MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24d1db071682d7d2ff58958f5c177d716b172ff1f19c42cf95f4c28744f2f4bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24d1db071682d7d2ff58958f5c177d716b172ff1f19c42cf95f4c28744f2f4bb
SHA3-384 hash: 599a64d6abb7d83530f731809a680f1d12bb000f4aa985227dfa3cdaddd363eb32e13d8647fa2ed9a11b80d516d20a55
SHA1 hash: 148cf2b38d90a0710b187b47fefe7f6918fd9e4e
MD5 hash: b2d73546341a9fd03730f097240800f2
humanhash: red-wyoming-fanta-texas
File name:b2d73546341a9fd03730f097240800f2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:244'224 bytes
First seen:2023-09-10 15:20:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep 6144:/ytRVgUwtKqCVkYdkEktqoigAOqlCORNJBrBi:/ewtHCOPfYvJBrBi
Threatray 22 similar samples on MalwareBazaar
TLSH T1D2349D11B4D18432D872153609F0EBF65A3EB960CB625EEFA7E40F7E4F302C1A671A56
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
162.33.179.91:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b2d73546341a9fd03730f097240800f2.exe
Verdict:
No threats detected
Analysis date:
2023-09-10 15:21:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1b0c0b0b-77e2-4a76-ab33-44c62a5f82ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447743/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.18801.27959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/24d1db071682d7d2ff58958f5c177d716b172ff1f19c42cf95f4c28744f2f4bb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/31e7bdfd-cc1d-4980-85fe-f4e560a7fd6b
Result
Threat name:
Amadey, Mystic Stealer, RedLine, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306887
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306887 Sample: aD5N9QIXM7.exe Startdate: 10/09/2023 Architecture: WINDOWS Score: 100 143 Snort IDS alert for network traffic 2->143 145 Found malware configuration 2->145 147 Malicious sample detected (through community Yara rule) 2->147 149 12 other signatures 2->149 12 aD5N9QIXM7.exe 1 2->12         started        15 feeduvs 2->15         started        17 oneetx.exe 2->17         started        process3 signatures4 193 Contains functionality to inject code into remote processes 12->193 195 Writes to foreign memory regions 12->195 197 Allocates memory in foreign processes 12->197 199 Injects a PE file into a foreign processes 12->199 19 AppLaunch.exe 12->19         started        22 WerFault.exe 23 9 12->22         started        24 conhost.exe 12->24         started        26 AppLaunch.exe 12->26         started        process5 signatures6 181 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->181 183 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->183 185 Maps a DLL or memory area into another process 19->185 187 2 other signatures 19->187 28 explorer.exe 1 19 19->28 injected process7 dnsIp8 137 79.137.192.18, 49730, 80 PSKSET-ASRU Russian Federation 28->137 139 77.91.68.29, 49714, 49718, 49721 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 28->139 141 2 other IPs or domains 28->141 115 C:\Users\user\AppData\Roaming\feeduvs, PE32 28->115 dropped 117 C:\Users\user\AppData\Local\Temp\CE58.exe, PE32 28->117 dropped 119 C:\Users\user\AppData\Local\Temp\B361.exe, PE32+ 28->119 dropped 121 4 other malicious files 28->121 dropped 219 System process connects to network (likely due to code injection or exploit) 28->219 221 Benign windows process drops PE files 28->221 223 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->223 33 4EFA.exe 4 28->33         started        37 CE58.exe 28->37         started        39 282F.exe 28->39         started        41 3 other processes 28->41 file9 signatures10 process11 dnsIp12 89 C:\Users\user\AppData\Local\...\x9854880.exe, PE32 33->89 dropped 91 C:\Users\user\AppData\Local\...\k2854949.exe, PE32 33->91 dropped 151 Antivirus detection for dropped file 33->151 153 Machine Learning detection for dropped file 33->153 44 x9854880.exe 4 33->44         started        93 C:\Users\user\AppData\Local\...\y7082179.exe, PE32 37->93 dropped 95 C:\Users\user\AppData\Local\...\p5572459.exe, PE32 37->95 dropped 48 y7082179.exe 37->48         started        97 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 39->97 dropped 155 Multi AV Scanner detection for dropped file 39->155 50 oneetx.exe 39->50         started        131 162.33.179.91, 49735, 80 CORENETUS United States 41->131 133 192.168.2.1 unknown unknown 41->133 135 api.ip.sb 41->135 157 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->157 159 Found many strings related to Crypto-Wallets (likely being stolen) 41->159 161 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 41->161 163 7 other signatures 41->163 53 vbc.exe 41->53         started        file13 signatures14 process15 dnsIp16 107 C:\Users\user\AppData\Local\...\x4418309.exe, PE32 44->107 dropped 109 C:\Users\user\AppData\Local\...