MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0
SHA3-384 hash: 95ffbe5dcdf4ef690720ba9c41068267baef868e8d7c1d022fbbff0b7c3acd8caf3f8e5e8b763f377bce3e5323ff6be0
SHA1 hash: bce24476aad069b38a7ed982be64de9096b25eec
MD5 hash: 7de2b4b0ffc4d0cd1e794ae46221ba77
humanhash: orange-mirror-johnny-five
File name:7de2b4b0ffc4d0cd1e794ae46221ba77.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'067'520 bytes
First seen:2023-11-10 17:31:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:OyVNy4JP5hHQWReaeoIsdCxGDNTDrQamyNZC+e5nXAWg7:dT9JP5ZhBe/YEG1X++eVAWg
TLSH T1053523869ADCC432DCB567B01DFA01870B39BDA17D7C632E7346944B9E72AD4687033A
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.42.92.51:19057

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
DNS request
Sending a custom TCP request
Behavior that indicates a threat
Searching for the window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control evasive explorer greyware installer installer lolbin lolbin packed remote rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/654e69123dd412119bf5af6d/reports/6fa507db-bf4e-46d8-8454-73708a0d2b72/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3eef622c-c85d-43e2-bc40-92640d60166d
Result
Threat name:
Glupteba, Mystic Stealer, Raccoon Steale
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1340807
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the hosts file
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has a writeable .text section
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Glupteba
Yara detected Mystic Stealer
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1340807 Sample: o3ihm6ySxo.exe Startdate: 10/11/2023 Architecture: WINDOWS Score: 100 142 xmr-eu1.nanopool.org 2->142 144 pastebin.com 2->144 146 5 other IPs or domains 2->146 196 Snort IDS alert for network traffic 2->196 198 Found malware configuration 2->198 200 Malicious sample detected (through community Yara rule) 2->200 202 22 other signatures 2->202 13 o3ihm6ySxo.exe 1 4 2->13         started        16 rundll32.exe 2->16         started        18 rundll32.exe 2->18         started        signatures3 process4 file5 120 C:\Users\user\AppData\Local\...\Lj9gA12.exe, PE32 13->120 dropped 122 C:\Users\user\AppData\Local\...\7Jh0bl33.exe, PE32 13->122 dropped 20 Lj9gA12.exe 1 4 13->20         started        process6 file7 94 C:\Users\user\AppData\Local\...r0uW61.exe, PE32 20->94 dropped 96 C:\Users\user\AppData\Local\...\3Nu60AU.exe, PE32 20->96 dropped 204 Antivirus detection for dropped file 20->204 206 Machine Learning detection for dropped file 20->206 24 3Nu60AU.exe 20->24         started        27 Er0uW61.exe 1 4 20->27         started        signatures8 process9 file10 208 Antivirus detection for dropped file 24->208 210 Multi AV Scanner detection for dropped file 24->210 212 Machine Learning detection for dropped file 24->212 216 5 other signatures 24->216 30 explorer.exe 24->30 injected 116 C:\Users\user\AppData\Local\...\2Cf5242.exe, PE32 27->116 dropped 118 C:\Users\user\AppData\Local\...\1gJ47Yq4.exe, PE32 27->118 dropped 214 Binary is likely a compiled AutoIt script file 27->214 35 2Cf5242.exe 1 27->35         started        37 1gJ47Yq4.exe 12 27->37         started        signatures11 process12 dnsIp13 148 185.229.66.214 SUPERSERVERSDATACENTERRU Russian Federation 30->148 150 5.42.65.80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 30->150 152 7 other IPs or domains 30->152 124 C:\Users\user\AppData\Roaming\efevvdi, PE32 30->124 dropped 126 C:\Users\user\AppData\Local\Temp\CC2A.exe, PE32 30->126 dropped 128 C:\Users\user\AppData\Local\Temp\8184.exe, PE32 30->128 dropped 130 4 other malicious files 30->130 dropped 164 System process connects to network (likely due to code injection or exploit) 30->164 166 Benign windows process drops PE files 30->166 168 Adds a directory exclusion to Windows Defender 30->168 170 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->170 39 8184.exe 