MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc
SHA3-384 hash: 8136f49abfc7821aac784a98727bdaeff49b3fccee02e6ff1a6d211c58115422a365e01ef2b41cae5e9c5513074af782
SHA1 hash: a823a688c53789ad26e0ef7f77fd67b90d9b5035
MD5 hash: b78f4ee8c6a5c7a0c882bab8cc230246
humanhash: comet-rugby-uranus-washington
File name:b78f4ee8c6a5c7a0c882bab8cc230246.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'531'904 bytes
First seen:2023-10-31 07:26:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:Cyj/APcoljZfq3BMnSQgPXaeobm2YJSSuqG92VgiNKTOB4JC/RQYgQTJO0+kV3:pj/APcK03BioXaeEmnGYGOB4qVTJO0++
Threatray 2'446 similar samples on MalwareBazaar
TLSH T184652313B7E44433CCF50B7055FB0283577ABCE26824C74B3746A96E0CA2685BAB5B76
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457302/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin mokes packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6540ac48b95974e82228e7ee/reports/a18a93b3-fbf1-40b5-bd16-42e5be71578b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dae3220a-e78a-4b81-b0af-77362db4afcd
Result
Threat name:
Amadey, Babadeda, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1334728
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1334728 Sample: nKdPFPuJoq.exe Startdate: 31/10/2023 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 15 other signatures 2->86 11 nKdPFPuJoq.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 rundll32.exe 2->18         started        process3 file4 64 C:\Users\user\AppData\Local\...\rg7yA6zI.exe, PE32 11->64 dropped 66 C:\Users\user\AppData\Local\...\6cx21df.exe, PE32 11->66 dropped 20 rg7yA6zI.exe 1 4 11->20         started        process5 file6 56 C:\Users\user\AppData\Local\...\vm4eC4pd.exe, PE32 20->56 dropped 58 C:\Users\user\AppData\Local\...\5yB06VE.exe, PE32 20->58 dropped 96 Antivirus detection for dropped file 20->96 98 Multi AV Scanner detection for dropped file 20->98 100 Machine Learning detection for dropped file 20->100 24 vm4eC4pd.exe 1 4 20->24         started        signatures7 process8 file9 60 C:\Users\user\AppData\Local\...\tN5PL4Va.exe, PE32 24->60 dropped 62 C:\Users\user\AppData\Local\...\4Fc876jH.exe, PE32 24->62 dropped 102 Antivirus detection for dropped file 24->102 104 Multi AV Scanner detection for dropped file 24->104 106 Machine Learning detection for dropped file 24->106 28 tN5PL4Va.exe 1 4 24->28         started        32 4Fc876jH.exe 24->32         started        signatures10 process11 file12 68 C:\Users\user\AppData\Local\...\MY4ls4Sy.exe, PE32 28->68 dropped 70 C:\Users\user\AppData\Local\...\3lf9Vw64.exe, PE32 28->70 dropped 124 Antivirus detection for dropped file 28->124 126 Multi AV Scanner detection for dropped file 28->126 128 Machine Learning detection for dropped file 28->128 34 MY4ls4Sy.exe 1 4 28->34         started        38 3lf9Vw64.exe 12 28->38         started        130 Writes to foreign memory regions 32->130 132 Allocates memory in foreign processes 32->132 134 Injects a PE file into a foreign processes 32->134 40 AppLaunch.exe 32->40         started        signatures13 process14 file15 52 C:\Users\user\AppData\Local\...\2Qn384tA.exe, PE32 34->52 dropped 54 C:\Users\user\AppData\Local\...\1Jx49eJ3.exe, PE32 34->54 dropped 88 Antivirus detection for dropped file 34->88 90 Multi AV Scanner detection for dropped file 34->90 92 Machine Learning detection for dropped file 34->92 42 1Jx49eJ3.exe 34->42         started        45 2Qn384tA.exe 4 34->45         started        94 Tries to harvest and steal browser information (history, passwords, etc) 40->94 signatures16 process17 dnsIp18 108 Multi AV Scanner detection for dropped file 42->108 110 Contains functionality to inject code into remote processes 42->110 112 Writes to foreign memory regions 42->112 122 2 other signatures 42->122 48 AppLaunch.exe 12 42->48         