MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef
SHA3-384 hash: 1b6efd16ece441ace114ec93e0e84c23713bbde08b7f302b546f240aed4214e3923e62592184067877c52b370f71aa35
SHA1 hash: 926253e894b9afb824726e7312ac65220509acf9
MD5 hash: b54b8cd2e321a3f31a07921940c351fa
humanhash: gee-vegan-mississippi-april
File name:setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:424'960 bytes
First seen:2024-07-20 05:08:25 UTC
Last seen:2024-07-21 18:01:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 39e221da42b9cac717741c15ca264eb9 (4 x Amadey, 1 x RedLineStealer)
ssdeep 12288:CPXaOtGpmLb84Jjzo6yDBuKuJ+ITOCV0d:C7tGpmf8edychVV0d
TLSH T1C6947D207813C032C62192711E68FFF691ADB9255F7109DBB7D84F3B6E211E26A35E36
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Chainskilabs
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe
Verdict:
Malicious activity
Analysis date:
2024-07-19 23:33:59 UTC
Tags:
amadey botnet stealer loader metastealer redline stealc zharkbot lumma proxy evasion phishing telegram python smokeloader miner pastebin quasar xmrig upx
Link:
https://app.any.run/tasks/9fd1eb5c-84e7-4014-b4a7-38d8d96f4468

