MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments

SHA256 hash: 1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457
SHA3-384 hash: e992e8bc29a2874008b1d95ce790241823f9edeb41c3ad02e21a6d35e6105b5f71953510be628e7cacc9fd8c1d4f0134
SHA1 hash: 1fbadfa528a85e0d7a8593f979f13d7a56864cb1
MD5 hash: 52ea327b3dc0374d00cda6d01563687e
humanhash: bulldog-music-glucose-pip
File name:52ea327b3dc0374d00cda6d01563687e.exe
Download: download sample
Signature RedLineStealer
File size:112'000 bytes
First seen:2022-01-14 16:28:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (28'880 x AgentTesla, 8'705 x Formbook, 4'202 x Loki)
ssdeep 1536:SUVr05Rh4BpHD9MLMK+IMYy878I4L5PbYpfbDeRPQvsSB00XuGFSG:SUVAfeHDm4K+kp7WDcCf0pueSG
Threatray 2'941 similar samples on MalwareBazaar
TLSH T1AFB32B6437C88A04D6BE4F75B8F0519943F0F5536601EB5F6EC650FD0EB2B81AA21AF2
Reporter @abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:AMCERT,LLC
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-11-30T00:00:00Z
Valid to:2022-11-30T23:59:59Z
Serial number: 5ef27fc51ee80b30430947c9967db440
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: c2dcc4a1ea16e45f86828e81eda20f83e70cbf77e152ddd80b1b4a730ef77551
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Twitter
@abuse_ch
RedLineStealer C2:
45.150.67.126:12829

Intelligence


File Origin
# of uploads :
1
# of downloads :
262
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52ea327b3dc0374d00cda6d01563687e.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 16:33:04 UTC
Tags:
trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
–°reating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Delayed reading of the file
Stealing user critical data
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool obfuscated overlay packed redline replace.exe stealer
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey RedLine
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553336 Sample: y186EWErK6.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Antivirus detection for URL or domain 2->57 59 9 other signatures 2->59 9 y186EWErK6.exe 15 7 2->9         started        14 mjlooy.exe 2->14         started        16 mjlooy.exe 2->16         started        18 mjlooy.exe 2->18         started        process3 dnsIp4 49 45.150.67.126, 12829, 49751, 49752 ASDETUKhttpwwwheficedcomGB Montenegro 9->49 45 C:\Users\user\AppData\Local\Temp\Chrome.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\...\y186EWErK6.exe.log, ASCII 9->47 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->67 69 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->69 71 Tries to harvest and steal browser information (history, passwords, etc) 9->71 73 2 other signatures 9->73 20 Chrome.exe 3 9->20         started        24 cmd.exe 1 9->24         started        file5 signatures6 process7 file8 43 C:\Users\user\AppData\Local\...\mjlooy.exe, PE32 20->43 dropped 63 Multi AV Scanner detection for dropped file 20->63 65 Machine Learning detection for dropped file 20->65 26 mjlooy.exe 16 20->26         started        30 conhost.exe 24->30         started        signatures9 process10 dnsIp11 51 185.215.113.35, 49755, 49756, 49757 WHOLESALECONNECTIONSNL Portugal 26->51 75 Multi AV Scanner detection for dropped file 26->75 77 Detected unpacking (changes PE section rights) 26->77 79 Detected unpacking (overwrites its own PE header) 26->79 81 3 other signatures 26->81 32 cmd.exe 1 26->32         started        34 schtasks.exe 1 26->34         started        signatures12 process13 process14 36 reg.exe 1 32->36         started        39 conhost.exe 32->39         started        41 conhost.exe 34->41         started        signatures15 61 Creates an undocumented autostart registry key 36->61
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Status:
Malicious
First seen:
2022-01-13 19:51:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 43 (65.12%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey discovery spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Amadey
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
SH256 hash:
1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457
MD5 hash:
52ea327b3dc0374d00cda6d01563687e
SHA1 hash:
1fbadfa528a85e0d7a8593f979f13d7a56864cb1

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.150.67.126:12829 https://threatfox.abuse.ch/ioc/295276

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments