MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: 1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457
SHA3-384 hash: e992e8bc29a2874008b1d95ce790241823f9edeb41c3ad02e21a6d35e6105b5f71953510be628e7cacc9fd8c1d4f0134
SHA1 hash: 1fbadfa528a85e0d7a8593f979f13d7a56864cb1
MD5 hash: 52ea327b3dc0374d00cda6d01563687e
humanhash: bulldog-music-glucose-pip
File name:52ea327b3dc0374d00cda6d01563687e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:112'000 bytes
First seen:2022-01-14 16:28:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (28'880 x AgentTesla, 8'705 x Formbook, 4'202 x Loki)
ssdeep 1536:SUVr05Rh4BpHD9MLMK+IMYy878I4L5PbYpfbDeRPQvsSB00XuGFSG:SUVAfeHDm4K+kp7WDcCf0pueSG
Threatray 2'941 similar samples on MalwareBazaar
TLSH T1AFB32B6437C88A04D6BE4F75B8F0519943F0F5536601EB5F6EC650FD0EB2B81AA21AF2
Reporter @abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:AMCERT,LLC
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-11-30T00:00:00Z
Valid to:2022-11-30T23:59:59Z
Serial number: 5ef27fc51ee80b30430947c9967db440
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: c2dcc4a1ea16e45f86828e81eda20f83e70cbf77e152ddd80b1b4a730ef77551
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Twitter
@abuse_ch
RedLineStealer C2:
45.150.67.126:12829

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52ea327b3dc0374d00cda6d01563687e.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 16:33:04 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/1d24fc06-d36d-4fe4-b3e7-8e71ffdb49ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219362/
Detection(s):
Win.Packed.Generickdz-9879553-0
Create hunting rule

Win.Packed.Bulz-9892763-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Delayed reading of the file
Stealing user critical data
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool obfuscated overlay packed redline replace.exe stealer
Link:
https://www.filescan.io/uploads/61e1a49df2e8ec86fefd932d/reports/1986335e-5a10-432f-81f0-5f07ff22ad13/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e9fc399-2f63-4752-bba9-6c9b4e9632ad
Result
Threat name:
Amadey RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920858
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553336 Sample: y186EWErK6.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Antivirus detection for URL or domain 2->57 59 9 other signatures 2->59 9 y186EWErK6.exe 15 7 2->9         started        14 mjlooy.exe 2->14         started        16 mjlooy.exe 2->16         started        18 mjlooy.exe 2->18         started        process3 dnsIp4 49 45.150.67.126, 12829, 49751, 49752 ASDETUKhttpwwwheficedcomGB Montenegro 9->49 45 C:\Users\user\AppData\Local\Temp\Chrome.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\...\y186EWErK6.exe.log, ASCII 9->47 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->67 69 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->69 71 Tries to harvest and steal browser information (history, passwords, etc) 9->71 73 2 other signatures 9->73 20 Chrome.exe 3 9->20         started        24 cmd.exe 1 9->24         started        file5 signatures6 process7 file8 43 C:\Users\user\AppData\Local\...\mjlooy.exe, PE32 20->43 dropped 63 Multi AV Scanner detection for dropped file 20->63 65 Machine Learning detection for dropped file 20->65 26 mjlooy.exe 16 20->26         started        30 conhost.exe 24->30         started        signatures9 process10 dnsIp11 51 185.215.113.35, 49755, 49756, 49757 WHOLESALECONNECTIONSNL Portugal 26->51 75 Multi AV Scanner detection for dropped file 26->75 77 Detected unpacking (changes PE section rights) 26->77 79 Detected unpacking (overwrites its own PE header) 26->79 81 3 other signatures 26->81 32 cmd.exe 1 26->32         started        34 schtasks.exe 1 26->34         started        signatures12 process13 process14 36 reg.exe 1 32->36         started        39 conhost.exe 32->39         started        41 conhost.exe 34->41         started        signatures15 61 Creates an undocumented autostart registry key 36->61
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457/
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-01-13 19:51:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 43 (65.12%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://www.spamhaus.org/query/hash/dxt5cig6ftvqss5epg4grn7nrihrnvppsxshm4d2dtfzjntdcrlq._file
Verdict:
malicious
Similar samples:
3b4e9d9fdb7262f1f62072f7f9b7d48086fcb39b3343b21ae7bfa8f633ee2166
RedLineStealer
886b0ccaf90c375e204631606396feee470aaf07e4c2f30608f45c4d72f1fb28
RedLineStealer
aafd6e7487c5c216557edd7a6d58fd7e24a5d8f37d0081cc79949173b0822623
RedLineStealer
adf3fb72f8855baa050d1e7c5a15944abeb1ae775570aee6bfab1b2d6ac26a45
RedLineStealer
bcde8cc7afa18238ecc08833bb2b60a0cbdac2d117a31d4b3e926ddcc20f0293
RedLineStealer
f124cfb109ce44f6cddb7d673dca30ed5b26fea1f500a21fd81454f684cf78be
RedLineStealer
f96fb1160aaaa0b073ef0cdb061c85c7faf4efe018b18be19d21228c7455e489
RedLineStealer
+ 2'931 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey discovery spyware stealer trojan
Link:
https://tria.ge/reports/220114-tyqrqahbf4/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Amadey
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
SH256 hash:
1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457
MD5 hash:
52ea327b3dc0374d00cda6d01563687e
SHA1 hash:
1fbadfa528a85e0d7a8593f979f13d7a56864cb1
Link:
https://www.unpac.me/results/f30294ce-4bb2-4823-a3fd-2e783a0795ac/
AV coverage:
51.47%
AV detections:
35 / 68
Link:
https://www.virustotal.com/gui/file/1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457/detection/f-1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457-1642076883
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457

YARA Signatures

MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.150.67.126:12829 https://threatfox.abuse.ch/ioc/295276

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219362/

Comments