MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 1 File information Comments

SHA256 hash:	2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1
SHA3-384 hash:	bafd37cd0f6d8dcc29977def3f41466f084d9874c3f864a42e91d543dc1ff3364a8382e397ac0f6c1b08f2b06b15388f
SHA1 hash:	3e2528a891216d42011d3a51e508b29594272ddb
MD5 hash:	0c9a3e5bb47b223aa1b643788673f595
humanhash:	may-may-delaware-foxtrot
File name:	0c9a3e5bb47b223aa1b643788673f595.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'335'296 bytes
First seen:	2023-09-06 19:46:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:6yVjuh94fFGm7dlvun6IK44RxCMyyHNZbz8neYqTCDihYMuHt:BVjoSGm7Ddh8MyytZUzDuhc
Threatray	1'855 similar samples on MalwareBazaar
TLSH	T1FF55234B66E40033D9F837F19EF202870730BC750628A76B7789ADAF5CB159025767AB
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://77.91.68.52/mac/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

16'184

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

0c9a3e5bb47b223aa1b643788673f595.exe

Verdict:

Malicious activity

Analysis date:

2023-09-06 19:46:42 UTC

Tags:

stealc stealer redline amadey botnet trojan opendir loader

Link:

https://app.any.run/tasks/ce23715b-f9e9-4c11-ae24-d6d7a8b9939e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/446727/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Сreating synchronization primitives

Creating a file

Launching a process

Launching cmd.exe command interpreter

Connecting to a non-recommended domain

Sending an HTTP POST request

Adding an access-denied ACE

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Enabling autorun by creating a file

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack anti-vm CAB control explorer greyware installer lolbin packed rundll32 setupapi shell32

Link:

https://www.filescan.io/uploads/64f8d7374578d9c35e04d8fa/reports/375992b5-f773-445d-82bd-3175b50f73e9/overview

Verdict:

Malicious

Labled as:

Crifi.Generic

Link:

https://www.hybrid-analysis.com/sample/2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6afde164-293c-4a62-88d4-edf4fe839fea

Result

Threat name:

Amadey, Mystic Stealer, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1304700

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Amadey bot

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Yara detected Mystic Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1/

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2023-09-06 17:51:00 UTC

File Type:

PE (Exe)

Extracted files:

347

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=egigeo4gbvtyhzggowgak7hozoichq5ytobezlghjzvjzbhnthaq._file

Verdict:

malicious

RedLineStealer

134d00e4db5cd67b9541db642d43e890de20175bc4b55445c3007e5a02b5a238

RedLineStealer

26918e9ba064d1103201e95f3365ce9fc0106b12f5faea3c5f0bbfbc226d2850

RedLineStealer

49b2c4652c7c95e8786bc270aee1d8384c75a7164f0f3df0baae7fdab571a347

RedLineStealer

4b99a608a3e190a4198c2ef97805fe9af771df6c2e217e06b8e3f49c6daa2ef7

RedLineStealer

545b0788b07c9c9820390f0057e9830cf18a4b4ca2140b11c459509838a927bd

RedLineStealer

83890d88f756c2fa05e683e88a06062ce4dbbeefaf74c0241badb294c14b0aeb

RedLineStealer

8dd2405699cf0e2054b82da7c5c986ddbcbfd175ac18ba72a3ddab5a24b21046

RedLineStealer

f289dc187746f60222a915c4d520ef035da75b6a6fd7e569ed111aab07bd8856

RedLineStealer

f793e51ce11573edeba45c9ae5c3d7257b6c40a271bc9c4dd15173af08719020

RedLineStealer

+ 1'845 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:amadey family:redline botnet:mrak infostealer persistence trojan

Link:

https://tria.ge/reports/230906-yg1b2sbd6s/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Amadey

RedLine

Malware Config

C2 Extraction:

77.91.68.52/mac/index.php
77.91.124.82:19071

Unpacked files

SH256 hash:

81aa2e80fbceb1bafc1c88cba1286221edd837bede5f66a08fdf9f93b65b5931

MD5 hash:

4890b43792b80b0b585a198e76355db1

SHA1 hash:

fc2e70a931e6c4d4a9ab702bcca5dbe70e086130

Detections:

Amadey

Link:

https://www.unpac.me/results/425fa9a0-b7dd-4856-9539-99341ce312e0/

Parent samples :

b80293318467bc0d3c8e676ef544ef9e973eb14150740338c2ddc0f5671494ee
49b2c4652c7c95e8786bc270aee1d8384c75a7164f0f3df0baae7fdab571a347
134d00e4db5cd67b9541db642d43e890de20175bc4b55445c3007e5a02b5a238
83890d88f756c2fa05e683e88a06062ce4dbbeefaf74c0241badb294c14b0aeb
7618db26dc150c1237d7cdde1c587e2f437d1e0e7db8e1fe7b34038a1837922a
f289dc187746f60222a915c4d520ef035da75b6a6fd7e569ed111aab07bd8856
8ec4090935de015f46e08416f184677b909b2a7cf1d20dc5e5093448e52ebb63
0272c4a874a3cd4dca12efcd877a694be1ef7fb94c98d17b4eeb7950322df4b8
066f392f47768baba4e64a750d8c99ddfe8c478d60ebe05940c51e60413d55f5
c256b9e29a8afbf29ab034dc3a2f9d5471ed96c11a571a1488a4b4b239358030
7c70cd2c5fc2c2b8a6fe10f9146baec1c1ab59d1e68af2200fb8e288118117f1
ae4adf02ab9a9c7a620e862b15a58f52e1fccfed1c037c7c9391ac58772d879f
8a03c0f12e37253db733b4fab4b408da428e76befcb89e07a38be181c635badb
3f25901317aebc10c1e629d57a681af123d22c108041a7b6e32b9c73fb68ab6b
2e3f68e6d0f5ec5ff7b76b407afd11ea2c8953f3d18b0ca936ddf60485bd64e8
66af14d6592e8faff5fd3272e970e5504db7a3cab76f9ffb3166b8ec2d8f595d
629dcbb4561608db7414a066608d04fa31bd03f9cb851541a425241137089f69
fdac697e3ebc8b14068aaaa8fa611eb8bb9eb10b245ff3f964fbc4aec14e64c5
de2054cdf6e9cb7d4b919f75d6de21f5495485cb5895818290cf76a1c891e40c
f8622648a071fa266b754a80f29c31bf60e3fb3b08f5b34ff20fc701ccbe162b
8cf67c6e6e65d32b37c85ea49b31ce86586fd96db10ec6144f22196e63ad3d5b
0d761392bbee9971fa37c751abbe23eb4c321130cc9997598993808da09959cb
5338760998fa35f5921c77eed3ea5baebd1a76eef432cf287a5cf2d3bf474a5a
154c1776876efc50c5f967d8522e52b3166acb41066c1545a23d675bfaf8ad61
535f96886d7e7191f1b678a522b0aab54b8316c69048466e1358406420cbc962
dae5bfaf48654693ff2b04632bf8faf9b55245ad386d0a8a7c2bedaec3455b0d
698e2b8858d93ebe9f612edd87559cfabe61b6fbdc7fe5c56ac8ffeb83eb01ef
2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1
a93b9595d044bb82b6e57302b12a6b6b0e2e73709793e981ac013cc2dee3f478
d303e5a89bf8a298fb251b8787b820a23a1de49f9deb8e3912c45476e82d1c12
0bce887db3f2804a956bd717f24d00949e3e50bf56f599854b17e2744c4e77cf
e2e2212e0e0e8c7ef874f77ffb96b94ecaf83aef20f1fbb3570e04fdd893264a
30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c
f81da8996e34359d2d78929ffc5cf829eb102f92676960936f42bcfcf6085a8c
9363f5619c83680d343ba9202a48267bb59bfd7664e9c5572d7e47ff6b345b46
8b95af174d1873982c36cf8456debf0816e920555938603dfd4bcdc733e786c1
917df51788e12073af3eaf072b658f4d12cd2187966a110e37521681dfbf6872
db57f0ca9ed05c3ea9168edec891cf155bd6e054a004520cb27a2caf25804665

SH256 hash:

23ab8940b2d77bac7caa36a34b763a34aedf6db448b0be3d1b6ae6b4e0f0e6fb

MD5 hash:

bc23924907da63cc009457d65303d256

SHA1 hash:

8a0db3b3e77be73192d1ca7fe20e2e18939929da

Detections:

redline

Link:

https://www.unpac.me/results/425fa9a0-b7dd-4856-9539-99341ce312e0/

Parent samples :

SH256 hash:

729434e7582bea15ec03b2b2ff3b5f50effb2e1304d4f9648454a3b8ad1dc97c

MD5 hash:

cd91e02431fc5f29ff209feceb5fffec

SHA1 hash:

14f2a956476f814817045ca597a1b354ce924ce3

Link:

https://www.unpac.me/results/425fa9a0-b7dd-4856-9539-99341ce312e0/

SH256 hash:

806f3c9282e65ed0a699dc617d0c6c2654e3a0d5134685c020054e94d884ec41

MD5 hash:

0319e2efb46066c3a6f3b8ae1c814bc9

SHA1 hash:

5cad835625ca79741d2dce45456e5f8db81e0e6b

Link:

https://www.unpac.me/results/425fa9a0-b7dd-4856-9539-99341ce312e0/

SH256 hash:

2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1

MD5 hash:

0c9a3e5bb47b223aa1b643788673f595

SHA1 hash:

3e2528a891216d42011d3a51e508b29594272ddb

Link:

https://www.unpac.me/results/425fa9a0-b7dd-4856-9539-99341ce312e0/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2190623b860d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.