started        74 77.91.124.86, 19084, 49710, 49715 ECOTEL-ASRU Russian Federation 45->74 114 Antivirus detection for dropped file 45->114 116 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->116 118 Machine Learning detection for dropped file 45->118 120 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 45->120 signatures19 process20 dnsIp21 72 193.233.255.73, 49709, 49714, 80 FREE-NET-ASFREEnetEU Russian Federation 48->72 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->76 78 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 48->78 signatures22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-31 04:13:26 UTC
File Type:
PE (Exe)
Extracted files:
193
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dhnflz43kh3wpyoxhtiaz7popbweeqqkyrbgyza2tw63ff4ryo6a._file
Verdict:
malicious
Similar samples:
2c0fb18b2e43ccfc041607fa3b09d9ed8d8e230be6bad2f3603bd0750c1c5fa6
RedLineStealer
500e43e6a7019a08e4fec2c08e23ea8e430577d9f1b72f2faad77f9f54132827
RedLineStealer
88b3a11a5d9fb5684a89fdd5608cee1751ef49c9a1ed19bb03bf950b2c9a8fd1
RedLineStealer
8a794ce2b6a72d61679233eb991a3e0be11adf6553e09706fc4f3b6a4b071b49
RedLineStealer
bc417d0bfee132ac3aa7372021b29f32889d3610030f3b21135205bb46745762
RedLineStealer
bc70fd921cb99f3cd89f9485b33d7e585c1232dd6f1da0a78fd8846966e17cbf
RedLineStealer
cfcf431cedf47ac61fb34db7b9c08811337cb85c856806d4ac917e1a550d625a
RedLineStealer
dcb1e2d3d9568e8da59d7abfc683970b31773b50be050cb0a1c8f028f9077704
RedLineStealer
e7582d33bd902544d4d50cb40d3dab5dd211f69ca084078cfbc06a2237a6081e
RedLineStealer
eaf310d061f769ac1300067d99222f67426ea014a1f0841288504af934a318b9
RedLineStealer
+ 2'436 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kinza infostealer persistence
Link:
https://tria.ge/reports/231031-h931mshc4w/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.86:19084
Unpacked files
SH256 hash:
aa5528539dfa090b64440fc5bc2ec26241767d5b46bf0cb9885e1298a28c09a9
MD5 hash:
2508e0abe50484987519304fac6258ef
SHA1 hash:
02a1f859b322a1abf02e2d30bf5492be3e19ec4c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3a72cd4f-7bbd-45f8-80a4-1a355315a09a/
Parent samples :
9777098d0d0de061051d401fb5fcc58121542cff64dc7b5afd3d9a23d6e912a2
f5b56456c023f9abab5df3b60b4790a5541ddf8453769b6835ca43956770d423
19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc
SH256 hash:
b3c116a521b18d9aa87db5bb6d9d6805ccd976448f9295387f87b5842bc67a07
MD5 hash:
f07197e128b5a3929884f97c166be3b6
SHA1 hash:
d83ab51a72d374dfc2f25e038fd4b4d8b70bf3de
Link:
https://www.unpac.me/results/3a72cd4f-7bbd-45f8-80a4-1a355315a09a/
SH256 hash:
29bce3356b774f2f3ee3455f9d06a3ca14b89e8c49b60bef07e4719418369b0f
MD5 hash:
ff888d58fb91e2f525b19cf7544a9b16
SHA1 hash:
31bb20f8850452e864d9892d57fd31ea5fb6e038
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/3a72cd4f-7bbd-45f8-80a4-1a355315a09a/
Parent samples :
19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc
f12ecffd21520fbc12c7537d269532299b2ba86bc9249117c84ff1bc25fe05c3
SH256 hash:
be63a52ad4cb4ccf553e68a432a68699a981683335f2293fd4f043027ac47dbf
MD5 hash:
2e8f17280cd23b5458c1bfeb458f85ab
SHA1 hash:
8af16edfb4123ed103ec2db59d9339b81add54b3
Link:
https://www.unpac.me/results/3a72cd4f-7bbd-45f8-80a4-1a355315a09a/
SH256 hash:
25345f92314b53f153c483c9f8af6babed4e0559b7d8777d68160de573f06cde
MD5 hash:
d95d713ffe8c7c7c3c41785508e1940a
SHA1 hash:
d1fc92e4ec3f8bfb6863e599c2d398a4b8ce4368
Link:
https://www.unpac.me/results/3a72cd4f-7bbd-45f8-80a4-1a355315a09a/
SH256 hash:
19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc
MD5 hash:
b78f4ee8c6a5c7a0c882bab8cc230246
SHA1 hash:
a823a688c53789ad26e0ef7f77fd67b90d9b5035
Link:
https://www.unpac.me/results/3a72cd4f-7bbd-45f8-80a4-1a355315a09a/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2725299/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/457302/

Comments