MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a
SHA3-384 hash: 243c3d5bac5b3057cc431ad920c4233041bd951329c6723731c0f4eacd7e0f0deb5aca039c8f36a3a65ba0c118b1c33c
SHA1 hash: e893c50bf22da4a4153bd492536261dba9e4a95d
MD5 hash: b19fe476f4fd4be81746e50107301004
humanhash: cat-princess-winter-helium
File name:b19fe476f4fd4be81746e50107301004.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'936'896 bytes
First seen:2024-03-05 05:46:54 UTC
Last seen:2024-03-05 07:20:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:LHJrcZmUZotIKfuytRrnVFQ9vAbDn2D/pgYn:LprcZeGKfuytO9vAn2TZ
TLSH T103953328B3594CF6CB070E3E92CBBB6DBD3C69644EC958542D3E26748F23BD44B89941
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
410
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a.exe
Verdict:
Malicious activity
Analysis date:
2024-03-05 05:49:02 UTC
Tags:
amadey botnet stealer lumma loader redline stealc evasion exela python risepro generic
Link:
https://app.any.run/tasks/2f3e0dc2-0875-41c1-9ae6-517d73248932

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12469.11666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65e6b1d7d86c827370d06660/reports/07a06588-0107-4b1f-91ea-b8261576adc8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/96dab9b7-e57f-47e7-bc61-fae541cd589f
Result
Threat name:
LummaC, Python Stealer, Amadey, LummaC S
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1403172
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1403172 Sample: byGoj135nH.exe Startdate: 05/03/2024 Architecture: WINDOWS Score: 100 146 Multi AV Scanner detection for domain / URL 2->146 148 Found malware configuration 2->148 150 Malicious sample detected (through community Yara rule) 2->150 152 28 other signatures 2->152 9 explorgu.exe 1 60 2->9         started        14 byGoj135nH.exe 5 2->14         started        16 newsun.exe 2->16         started        process3 dnsIp4 126 185.215.113.32 WHOLESALECONNECTIONSNL Portugal 9->126 128 185.215.113.45 WHOLESALECONNECTIONSNL Portugal 9->128 130 3 other IPs or domains 9->130 98 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 9->98 dropped 100 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 9->100 dropped 102 C:\Users\user\AppData\...\cryptotaeg.exe, PE32 9->102 dropped 106 29 other malicious files 9->106 dropped 174 Multi AV Scanner detection for dropped file 9->174 176 Detected unpacking (changes PE section rights) 9->176 178 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->178 186 3 other signatures 9->186 18 juditttt.exe 9->18         started        22 jokerpos.exe 9->22         started        24 osminog.exe 2 9->24         started        26 9 other processes 9->26 104 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 14->104 dropped 180 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->180 182 Tries to evade debugger and weak emulator (self modifying code) 14->182 184 Tries to detect virtualization through RDTSC time measurements 14->184 file5 signatures6 process7 file8 86 C:\Users\user\AppData\...\_quoting_c.pyd, PE32+ 18->86 dropped 88 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 18->88 dropped 90 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 18->90 dropped 94 32 other files (31 malicious) 18->94 dropped 154 Multi AV Scanner detection for dropped file 18->154 156 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->156 28 stub.exe 18->28         started        158 Writes to foreign memory regions 22->158 160 Allocates memory in foreign processes 22->160 162 Injects a PE file into a foreign processes 22->162 33 RegAsm.exe 22->33         started        45 2 other processes 22->45 164 Contains functionality to inject code into remote processes 24->164 166 LummaC encrypted strings found 24->166 35 RegAsm.exe 24->35         started        37 conhost.exe 24->37         started        92 C:\Users\user\AppData\Local\...\chrosha.exe, PE32 26->92 dropped 168 System process connects to network (likely due to code injection or exploit) 26->168 170 Creates an undocumented autostart registry key 26->170 172 Uses schtasks.exe or at.exe to add and modify task schedules 26->172 39 RegAsm.exe 26->39         started        41 rundll32.exe 23 26->41         started        43 RegAsm.exe 26->43         started        47 10 other processes 26->47 signatures9 process10 dnsIp11 132 208.95.112.1 TUT-ASUS United States 28->132 142 3 other IPs or domains 28->142 108 C:\Users\user\AppData\Local\...