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Generic-10033391-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669b4673b302ab76f448034a
Tags:
Execution Generic Infostealer Network Stealth Trojan Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
amadey epmicrosoft_visual_cc lolbin microsoft_visual_cc shell32
Link:
https://www.filescan.io/uploads/669b46707b9add553ed834bf/reports/3b4ff07d-c85e-4de7-a85e-ad10a9315b63/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/67e419ea-b73d-42dd-9cb2-a185c8ffe5dc
Result
Threat name:
LummaC, Amadey, LummaC Stealer, Mars Ste
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1477143
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Quasar RAT
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1477143 Sample: setup.exe Startdate: 20/07/2024 Architecture: WINDOWS Score: 100 136 freezetdopzx.shop 2->136 138 coe.com.vn 2->138 160 Snort IDS alert for network traffic 2->160 162 Found malware configuration 2->162 164 Malicious sample detected (through community Yara rule) 2->164 166 27 other signatures 2->166 11 setup.exe 5 2->11         started        15 Hkbsse.exe 2->15         started        18 espartu.exe 2->18         started        20 4 other processes 2->20 signatures3 process4 dnsIp5 122 C:\Users\user\AppData\Local\...\axplong.exe, PE32 11->122 dropped 124 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 11->124 dropped 222 Contains functionality to inject code into remote processes 11->222 22 axplong.exe 44 11->22         started        154 coe.com.vn 103.28.36.182 NHANHOA-AS-VNNhanHoaSoftwarecompanyVN Viet Nam 15->154 126 C:\Users\user\AppData\Local\...\FirstZ.exe, PE32+ 15->126 dropped 128 C:\Users\user\AppData\Local\Temp\...\2.exe, PE32 15->128 dropped 130 C:\Users\user\AppData\Local\...\2[1].exe, PE32 15->130 dropped 132 C:\Users\user\AppData\Local\...\FirstZ[1].exe, PE32+ 15->132 dropped 27 2.exe 15->27         started        29 FirstZ.exe 15->29         started        156 185.216.214.218, 62038, 80 SERVERDISCOUNTERserverdiscountercomDE Germany 18->156 134 C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe, PE32+ 18->134 dropped 224 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->224 226 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->226 228 Writes to foreign memory regions 18->228 230 LummaC encrypted strings found 18->230 31 schtasks.exe 18->31         started        158 127.0.0.1 unknown unknown 20->158 232 Allocates memory in foreign processes 20->232 234 Injects a PE file into a foreign processes 20->234 33 schtasks.exe 20->33         started        35 WerFault.exe 20->35         started        file6 signatures7 process8 dnsIp9 142 185.196.10.57, 49731, 49748, 49754 SIMPLECARRIERCH Switzerland 22->142 144 79.137.192.15, 62041, 80 PSKSET-ASRU Russian Federation 22->144 146 2 other IPs or domains 22->146 94 C:\Users\user\AppData\Local\...\svchost.exe, PE32 22->94 dropped 96 C:\Users\user\AppData\Local\...\34v3vz.exe, PE32 22->96 dropped 98 C:\Users\user\AppData\Local\...\134598672.exe, PE32 22->98 dropped 102 16 other malicious files 22->102 dropped 184 Found many strings related to Crypto-Wallets (likely being stolen) 22->184 186 Drops PE files with benign system names 22->186 37 g245x.exe 22->37         started        40 crypted777777.exe 22->40         started        42 Files.exe 1 22->42         started        50 7 other processes 22->50 188 Detected unpacking (changes PE section rights) 27->188 190 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->190 192 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 27->192 196 4 other signatures 27->196 100 C:\ProgramData\...\reakuqnanrkn.exe, PE32+ 29->100 dropped 194 Adds a directory exclusion to Windows Defender 29->194 44 powershell.exe 29->44         started        46 conhost.exe 31->46         started        48 conhost.exe 33->48         started        file10 signatures11 process12 dnsIp13 168 Writes to foreign memory regions 37->168 170 Allocates memory in foreign processes 37->170 172 Injects a PE file into a foreign processes 37->172 54 RegAsm.exe 37->54         started        69 2 other processes 37->69 59 RegAsm.exe 40->59         started        71 2 other processes 40->71 61 RegAsm.exe 3 42->61         started        63 conhost.exe 42->63         started        174 Loading BitLocker PowerShell Module 44->174 65 conhost.exe 44->65         started        140 185.215.113.67, 40960, 49752 WHOLESALECONNECTIONSNL Portugal 50->140 88 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 50->88 dropped 90 C:\Users\user\AppData\Local\...\Hkbsse.exe, PE32 50->90 dropped 92 C:\Users\user\AppData\Local\...\espartu.exe, PE32 50->92 dropped 176 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 50->176 178 Creates an undocumented autostart registry key 50->178 180 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 50->180 182 5 other signatures 50->182 67 RegAsm.exe 50->67         started        73 7 other processes 50->73 file14 signatures15 process16 dnsIp17 148 85.28.47.70, 49750, 80 GES-ASRU Russian Federation 54->148 104 C:\Users\user\AppData\...\softokn3[1].dll, PE32 54->104 dropped 106 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 54->106 dropped 108 C:\Users\user\AppData\...\mozglue[1].dll, PE32 54->108 dropped 118 9 other files (5 malicious) 54->118 dropped 198 Tries to steal Mail credentials (via file / registry access) 54->198 200 Found many strings related to Crypto-Wallets (likely being stolen) 54->200 202 Tries to steal Crypto Currency Wallets 54->202 150 40.86.87.10, 62043, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 59->150 110 C:\Users\user\AppData\...\softokn3[1].dll, PE32 59->110 dropped 120 5 other files (3 malicious) 59->120 dropped 204 Tries to harvest and steal ftp login credentials 59->204 206 Tries to harvest and steal browser information (history, passwords, etc) 59->206 208 Tries to harvest and steal Bitcoin Wallet information 59->208 112 C:\Users\user\AppData\...\cwos8v7iux.exe, PE32 61->112 dropped 114 C:\Users\user\AppData\...\a0CCgj6Qtw.exe, PE32 61->114 dropped 210 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 61->210 212 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 61->212 214 Found evasive API chain (may stop execution after checking locale) 61->214 216 Searches for specific processes (likely to inject) 61->216 75 a0CCgj6Qtw.exe 4 61->75         started        78 cwos8v7iux.exe 4 61->78         started        152 20.52.165.210, 39030, 62040 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 67->152 116 C:\Users\user\AppData\...\RegAsm.exe.log, ASCII 67->116 dropped 218 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 73->218 80 conhost.exe 73->80         started        82 conhost.exe 73->82         started        file18 signatures19 process20 signatures21 220 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 75->220 84 conhost.exe 75->84         started        86 conhost.exe 78->86         started        process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-07-20 01:37:24 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cutnlfjnpflchcsdl25yon5l3vahgyyj77kthtoscec25h6rz3xq._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:quasar family:redline family:stealc family:xmrig botnet:1307newbild botnet:e76b71 botnet:leg botnet:livetraffic botnet:proxy botnet:qll discovery evasion execution infostealer miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/240720-fs5rssxfjr/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Suspicious use of SetThreadContext
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
XMRig Miner payload
Amadey
Quasar RAT
Quasar payload
RedLine
RedLine payload
Stealc
xmrig
Malware Config
C2 Extraction:
http://77.91.77.81
185.215.113.67:40960
http://85.28.47.70
http://40.86.87.10
20.52.165.210:39030
45.66.231.154:45764
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e0d7c0a0-d1f8-4d57-96c2-35390803bd48
Unpacked files
SH256 hash:
1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef
MD5 hash:
b54b8cd2e321a3f31a07921940c351fa
SHA1 hash:
926253e894b9afb824726e7312ac65220509acf9
Detections:
win_amadey_auto
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/d7f14702-90bc-4cf9-b04b-9191458172b7/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1526d5952d79/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_1f2e969c
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_45d1e986
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_bd24be68
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.amadey.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2874927/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2888729/
  
URLhaus
https://urlhaus.abuse.ch/url/2888751/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetSidIdentifierAuthority
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameA
ADVAPI32.dll::LookupAccountNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo

Comments