MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6
SHA3-384 hash: 51de716393b4363706cacf9a73735912765b14243c72f4c9f430ea6098635e8bfd566f3ae971264bc0732b0c91c0fcb8
SHA1 hash: 0e8fe8ba1da6f90382fa3b080d1a21a7dea043ed
MD5 hash: 6c679ced6d6dce1f6b67b4098981cf58
humanhash: march-johnny-item-zebra
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'636'160 bytes
First seen:2024-01-15 16:46:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:0OrdAu1CQnuQdrHNbmfTolBD+hb5OsUQNJGcZcUUo9W+Vsk:0OrL1CwhdrHw82dUoGcZnUo9PVs
TLSH T119263383E6C008A1D5AB77B11DFB634B5734B8464D2602A332B1CC1F49623A5627EFB7
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://109.107.182.40/core/done.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
376
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470978/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Downloader.Crifi-10009289-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control crypto explorer fingerprint greyware installer installer lolbin lolbin monero packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65a5618794d1aebfb2a19c78/reports/5ca66284-47e0-48fe-8410-6fca255e88f7/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55491765-687d-4e86-b2e0-ca959abffd35
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1374917
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
PE file has nameless sections
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1374917 Sample: file.exe Startdate: 15/01/2024 Architecture: WINDOWS Score: 100 108 telemetry-incoming.r53-2.services.mozilla.com 2->108 110 services.addons.mozilla.org 2->110 112 10 other IPs or domains 2->112 140 Antivirus / Scanner detection for submitted sample 2->140 142 Multi AV Scanner detection for dropped file 2->142 144 Yara detected RisePro Stealer 2->144 146 5 other signatures 2->146 12 file.exe 1 4 2->12         started        15 msedge.exe 2->15         started        17 firefox.exe 1 2->17         started        19 3 other processes 2->19 signatures3 process4 file5 92 C:\Users\user\AppData\Local\...\Ay3MF91.exe, PE32 12->92 dropped 94 C:\Users\user\AppData\Local\...\6jW9WL4.exe, PE32 12->94 dropped 21 Ay3MF91.exe 1 4 12->21         started        96 C:\Users\user\...\page_embed_script.js, ASCII 15->96 dropped 98 C:\Users\user\...\eventpage_bin_prod.js, ASCII 15->98 dropped 100 C:\Users\user\AppData\...\content_new.js, Unicode 15->100 dropped 102 C:\Users\user\AppData\Local\...\content.js, Unicode 15->102 dropped 25 msedge.exe 15->25         started        28 msedge.exe 15->28         started        30 msedge.exe 15->30         started        34 4 other processes 15->34 32 firefox.exe 3 86 17->32         started        process6 dnsIp7 84 C:\Users\user\AppData\Local\...\HW2wl86.exe, PE32 21->84 dropped 86 C:\Users\user\AppData\Local\...\5eN5xV2.exe, PE32 21->86 dropped 160 Multi AV Scanner detection for dropped file 21->160 36 HW2wl86.exe 1 4 21->36         started        120 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->120 122 ssl.bingadsedgeextension-prod.azurewebsites.net 138.91.254.96 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->122 128 14 other IPs or domains 25->128 124 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 32->124 126 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 GOOGLEUS United States 32->126 130 4 other IPs or domains 32->130 88 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 32->88 dropped 90 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 32->90 dropped 39 firefox.exe 32->39         started        41 firefox.exe 32->41         started        43 firefox.exe 32->43         started        45 4 other processes 32->45 file8 signatures9 process10 file11 80 C:\Users\user\AppData\Local\...\ph6Uz44.exe, PE32 36->80 dropped 82 C:\Users\user\AppData\Local\...\4Fg614JV.exe, PE32 36->82 dropped 47 ph6Uz44.exe 1 4 36->47         started        51 4Fg614JV.exe 36->51         started        process12 file13 104 C:\Users\user\AppData\Local\...\2QB1301.exe, PE32 47->104 dropped 106 C:\Users\user\AppData\Local\...\1cF51QI3.exe, PE32 47->106 dropped 136 Multi AV Scanner detection for dropped file 47->136 138 Binary is likely a compiled AutoIt script file 47->138 53 2QB1301.exe 9 1 47->53         started        56 1cF51QI3.exe 13 47->56         started        signatures14 process15 signatures16 148 Multi AV Scanner detection for dropped file 53->148 150 Modifies windows update settings 53->150 152 Disables Windows Defender Tamper protection 53->152 158 2 other signatures 53->158 154 Binary is likely a compiled AutoIt script file 56->154 156 Found API chain indicative of sandbox detection 56->156 58 chrome.exe 9 56->58         started        61 msedge.exe 10 56->61         started        63 chrome.exe 56->63         started        65 3 other processes 56->65 process17 dnsIp18 132 192.168.2.5, 443, 49704, 49705 unknown unknown 58->132 134 239.255.255.250 unknown Reserved 58->134 67 chrome.exe 58->67         started        70 chrome.exe 58->70         started        72 chrome.exe 58->72         started        74 msedge.exe 61->74         started        76 chrome.exe 63->76         started        78 chrome.exe 65->78         started        process19 dnsIp20 114 www.google.com 142.250.31.105 GOOGLEUS United States 67->114 116 142.250.31.106 GOOGLEUS United States 67->116 118 27 other IPs or domains 67->118
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-15 16:47:06 UTC
File Type:
PE (Exe)
Extracted files:
185
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwi5z7rawwxcmxinpmc4s23dqq2yhxyvepzo2kc5pacnk5plolta._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google evasion persistence phishing trojan
Link:
https://tria.ge/reports/240115-vahxmsbdhk/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
4b0f536f26e040c85e3289c65e9a1268f7d08f33b51e9f5983fdc62bd2a011a6
MD5 hash:
d0d5042066404b405054ebccfe39d5f6
SHA1 hash:
f6fe196acc42cb975aa20d8a248848194530da97
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/4fbe48b9-5576-406d-ae81-2a046a51d605/
SH256 hash:
e43ffd17c0690aee9d76198386c51edf23b4efb33c505efb38c39f85988d7898
MD5 hash:
a092736c001a867fc1aad9514089a7a7
SHA1 hash:
d464fd340b2d1547308f3dcbb93b41baa8baf2c0
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/4fbe48b9-5576-406d-ae81-2a046a51d605/
Parent samples :
8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6
837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c
SH256 hash:
b4708ad9eefb2ac6f31f209f72b6a4a00ee479d302cabf7cdae5c1fe88ccadba
MD5 hash:
f335c26f13de2e669bfd4b4d6db4b7d6
SHA1 hash:
0e9e8a2982c795efc5b2e6cceee1ec91a0b58b97
Link:
https://www.unpac.me/results/4fbe48b9-5576-406d-ae81-2a046a51d605/
SH256 hash:
2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6
MD5 hash:
6c679ced6d6dce1f6b67b4098981cf58
SHA1 hash:
0e8fe8ba1da6f90382fa3b080d1a21a7dea043ed
Link:
https://www.unpac.me/results/4fbe48b9-5576-406d-ae81-2a046a51d605/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d91dcfe20b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2748901/
Cape
Cape
https://www.capesandbox.com/analysis/470978/

Comments