MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 170004b7b6bab6c3c860a6402f9d3d8988e4f3de7682e28738c3c27ac33b0e1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: 170004b7b6bab6c3c860a6402f9d3d8988e4f3de7682e28738c3c27ac33b0e1c
SHA3-384 hash: b3a3f90ed639e550ccfb174d9444e825151b0693eaa4fe71ae8b5e4e26c085714d709d3c3215942a5cc8c95bcdf43865
SHA1 hash: 210085d4f3cf1cf08c34baa5bfba0b0fc5a6c639
MD5 hash: b85fa0d79d936b8b006c535d006c7f29
humanhash: texas-fix-spaghetti-oven
File name: b85fa0d79d936b8b006c535d006c7f29
Download: download sample
Signature: RedLineStealer
File size: 1'880'576 bytes
First seen: 2024-07-13 05:04:43 UTC
Last seen: 2024-07-24 11:36:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:K23fbpRhR0OiwF7BESrgRSzLBEF7YcMs6:3zhR9FdVOFSz
TLSH: T1069533D57FAE2A15F0A146F99B23853375439003AB7BABB35D66CA38CD360C2165DC0B
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence


File Origin
Uploads: 2
Downloads: 425
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2024-07-12 16:20:37 UTC
Tags:
amadey botnet stealer themida loader redline metastealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Tags:
Banker Stealth Malware Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Mars Stealer, PureLog Stealer, Q
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Quasar RAT
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
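The signature "Hides that the sample has been downloaded from the Internet (zone.identifier)" above refers to the Mark-of-the-Web, the Zone.Identifier alternate data stream that browsers and downloaders attach to files; the behaviour graph further down also shows the sample writing axplong.exe:Zone.Identifier next to its dropped payload. The following is an added example (my code, not the sandbox's or MalwareBazaar's) that reads and interprets such a stream so an analyst can tell whether a dropped file carries an Internet-zone mark, a different zone, or no mark at all. The stream text, the triage wording and the read_motw helper are my construction; read_motw only finds a stream on NTFS.

```python
"""Added example: read and interpret a Zone.Identifier stream (the
Mark-of-the-Web) for a dropped file. Not sandbox or MalwareBazaar code."""
import configparser

# ZoneId values are URLMON's URL security zones.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream content; no [ZoneTransfer] section -> no mark."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        return {"present": False}
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec.get("ZoneId", "-1"))
    except ValueError:
        zone_id = -1
    return {
        "present": True,
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host_url": sec.get("HostUrl"),
    }


def read_motw(path: str) -> dict:
    """On NTFS the stream opens as '<path>:Zone.Identifier'; elsewhere it does
    not exist, which is reported the same way as a stripped mark."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return {"present": False}


def triage(motw: dict, path: str) -> str:
    """Turn the parsed mark into a one-line analyst note (wording is mine)."""
    if not motw["present"]:
        return f"{path}: no Zone.Identifier (never marked, or mark stripped so the Internet origin is hidden)"
    if motw["zone_id"] == 3:
        return f"{path}: Internet-zone file, fetched from {motw['host_url'] or 'unknown URL'}"
    return f"{path}: marked {motw['zone']} (ZoneId={motw['zone_id']})"


# Constructed stream content shaped like what a downloader writes; the HostUrl
# is the download URL given in the comment on this entry.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=http://77.91.77.81/soka/\r\n"
    "HostUrl=http://77.91.77.81/soka/random.exe\r\n"
)

if __name__ == "__main__":
    print(triage(parse_zone_identifier(SAMPLE_STREAM), "random.exe"))
    print(triage(parse_zone_identifier(""), "axplong.exe"))
```

A dropped payload in %AppData% with no mark, while its parent arrived as an Internet-zone download, is the pattern this signature is pointing at; the mark also tells you the hosting URL, which is worth checking against the C2 extraction further down.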
Behaviour
Behavior Graph:
Behavior Graph ID: 1472622 | Sample: mlk3kK6uLZ.exe | Start date: 13/07/2024 | Architecture: WINDOWS | Score: 100

Start node (sample submission)
  DNS/IP: api.proxyscrape.com; tmpfiles.org; 3 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 33 other signatures
  Started: axplong.exe; espartu.exe; mlk3kK6uLZ.exe; 8 other processes

mlk3kK6uLZ.exe (the sample)
  Dropped: C:\Users\user\AppData\Local\...\axplong.exe (PE32); C:\Users\user\...\axplong.exe:Zone.Identifier (ASCII)
  Signatures: Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers
  Started: axplong.exe (second instance; 2 other signatures)

axplong.exe
  DNS/IP: 43.153.49.49:8888 from local port 58985 (LILLY-ASUS, Japan); 77.232.41.110:80 from local port 58979 (EUT-ASEUTIPNetworkRU, Russian Federation)
  Dropped: C:\Users\user\AppData\Local\...\leg222.exe (PE32); C:\Users\user\AppData\Local\...\leg222[1].exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 3 other signatures
  Started: leg222.exe; hello.exe; ZharkBOT.exe; 4 other processes

  leg222.exe
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to inject code into remote processes
    Started: RegAsm.exe; WerFault.exe
    RegAsm.exe
      Dropped: C:\Users\user\AppData\...\Z73fDV6g4L.exe (PE32); C:\Users\user\AppData\...\VP2pdCInvS.exe (PE32)
      Signatures: Found many strings related to Crypto-Wallets (likely being stolen)
      Started: VP2pdCInvS.exe; Z73fDV6g4L.exe
      VP2pdCInvS.exe
        DNS/IP: 185.172.128.33:8970 from local port 49710 (NADYMSS-ASRU, Russian Federation)
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 4 other signatures
      Z73fDV6g4L.exe
        Signatures: Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Started: conhost.exe

  hello.exe
    Signatures: 3 other signatures
    Started: aspnet_regiis.exe; conhost.exe
    aspnet_regiis.exe
      DNS/IP: 85.28.47.70:80 from local port 58981 (GES-ASRU, Russian Federation)
      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures

  ZharkBOT.exe
    Signatures: Creates an undocumented autostart registry key; 3 other signatures
    Started: 2 other processes
    2 other processes
      Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Started: conhost.exe

  4 other processes
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures
    Started: Hkbsse.exe

espartu.exe
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: FRaqbC8wSA1XvpFVjCRGryWt.exe; schtasks.exe (which starts conhost.exe); RegSvcs.exe
  FRaqbC8wSA1XvpFVjCRGryWt.exe
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 2 other signatures
    Started: svchost.exe; schtasks.exe (which starts conhost.exe)
    svchost.exe
      DNS/IP: 142.54.235.9 (ZEROLAGUS, United States); 199.102.104.70 (ZEROLAGUS, United States); 93 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit); Creates multiple autostart registry keys; Hides threads from debuggers; 4 other signatures
      Started: schtasks.exe (which starts conhost.exe)

8 other processes
  DNS/IP: 127.0.0.1 (unknown)
  Started: WerFault.exe
Threat name:
Win32.Spyware.Redline
Status:
Malicious
First seen:
2024-07-12 02:52:32 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
2/5
Verdict:
malicious
Result
Malware family:
redline
Score:
10/10
Tags:
family:amadey family:redline botnet:@logscloudyt_bot botnet:e76b71 discovery evasion infostealer spyware stealer trojan
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
RedLine
RedLine payload
Malware Config
C2 Extraction:
http://77.91.77.81
185.172.128.33:8970
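The two C2 entries above, the download URL in the comment at the bottom of this page, and the destination IPs in the behaviour graph are the network indicators an operator would take from this entry. The following is an added example (my code, not MalwareBazaar's or any sandbox vendor's) that turns them into a small tiered lookup and runs it over connection-log lines. The tiers, the IOC_TABLE, the log layout matched by LINE_RE and the SAMPLE_LOG lines are all my construction; the hosts and ports themselves are copied from this page. Note the refang helper: the uploader's comment is defanged (hxxp), so a URL has to be normalised before its host can be compared.

```python
"""Added example: match this entry's network indicators against connection
logs. Not MalwareBazaar or sandbox code; the log format and sample lines
below are constructed for the demonstration."""
import re
from urllib.parse import urlsplit

HIGH, MEDIUM, CONTEXT = "high", "medium", "context"

# host -> (expected destination ports, or None for any port; confidence tier)
# HIGH:    from the extracted malware config and the uploader's download URL
# MEDIUM:  contacted by dropped components in the sandbox behaviour graph
# CONTEXT: public services (proxy lists, file hosting) used by the chain;
#          useful for correlation but far too noisy to block on
IOC_TABLE = {
    "185.172.128.33": ({8970}, HIGH),
    "77.91.77.81": ({80}, HIGH),
    "43.153.49.49": ({8888}, MEDIUM),
    "77.232.41.110": ({80}, MEDIUM),
    "85.28.47.70": ({80}, MEDIUM),
    "142.54.235.9": (None, MEDIUM),
    "199.102.104.70": (None, MEDIUM),
    "api.proxyscrape.com": (None, CONTEXT),
    "tmpfiles.org": (None, CONTEXT),
}


def refang(ioc: str) -> str:
    """Undo the usual defanging (hxxp, [.], [:]) so URLs parse normally."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def url_host_port(url: str) -> tuple:
    """Host and effective port of a (possibly defanged) URL."""
    u = urlsplit(refang(url))
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


# Constructed log layout: "<ts> <src>:<sport> -> <dst>:<dport> <proto> [detail]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+?):(?P<dport>\d+)\s+(?P<proto>\w+)(?:\s+(?P<detail>.*))?$"
)


def match_line(line: str):
    """Return a hit dict if the destination is in IOC_TABLE, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    if dst not in IOC_TABLE:
        return None
    ports, tier = IOC_TABLE[dst]
    return {
        "ts": m["ts"], "src": m["src"], "dst": dst, "dport": dport, "tier": tier,
        # A known host on an unexpected port is still worth a look; just flag it.
        "port_match": ports is None or dport in ports,
        "detail": m["detail"] or "",
    }


def scan(lines) -> list:
    return [hit for hit in map(match_line, lines) if hit]


# Constructed sample log (not real traffic); 10.0.0.0/8 is private and
# 198.51.100.0/24 is a documentation range, so neither resolves to a real host.
SAMPLE_LOG = """
2024-07-13T05:10:01Z 10.0.0.5:49710 -> 185.172.128.33:8970 tcp
2024-07-13T05:10:02Z 10.0.0.5:49711 -> 77.91.77.81:80 http GET /soka/random.exe
2024-07-13T05:10:03Z 10.0.0.5:49712 -> tmpfiles.org:443 https
2024-07-13T05:10:04Z 10.0.0.7:50001 -> 198.51.100.10:443 https
2024-07-13T05:10:05Z 10.0.0.5:49713 -> 142.54.235.9:4444 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["tier"].upper(), hit["ts"], hit["src"], "->", hit["dst"], hit["dport"], hit["detail"])
```

The ports in the MEDIUM tier come from the sandbox run and can change between builds, which is why the match records port_match separately instead of dropping a known host that shows up on a different port.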
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
73b1b292bf6a036e3a8c3e96cb70b35bdda6edaab4448eba6673f851ebf16162
MD5 hash:
50d53cb5e49a2a47c1df1212ffa829bd
SHA1 hash:
fd547a6b660e9fc407f2e46cc29af118a154aa22
Detections:
win_amadey
SHA256 hash:
170004b7b6bab6c3c860a6402f9d3d8988e4f3de7682e28738c3c27ac33b0e1c
MD5 hash:
b85fa0d79d936b8b006c535d006c7f29
SHA1 hash:
210085d4f3cf1cf08c34baa5bfba0b0fc5a6c639
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 170004b7b6bab6c3c860a6402f9d3d8988e4f3de7682e28738c3c27ac33b0e1c

(this sample)

  
Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
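All three findings above come straight from the PE headers: Authenticode is present only if the security data directory (index 4) is populated, and NX_COMPAT and HIGH_ENTROPY_VA are bits in the optional header's DllCharacteristics field. The following is an added example (my code, not BLint's) that reads those fields with only the standard library and maps them onto the same IDs and severities BLint reports; build_min_pe constructs a header-only image so the check can be demonstrated without a real sample. One caveat worth keeping in mind when reading the table: HIGH_ENTROPY_VA only has meaning for 64-bit (PE32+) images, and this sample is tagged 32-bit, so that finding is expected for any 32-bit binary, whereas a missing NX_COMPAT and a missing signature are meaningful on their own.

```python
"""Added example: check the three BLint findings above (Authenticode,
HIGH_ENTROPY_VA, NX) directly from a PE's headers with only the stdlib.
Not BLint's own code; offsets follow the PE/COFF specification."""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
DLLCHAR_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR opt-in (PE32+ only)
DLLCHAR_DYNAMIC_BASE = 0x0040      # ASLR
DLLCHAR_NX_COMPAT = 0x0100         # DEP / non-executable memory
DIR_SECURITY = 4                   # data directory index of the Authenticode blob


def pe_security_checks(data: bytes) -> dict:
    """Parse just enough of the headers to answer the three checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    sec_off, sec_size = 0, 0
    if ndirs > DIR_SECURITY:
        # The security directory holds a file offset (not an RVA) and a size.
        sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * DIR_SECURITY)
    return {
        "pe32plus": magic == 0x20B,
        "nx_compat": bool(dllchar & DLLCHAR_NX_COMPAT),
        "high_entropy_va": bool(dllchar & DLLCHAR_HIGH_ENTROPY_VA),
        "authenticode": sec_off != 0 and sec_size != 0,
    }


def blint_style_findings(data: bytes) -> list:
    """Map the checks onto the IDs/severities BLint reports on this page."""
    r = pe_security_checks(data)
    findings = []
    if not r["authenticode"]:
        findings.append(("CHECK_AUTHENTICODE", "high"))
    if not r["high_entropy_va"]:
        findings.append(("CHECK_DLL_CHARACTERISTICS", "high"))
    if not r["nx_compat"]:
        findings.append(("CHECK_NX", "critical"))
    return findings


def build_min_pe(dllchar: int, pe32plus: bool = False, signed: bool = False) -> bytes:
    """Constructed header-only image for testing; not a loadable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt_size = 0xF0 if pe32plus else 0xE0                            # 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)
    if signed:   # pretend a WIN_CERTIFICATE blob lives at file offset 0x1000
        struct.pack_into("<II", opt, ndirs_off + 4 + 8 * DIR_SECURITY, 0x1000, 0x200)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_min_pe(0)
    for fid, sev in blint_style_findings(target):
        print(fid, sev)
```

A populated security directory only tells you a signature blob is attached; whether it verifies, and who signed it, needs a real Authenticode check (signtool or osslsigncode), and on a stealer the interesting case is usually a valid signature from a stolen or throwaway certificate rather than no signature at all.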

Comments



zbet commented on 2024-07-13 05:04:44 UTC

url: hxxp://77.91.77.81/soka/random.exe