30->39         started        43 495A.exe 30->43         started        45 CC2A.exe 30->45         started        56 4 other processes 30->56 172 Machine Learning detection for dropped file 35->172 174 Contains functionality to inject code into remote processes 35->174 176 Writes to foreign memory regions 35->176 184 2 other signatures 35->184 47 AppLaunch.exe 12 35->47         started        50 conhost.exe 35->50         started        178 Binary is likely a compiled AutoIt script file 37->178 180 Found API chain indicative of sandbox detection 37->180 182 Contains functionality to modify clipboard data 37->182 52 chrome.exe 9 37->52         started        54 chrome.exe 37->54         started        58 8 other processes 37->58 file14 signatures15 process16 dnsIp17 104 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 39->104 dropped 106 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 39->106 dropped 108 C:\Users\user\AppData\...\InstallSetup5.exe, PE32 39->108 dropped 110 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 39->110 dropped 218 Antivirus detection for dropped file 39->218 220 Multi AV Scanner detection for dropped file 39->220 222 Machine Learning detection for dropped file 39->222 224 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->224 60 toolspub2.exe 39->60         started        63 31839b57a4f11171d6abc8bbc4451ee4.exe 39->63         started        70 4 other processes 39->70 112 C:\Users\user\...\muhbUYpfTWgJMLE.data, PE32 43->112 dropped 114 C:\Users\user\...\AWiwNApVXAvhSOw.data, PE32 43->114 dropped 226 Writes to foreign memory regions 43->226 228 Allocates memory in foreign processes 43->228 230 Injects a PE file into a foreign processes 43->230 65 jsc.exe 43->65         started        73 3 other processes 45->73 154 5.42.92.88 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 47->154 232 Tries to delay execution (extensive OutputDebugStringW loop) 47->232 156 192.168.2.5 unknown unknown 52->156 158 239.255.255.250 unknown Reserved 52->158 75 3 other processes 52->75 68 chrome.exe 54->68         started        160 194.49.94.80 EQUEST-ASNL unknown 56->160 162 194.49.94.11 EQUEST-ASNL unknown 56->162 234 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 56->234 236 Found many strings related to Crypto-Wallets (likely being stolen) 56->236 238 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 56->238 77 6 other processes 56->77 79 8 other processes 58->79 file18 signatures19 process20 dnsIp21 240 Multi AV Scanner detection for dropped file 60->240 242 Detected unpacking (changes PE section rights) 60->242 244 Machine Learning detection for dropped file 60->244 246 Injects a PE file into a foreign processes 60->246 81 toolspub2.exe 60->81         started        248 Detected unpacking (overwrites its own PE header) 63->248 250 Found Tor onion address 63->250 252 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 63->252 84 cmd.exe 63->84         started        132 194.169.175.235 CLOUDCOMPUTINGDE Germany 65->132 254 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 65->254 256 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 65->256 258 Tries to harvest and steal browser information (history, passwords, etc) 65->258 98 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 70->98 dropped 100 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 70->100 dropped 102 C:\Windows\System32\drivers\etc\hosts, ASCII 70->102 dropped 260 Modifies the hosts file 70->260 262 Adds a directory exclusion to Windows Defender 70->262 86 Broom.exe 70->86         started        134 91.103.252.114 HOSTGLOBALPLUS-ASRU Russian Federation 73->134 136 twitter.com 104.244.42.129 TWITTERUS United States 75->136 138 tpop-api.twitter.com 104.244.42.130 TWITTERUS United States 75->138 140 90 other IPs or domains 75->140 file22 signatures23 process24 signatures25 186 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 81->186 188 Maps a DLL or memory area into another process 81->188 190 Checks if the current machine is a virtual machine (disk enumeration) 81->190 192 Creates a thread in another existing process (thread injection) 81->192 88 conhost.exe 84->88         started        90 fodhelper.exe 84->90         started        92 fodhelper.exe 84->92         started        194 Multi AV Scanner detection for dropped file 86->194 process26
