MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f9e8883d98f19ff0574f72c03b9f250fbb555c9d87749fc2ac7ad031b259816. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 1f9e8883d98f19ff0574f72c03b9f250fbb555c9d87749fc2ac7ad031b259816
SHA3-384 hash: af95eb4dbd8ab1899190b88da3facbecf4cc49ca89302d83bb141b8f86f9b88d8fdf611afb5bc26c1d783c96b76f4a99
SHA1 hash: 6f51566e4d2b90215f277553f92a49faad223cfd
MD5 hash: 3cff0e2e3c9fab904940bf29b87af501
humanhash: edward-potato-six-whiskey
File name: 3cff0e2e3c9fab904940bf29b87af501.exe
Signature: RedLineStealer
File size: 1'471'352 bytes
First seen: 2023-09-11 10:45:25 UTC
Last seen: 2023-09-11 11:51:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep 24576:7WUCJCsJGLA6ELqR4i79f6O5H1N6Ldec2bugQnxw0Ys7qzx2CYEKu1Hg:yUCJCi0ARGF16ib6kcswSIqwCYEr1Hg
Threatray 628 similar samples on MalwareBazaar
TLSH T1E165125178E28073D833197539944777AA3BBC608F559DFBC3690F2E0D60381AE76A2B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
162.33.179.91:80

Intelligence


File Origin
# of uploads :
2
# of downloads :
304
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3cff0e2e3c9fab904940bf29b87af501.exe
Verdict:
No threats detected
Analysis date:
2023-09-11 10:47:25 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a service
Creating a file
Forced shutdown of a system process
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Mystic Stealer, RedLine, SmokeLo
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 1307236, Sample: c1fb8gZFPs.exe, Startdate: 11/09/2023, Architecture: WINDOWS, Score: 100 (interactive graph rendering not reproduced here)
Threat name:
Win32.Trojan.Amadey
Status:
Malicious
First seen:
2023-09-11 10:46:07 UTC
File Type:
PE (Exe)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:amadey family:healer family:redline family:smokeloader botnet:tuco backdoor discovery dropper evasion infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
77.91.124.82:19071
http://77.91.68.29/fks/
http://5.42.65.80/8bmeVwqx/index.php
Unpacked files
SHA256 hash:
1f9e8883d98f19ff0574f72c03b9f250fbb555c9d87749fc2ac7ad031b259816
MD5 hash:
3cff0e2e3c9fab904940bf29b87af501
SHA1 hash:
6f51566e4d2b90215f277553f92a49faad223cfd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AppLaunch
Author: iam-py-test
Description: Detect files referencing .Net AppLaunch.exe
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: mal_healer
Author: Nikos 'n0t' Totosis
Description: Payload disabling Windows AV
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1f9e8883d98f19ff0574f72c03b9f250fbb555c9d87749fc2ac7ad031b259816

(this sample)

Delivery method
Distributed via web download

Comments