\Monster.exe, PE32+ 28->108 dropped 110 C:\Users\user\AppData\...\system_info.txt, Algol 28->110 dropped 188 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->188 210 3 other signatures 28->210 49 cmd.exe 28->49         started        51 cmd.exe 28->51         started        53 cmd.exe 28->53         started        66 14 other processes 28->66 134 94.156.8.100 NET1-ASBG Bulgaria 33->134 112 C:\Users\user\AppData\...\softokn3[1].dll, PE32 33->112 dropped 114 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 33->114 dropped 124 10 other files (6 malicious) 33->124 dropped 190 Tries to steal Mail credentials (via file / registry access) 33->190 192 Found many strings related to Crypto-Wallets (likely being stolen) 33->192 194 Tries to steal Crypto Currency Wallets 33->194 144 3 other IPs or domains 35->144 196 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->196 198 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->198 200 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 35->200 202 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 35->202 136 37.27.52.220 UNINETAZ Iran (ISLAMIC Republic Of) 39->136 116 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 39->116 dropped 118 C:\Users\user\AppData\...\mozglue[1].dll, PE32 39->118 dropped 120 C:\Users\user\AppData\...\freebl3[1].dll, PE32 39->120 dropped 122 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 39->122 dropped 212 2 other signatures 39->212 204 Tries to steal Instant Messenger accounts or passwords 41->204 206 Uses netsh to modify the Windows network and firewall settings 41->206 208 Tries to harvest and steal WLAN passwords 41->208 55 powershell.exe 41->55         started        58 netsh.exe 2 41->58         started        60 conhost.exe 45->60         started        62 WMIC.exe 45->62         started        138 20.218.68.91 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 47->138 140 104.21.69.250 CLOUDFLARENETUS United States 47->140 64 conhost.exe 47->64         started        file12 signatures13 process14 file15 82 3 other processes 49->82 68 conhost.exe 51->68         started        70 WMIC.exe 51->70         started        72 conhost.exe 53->72         started        74 WMIC.exe 53->74         started        96 C:\Users\user\...\246122658369_Desktop.zip, Zip 55->96 dropped 76 conhost.exe 55->76         started        78 conhost.exe 58->78         started        80 conhost.exe 66->80         started        84 20 other processes 66->84 process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-03-05 00:11:00 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eywmtb6rmqq7ghrofhenkmw2l5xbj4iwwq5utldrmlhn32avznva._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:livetraffic discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/240305-ggvywsfg8z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
RedLine
RedLine payload
Malware Config
C2 Extraction:
http://185.215.113.32
20.218.68.91:7690
Unpacked files
SH256 hash:
e54cf84c246db526698116fde4a2b690a7911dd2724a522061c2f8400f696bbe
MD5 hash:
8d87fb5899f72b138c5715a17a23b820
SHA1 hash:
91d03601d9e9e8f67fcfee7580ca225537fe473a
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/8bdf5147-8805-4507-bb36-bb21117df7d8/
SH256 hash:
262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a
MD5 hash:
b19fe476f4fd4be81746e50107301004
SHA1 hash:
e893c50bf22da4a4153bd492536261dba9e4a95d
Link:
https://www.unpac.me/results/8bdf5147-8805-4507-bb36-bb21117df7d8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/262cc987d164/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 262cc987d16421f31e2e29c8d532da5f6e14f116b43b49ac7162cedde815cb6a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2759927/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2757406/
  
URLhaus
https://urlhaus.abuse.ch/url/2761196/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments