 17->33         started        process5 file6 62 C:\Users\user\AppData\Local\...\rovwer.exe, PE32 19->62 dropped 64 C:\Users\user\...\rovwer.exe:Zone.Identifier, ASCII 19->64 dropped 35 rovwer.exe 19->35         started        144 Tries to steal Crypto Currency Wallets 28->144 signatures7 process8 signatures9 90 Multi AV Scanner detection for dropped file 35->90 92 Detected unpacking (changes PE section rights) 35->92 94 Detected unpacking (overwrites its own PE header) 35->94 96 3 other signatures 35->96 38 rovwer.exe 2 25 35->38         started        process10 dnsIp11 74 79.137.197.181, 49695, 49696, 49699 PSKSET-ASRU Russian Federation 38->74 76 bitbucket.org 104.192.141.1, 443, 49697, 49698 AMAZON-02US United States 38->76 78 4 other IPs or domains 38->78 66 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 38->66 dropped 68 C:\Users\user\...\MSI-uLsVJ4QkcuSVTA5q.exe, PE32 38->68 dropped 70 C:\Users\user\AppData\...\5shvJegCclEz.exe, PE32 38->70 dropped 72 3 other malicious files 38->72 dropped 112 Creates an undocumented autostart registry key 38->112 114 Creates autostart registry keys with suspicious names 38->114 116 Creates multiple autostart registry keys 38->116 43 5shvJegCclEz.exe 38->43         started        46 MSI-uLsVJ4QkcuSVTA5q.exe 38->46         started        48 rundll32.exe 38->48         started        50 schtasks.exe 1 38->50         started        file12 signatures13 process14 signatures15 132 Machine Learning detection for dropped file 43->132 134 Writes to foreign memory regions 43->134 136 Allocates memory in foreign processes 43->136 52 InstallUtil.exe 43->52         started        138 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 46->138 140 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 46->140 142 Injects a PE file into a foreign processes 46->142 55 MSI-uLsVJ4QkcuSVTA5q.exe 5 46->55         started        58 rundll32.exe 12 48->58         started        60 conhost.exe 50->60         started        process16 dnsIp17 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->98 100 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->100 102 Tries to harvest and steal browser information (history, passwords, etc) 52->102 80 77.73.133.87 AS43260TR Kazakhstan 55->80 104 Tries to steal Crypto Currency Wallets 55->104 106 System process connects to network (likely due to code injection or exploit) 58->106 108 Tries to steal Instant Messenger accounts or passwords 58->108 110 Tries to harvest and steal ftp login credentials 58->110 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/128fa9c5e91c61f07f41747506930f91dc37de7fca0948f1f1d00e03233d673f/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-23 18:43:43 UTC
File Type:
PE (Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ckh2trpjdrq7a72bor2qneypshodpxt7zieur4pr2ahagiz5m47q._file
Verdict:
malicious
Similar samples:
094093b6d67fec5c395a987628965d54974a50ea8da167acbc992a804416f1dd
RedLineStealer
10ddb599ed1008906023a0b43f46d9a85ec07568f74a5c54ee5a698c73411b0d
RedLineStealer
23443648c2468ae2297b052c2cef4c652cfac9dc275b825a4407d8ba97963904
RedLineStealer
292952ec16f4a603899012bc3f138de8f7b3953466fb56cd047a6118cabba11e
RedLineStealer
861e7b200c592c963f1505de4cb8870d38a1b052fda99d4014d87bb1eebd8727
RedLineStealer
8705edd12d81d96ea26ed36283cf91a186c8715544d8f76bed72d8882bfb8f0d
RedLineStealer
893b497c2297b10de6407206bad6f0da6fe25269a72866515a79cebb81998008
RedLineStealer
+ 215 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:alpaca discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/221028-dplhmsedc6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Amadey
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.73.133.87:25907
Unpacked files
SH256 hash:
3fbbb7bf6d00d47916d24db0230159f05e09c934649a30a7b911ac5ac7b96d18
MD5 hash:
88cfc757629e28364e569ba490e6b18f
SHA1 hash:
db451bc27a4d6911ad06840865aa225963e6c9b3
Link:
https://www.unpac.me/results/27abbc63-c930-4aea-ae0e-2e276141370f/
SH256 hash:
3544139d41e15d39b19281ec88e645985e966f112e67e5cf2528405673b14f26
MD5 hash:
9bffc5b08cb659b20d913bc1187e9221
SHA1 hash:
efce330609e7ca7cc59ec40e0cebb968a2e76e53
Link:
https://www.unpac.me/results/27abbc63-c930-4aea-ae0e-2e276141370f/
SH256 hash:
128fa9c5e91c61f07f41747506930f91dc37de7fca0948f1f1d00e03233d673f
MD5 hash:
05a5f0c75f72f0125827ab83d62ab179
SHA1 hash:
fa7521f87169f862d797e09f4e1c5e13f5fc1c2b
Link:
https://www.unpac.me/results/27abbc63-c930-4aea-ae0e-2e276141370f/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/128fa9c5e91c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/128fa9c5e91c61f07f41747506930f91dc37de7fca0948f1f1d00e03233d673f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/325311/

Comments