MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 229e859dda6cc0bc99a395824f4524693bdd0292b4b9c55d06b4fa38279b3ea2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 16

SHA256 hash: 229e859dda6cc0bc99a395824f4524693bdd0292b4b9c55d06b4fa38279b3ea2
SHA3-384 hash: 6fde48be1a3eb710be344e6a2499b1c69a34634b951a2e529e6b145def5d26a3d1cc65f118ce718fab064897cf41992e
SHA1 hash: 14031a40973ef9851a9e6dd2d1843b00247c32f0
MD5 hash: 8e05c72da260ffa2255ca5b309377959
humanhash: jupiter-jig-twenty-friend
File name: file
Signature: RedLineStealer
File size: 1'870'848 bytes
First seen: 2023-11-03 22:04:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 24576:dyHo8DR+yHRO8U4EkyicLd4nkszZZz169AHg4XHXQn9rpWwRGNRXhSYOID:4X4yxO8U4UicLC1ZZy4XgnlpxYN
TLSH: T191853323EBF49427C876177021F207A31A393CA49874916F7F96EC8A19B1781B674B37
TrID: 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: andretavare5
Tags: exe RedLineStealer


Comment by andretavare5:
Sample downloaded from http://185.46.46.146/none/vah50.exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 340
Origin country: US

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching a service
Creating synchronization primitives
Creating a file
Creating a window
Launching cmd.exe command interpreter
Searching for synchronization primitives
Running batch commands
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: advpack anti-vm CAB control explorer greyware installer lolbin packed rundll32 setupapi sfx shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Mystic Stealer, RedLine, SmokeLo
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: [interactive graph omitted] Behavior Graph ID 1336931, sample file.exe, start date 03/11/2023, architecture WINDOWS, score 100.
Result
Threat name: Win32.Trojan.Whispergate
Status: Malicious
First seen: 2023-11-03 22:05:06 UTC
File Type: PE (Exe)
Extracted files: 224
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: smokeloader
Score: 10/10
Tags: family:amadey family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:kedru botnet:pixelnew2.0 botnet:plost botnet:up3 backdoor dropper evasion infostealer loader persistence rat trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Amadey
DcRat
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
194.49.94.11:80
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by