MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 238f4644ee51e1b5452aa80a901eca5dbd075f57348f7eec0267d12bc9385630. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 238f4644ee51e1b5452aa80a901eca5dbd075f57348f7eec0267d12bc9385630
SHA3-384 hash: 5d561a56bf448629aa06270a9bf0a2d4433153e9e6ee27d755e2cf70630253666672ecd36c4e316368a3c12afa3f3b37
SHA1 hash: 2b84c1fcd2b24d6a2cd358758c1aa637213bf55a
MD5 hash: fefc6fbdca66c18fe56ff3cb84e97eac
humanhash: finch-steak-nine-arizona
File name:fefc6fbdca66c18fe56ff3cb84e97eac
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'288'192 bytes
First seen:2023-10-06 19:14:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:qy73heY0lCvksMhZKAritR1wgZB9ufLphU6:x7gNlC8sMhIArib11ip6
TLSH T133552356FBD4A137E8F933B488F623A70B35FCB41E54871A22449C570932B85E97932B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a service
Creating a file
Launching a process
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/65205cb8426c8727d6f178db/reports/e7428518-b8b3-45e3-a9fb-77347c7a13af/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/238f4644ee51e1b5452aa80a901eca5dbd075f57348f7eec0267d12bc9385630
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d64802cf-8e6e-4d3b-a18c-048751dc77f4
Result
Threat name:
Amadey, Babadeda, Healer AV Disabler, My
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1321216
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Healer AV Disabler
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1321216 Sample: qvYiZPgDwh.exe Startdate: 06/10/2023 Architecture: WINDOWS Score: 100 137 Snort IDS alert for network traffic 2->137 139 Found malware configuration 2->139 141 Malicious sample detected (through community Yara rule) 2->141 143 17 other signatures 2->143 13 qvYiZPgDwh.exe 1 4 2->13         started        16 rundll32.exe 2->16         started        18 rundll32.exe 2->18         started        20 2 other processes 2->20 process3 file4 121 C:\Users\user\AppData\Local\...\mH6fb77.exe, PE32 13->121 dropped 123 C:\Users\user\AppData\Local\...\6jr1ml33.exe, PE32 13->123 dropped 22 mH6fb77.exe 1 4 13->22         started        process5 file6 113 C:\Users\user\AppData\Local\...\UE7Tn57.exe, PE32 22->113 dropped 115 C:\Users\user\AppData\Local\...\5xH3LL7.exe, PE32 22->115 dropped 183 Antivirus detection for dropped file 22->183 185 Machine Learning detection for dropped file 22->185 26 UE7Tn57.exe 1 4 22->26         started        signatures7 process8 file9 117 C:\Users\user\AppData\Local\...\nD7ns77.exe, PE32 26->117 dropped 119 C:\Users\user\AppData\Local\...\4jV385Gg.exe, PE32 26->119 dropped 187 Antivirus detection for dropped file 26->187 189 Machine Learning detection for dropped file 26->189 30 nD7ns77.exe 1 4 26->30         started        34 4jV385Gg.exe 26->34         started        signatures10 process11 file12 125 C:\Users\user\AppData\Local\...\hG4KT29.exe, PE32 30->125 dropped 127 C:\Users\user\AppData\Local\...\3Wo8102.exe, PE32 30->127 dropped 209 Antivirus detection for dropped file 30->209 211 Machine Learning detection for dropped file 30->211 36 hG4KT29.exe 1 4 30->36         started        40 3Wo8102.exe 1 30->40         started        129 C:\Users\user\AppData\Local\...\explothe.exe, PE32 34->129 dropped 213 Multi AV Scanner detection for dropped file 34->213 42 explothe.exe 34->42         started        signatures13 process14 dnsIp15 105 C:\Users\user\AppData\Local\...\2Ee77RN.exe, PE32 36->105 dropped 107 C:\Users\user\AppData\Local\...