\j4474817.exe, PE32 44->109 dropped 201 Antivirus detection for dropped file 44->201 203 Machine Learning detection for dropped file 44->203 55 x4418309.exe 4 44->55         started        111 C:\Users\user\AppData\Local\...\y7996034.exe, PE32 48->111 dropped 113 C:\Users\user\AppData\Local\...\o2167904.exe, PE32 48->113 dropped 59 y7996034.exe 48->59         started        127 5.42.65.80, 49733, 49734, 49736 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 50->127 205 Multi AV Scanner detection for dropped file 50->205 207 Creates an undocumented autostart registry key 50->207 209 Uses schtasks.exe or at.exe to add and modify task schedules 50->209 61 cmd.exe 50->61         started        63 schtasks.exe 50->63         started        129 176.123.9.85, 16482, 49728 ALEXHOSTMD Moldova Republic of 53->129 211 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 53->211 213 Found many strings related to Crypto-Wallets (likely being stolen) 53->213 215 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 53->215 217 Tries to steal Crypto Currency Wallets 53->217 file17 signatures18 process19 file20 99 C:\Users\user\AppData\Local\...\i0181364.exe, PE32 55->99 dropped 101 C:\Users\user\AppData\Local\...\g4407486.exe, PE32 55->101 dropped 189 Antivirus detection for dropped file 55->189 191 Machine Learning detection for dropped file 55->191 65 i0181364.exe 4 55->65         started        69 g4407486.exe 1 55->69         started        103 C:\Users\user\AppData\Local\...\n8502733.exe, PE32 59->103 dropped 105 C:\Users\user\AppData\Local\...\m8151025.exe, PE32 59->105 dropped 71 n8502733.exe 59->71         started        73 m8151025.exe 59->73         started        75 conhost.exe 61->75         started        77 cmd.exe 61->77         started        79 cacls.exe 61->79         started        81 conhost.exe 63->81         started        signatures21 process22 dnsIp23 123 77.91.124.82, 19071, 49723, 49725 ECOTEL-ASRU Russian Federation 65->123 165 Antivirus detection for dropped file 65->165 167 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 65->167 169 Machine Learning detection for dropped file 65->169 171 Found many strings related to Crypto-Wallets (likely being stolen) 65->171 173 Writes to foreign memory regions 69->173 175 Allocates memory in foreign processes 69->175 177 Injects a PE file into a foreign processes 69->177 83 WerFault.exe 10 69->83         started        85 AppLaunch.exe 1 69->85         started        87 conhost.exe 69->87         started        179 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 71->179 125 5.42.92.211, 49724, 49741, 49755 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 73->125 signatures24 process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24d1db071682d7d2ff58958f5c177d716b172ff1f19c42cf95f4c28744f2f4bb/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-10 15:21:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eti5wbywqll5f72yswhvyf35ofvrol7r6goeft4v6tbiorhs6s5q._file
Verdict:
unknown
Similar samples:
01bda45f92bdaf75de7f809024177c873d12b133bb70ee1bec243ab7d3e9e3d7
RedLineStealer
0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2
RedLineStealer
752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983
RedLineStealer
806d1d42b45adf8a3ecd7fb0797ee658b207e5338efca502541dd2f91d6b2413
RedLineStealer
9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
RedLineStealer
a86c40b7336f60749b61736fdb2192f3079baacf4893fe9d572b1891927b7ef6
RedLineStealer
b6dbab0251f7dc75749babd8a98c8072df0ae4bd9767198cf2381d667e2222f6
RedLineStealer
c3de8f808b7c5b3b37549bb8b6bea11463eed6a74532797f9a4214c1b5ea747f
RedLineStealer
ca54c6e3edac0185342ae18baa70ba469bdafa338fc67fba81fad6796e963ff6
RedLineStealer
d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5
RedLineStealer
+ 12 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:smokeloader backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230910-sra71saa83/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Amadey
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
http://5.42.65.80/8bmeVwqx/index.php
Unpacked files
SH256 hash:
24d1db071682d7d2ff58958f5c177d716b172ff1f19c42cf95f4c28744f2f4bb
MD5 hash:
b2d73546341a9fd03730f097240800f2
SHA1 hash:
148cf2b38d90a0710b187b47fefe7f6918fd9e4e
Link:
https://www.unpac.me/results/70756f45-a89d-44dd-a1f0-96a1eeec04e6/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/24d1db071682/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24d1db071682d7d2ff58958f5c177d716b172ff1f19c42cf95f4c28744f2f4bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 24d1db071682d7d2ff58958f5c177d716b172ff1f19c42cf95f4c28744f2f4bb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710381/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447743/

Comments