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2023-11-10 17:32:05 UTC
File Type:
PE (Exe)
Extracted files:
137
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fimpigcis7mx2vy3vyhg6jdoiwfxo47df376gnnqrpvxc7tedtqa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:mystic family:raccoon family:redline family:sectoprat family:smokeloader botnet:23545d68ee8b777ffd2f74f9eb99e145 botnet:@ytlogsbot botnet:pixelnew2.0 botnet:taiga botnet:up3 backdoor discovery dropper infostealer loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231110-v39wtsda34/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Mystic stealer payload
Glupteba
Glupteba payload
Mystic
Raccoon
Raccoon Stealer payload
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Malware Config
C2 Extraction:
http://5.42.92.190/fks/index.php
5.42.92.51:19057
194.49.94.11:80
194.169.175.235:42691
http://91.103.252.114:80/
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
6890b449c8af1d7a52fc7f7bc4165e92ba1117afff53d7b72fca54cdc4f69b7e
MD5 hash:
afbc75b2d7befe994189d27db31a3b45
SHA1 hash:
19f0ae0df2c306a668650c2934306b322a1228e1
Link:
https://www.unpac.me/results/99137a59-565d-4e11-b9f1-2c8921a11a46/
SH256 hash:
46d73000badea343d2cb0847c368847c37606303018f3c4978d01873e0b4fb82
MD5 hash:
91df744d778858b578e9e1200e3644ae
SHA1 hash:
0ad8bc6a8b89368b135918e95f1e6b49150192f1
Link:
https://www.unpac.me/results/99137a59-565d-4e11-b9f1-2c8921a11a46/
Parent samples :
dd49ae56ccd5824fe4f6b62ed6b3b3466a40e56163c23adee63b9b26d96b09c5
afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733
3e7af42c2132ad7ca46675fcc364bbfff19ed9a9b6e7c1416215334bcc1e6a27
30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c
SH256 hash:
8ecb53e21239643477dbf5310c727cc6b84f1ea644d52da28ebc615a35d76af4
MD5 hash:
ee835361285a97c6a09826404d5d7285
SHA1 hash:
28598f6d0c9a94e29d989087fecc0ce90c62befc
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/99137a59-565d-4e11-b9f1-2c8921a11a46/
Parent samples :
68cdb9386a731d632b95fa312510d802ea16e1faad66411795e2b407c19809c0
71334cb3df06b322134688d24e5b8620d691a38ac42d72c5c0071b3de563fcb4
2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0
b830ed49662218ce0830fdd8018ef7730ff47a725c68c792b1199fad6f0a96db
d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba
81b156ce5e3c46a2c484bb746dbb3e99265e26f94c64df933f4f27c6548ebe62
b5b6dfb221365b25f9343b8b1f7d5779eaa1cb489a15508852d5f9227a6a91de
a06acba515844903c5d524ea8ac8b1ea0115b1cf5c6516eabb4ecdd51934183f
981e42945b27742a2ef21acaeb4f0985ac83e484671e7bedd2dc071e0c4af62f
b13a42c56d5e32f437619f4331055b58d88da9d7ca85faeb55152ac349f23954
bf747d7d7e3824b80a05d2988b5163729fb1b8c280f4ea5e2d638ab421f5c9d4
72f29919f78f53956692e212fe8bbff32e153e88a93ec3aa72576e5b440a2f85
7c948da84e336ddde18db89ad5bd132002e9393abb5c614d1d74c2005e358b36
3455690561867bf0046352f788d3ff43673d0f093118f3de1c6e0f7bcfb8d3e6
30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c
SH256 hash:
c0f4ceaccd292768ff932a5cbbb2f928bbfa7be31ce9c0fee45c77467611314c
MD5 hash:
d3eeb5b89c232b7d06c8fa4e407820e9
SHA1 hash:
5b9895687d3d60a82200377871a06e2e170d3cff
Link:
https://www.unpac.me/results/99137a59-565d-4e11-b9f1-2c8921a11a46/
SH256 hash:
2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0
MD5 hash:
7de2b4b0ffc4d0cd1e794ae46221ba77
SHA1 hash:
bce24476aad069b38a7ed982be64de9096b25eec
Link:
https://www.unpac.me/results/99137a59-565d-4e11-b9f1-2c8921a11a46/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a18f4184897/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2729439/
  
Delivery method
Distributed via web download

Comments