\1lu22Ri3.exe, PE32 36->107 dropped 167 Antivirus detection for dropped file 36->167 169 Machine Learning detection for dropped file 36->169 45 2Ee77RN.exe 1 36->45         started        48 1lu22Ri3.exe 9 36->48         started        171 Writes to foreign memory regions 40->171 173 Allocates memory in foreign processes 40->173 175 Injects a PE file into a foreign processes 40->175 50 AppLaunch.exe 40->50         started        53 conhost.exe 40->53         started        55 AppLaunch.exe 40->55         started        57 WerFault.exe 40->57         started        135 77.91.124.1, 49717, 49718, 49719 ECOTEL-ASRU Russian Federation 42->135 109 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 42->109 dropped 111 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 42->111 dropped 177 Multi AV Scanner detection for dropped file 42->177 179 Creates an undocumented autostart registry key 42->179 181 Uses schtasks.exe or at.exe to add and modify task schedules 42->181 59 rundll32.exe 42->59         started        61 cmd.exe 42->61         started        63 schtasks.exe 42->63         started        file16 signatures17 process18 dnsIp19 191 Machine Learning detection for dropped file 45->191 193 Contains functionality to inject code into remote processes 45->193 195 Writes to foreign memory regions 45->195 205 2 other signatures 45->205 65 AppLaunch.exe 22 45->65         started        70 WerFault.exe 22 16 45->70         started        72 conhost.exe 45->72         started        197 Antivirus detection for dropped file 48->197 199 Multi AV Scanner detection for dropped file 48->199 201 Found many strings related to Crypto-Wallets (likely being stolen) 48->201 207 3 other signatures 48->207 133 77.91.124.55, 19071, 49716, 49736 ECOTEL-ASRU Russian Federation 50->133 203 Contains functionality to modify clipboard data 59->203 74 conhost.exe 61->74         started        76 cmd.exe 61->76         started        78 cacls.exe 61->78         started        82 4 other processes 61->82 80 conhost.exe 63->80         started        signatures20 process21 dnsIp22 131 5.42.92.211, 49712, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 65->131 99 C:\Users\user\AppData\...\Hv61ZQyFbtM4gfQ.exe, PE32 65->99 dropped 101 C:\Users\user\AppData\...\Aimiga954hyD910.exe, PE32 65->101 dropped 103 C:\Users\user\...\0S07j0sVG2NPTXiz.dll, PE32 65->103 dropped 145 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 65->145 147 Found many strings related to Crypto-Wallets (likely being stolen) 65->147 149 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 65->149 151 3 other signatures 65->151 84 Aimiga954hyD910.exe 65->84         started        87 Hv61ZQyFbtM4gfQ.exe 65->87         started        89 cmd.exe 65->89         started        91 cmd.exe 65->91         started        file23 signatures24 process25 signatures26 153 Multi AV Scanner detection for dropped file 84->153 155 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 84->155 157 Machine Learning detection for dropped file 84->157 165 2 other signatures 84->165 159 Writes to foreign memory regions 87->159 161 Allocates memory in foreign processes 87->161 163 Injects a PE file into a foreign processes 87->163 93 conhost.exe 87->93         started        95 conhost.exe 89->95         started        97 conhost.exe 91->97         started        process27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/238f4644ee51e1b5452aa80a901eca5dbd075f57348f7eec0267d12bc9385630/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-10-06 19:15:07 UTC
File Type:
PE (Exe)
Extracted files:
191
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eohumrhokhq3krjkvafjahwklw6qox2xgshx53acm7isxsjykyya._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:mystic family:redline botnet:frant evasion infostealer persistence stealer trojan
Link:
https://tria.ge/reports/231006-xx766afd6x/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Amadey
Detect Mystic stealer payload
Modifies Windows Defender Real-time Protection settings
Mystic
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
http://77.91.124.1/theme/index.php
http://77.91.68.78/help/index.php
Unpacked files
SH256 hash:
4e0e4660d283270ae7abac2520b0bbd19324ff879c079ddb771c072bc7bbf60e
MD5 hash:
9550b6022fcadfa9c2b6ed54f716b5eb
SHA1 hash:
0f2056f10af352f7c96cd0be0ab10538688512c2
Link:
https://www.unpac.me/results/56d110ef-5af1-4c29-ba01-4e986cad7228/
SH256 hash:
bab2520411d2c3fe556e10402867e719d7e944e8c522d8ac152d292d3201be04
MD5 hash:
1a784df9022ccbed8f8dfdf147f144ed
SHA1 hash:
8a0f266bfdd3ebc3d04341befab97f4d2f5d7da4
Link:
https://www.unpac.me/results/56d110ef-5af1-4c29-ba01-4e986cad7228/
SH256 hash:
431be214153fd5ffd4ff4fe2826276c8feb1459837eda7462a171c824bd63d31
MD5 hash:
94a8f3962afb223c692c8c8757e2b14d
SHA1 hash:
3d5a3f9bcd56b73a96a70cdfb9def93b54643c1e
Link:
https://www.unpac.me/results/56d110ef-5af1-4c29-ba01-4e986cad7228/
SH256 hash:
78b24bb7320f7f4366527d68279d8d4dddbf48b5406e2ef11d5b6c1db840717f
MD5 hash:
fc35c988d8f80633616d67ffe1a56a85
SHA1 hash:
55e49e2064035d839681d9185671449c3569b882
Link:
https://www.unpac.me/results/56d110ef-5af1-4c29-ba01-4e986cad7228/
SH256 hash:
209dfc383d8dbc96d80c62c59130d8e00c07837111ddfdfc2d3554e9fac782b9
MD5 hash:
6d481e5146200d2509cb9c5af956adbd
SHA1 hash:
3ae9caab6a5c0629aa541613940aec140456b62a
Link:
https://www.unpac.me/results/56d110ef-5af1-4c29-ba01-4e986cad7228/
SH256 hash:
2b90091395cce1afb307821a0f87e134c31eaddedae4083dbcafcaa15d600d5f
MD5 hash:
2d8f2cd476f5097567b86a86d3ab8381
SHA1 hash:
31f9673c0917f05a812e3e3fb84bfbf611b0c8dd
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/56d110ef-5af1-4c29-ba01-4e986cad7228/
Parent samples :
238f4644ee51e1b5452aa80a901eca5dbd075f57348f7eec0267d12bc9385630
70c585099f0c4cc551566cc0422a10fbbf1231ba561790e365ef8487ebfa13e6
729daa3232aa59c480e56c199bc33e059e22d33e96ad036f14c1ea036ee4b799
96a6e6f7fe394ab529a28ede2480044331c52f2a18d3ee9290cf23397ba1c210
2f2084dcd8e2ad68cd7c32428d5f30410c3a7853ab63eb9b3c7a05677d545cd0
SH256 hash:
63bfd9fe4573665a669578daea0689ce3fad12e6c013de2c875d5d95195e0cb4
MD5 hash:
3b0b65c23a232c8175f3ddfb2e6e39f3
SHA1 hash:
973caed206a6cbfe6fbe6579d283580370031cd3
Link:
https://www.unpac.me/results/56d110ef-5af1-4c29-ba01-4e986cad7228/
SH256 hash:
238f4644ee51e1b5452aa80a901eca5dbd075f57348f7eec0267d12bc9385630
MD5 hash:
fefc6fbdca66c18fe56ff3cb84e97eac
SHA1 hash:
2b84c1fcd2b24d6a2cd358758c1aa637213bf55a
Link:
https://www.unpac.me/results/56d110ef-5af1-4c29-ba01-4e986cad7228/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/238f4644ee51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/238f4644ee51e1b5452aa80a901eca5dbd075f57348f7eec0267d12bc9385630

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 238f4644ee51e1b5452aa80a901eca5dbd075f57348f7eec0267d12bc9385630

(this sample)

  
Delivery method
Distributed via web download

Comments


Avatar
zbet commented on 2023-10-06 19:14:11 UTC

url : hxxp://77.91.68.78/file/lega.exe