MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e3a1ba72bad3659b760f45503ae3942b1a0a98e9c2c5ffd9585c000198ee300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e3a1ba72bad3659b760f45503ae3942b1a0a98e9c2c5ffd9585c000198ee300
SHA3-384 hash: 890c59a1808343305df9cd6989725f18b2c5c52578968ce235cfa419f5549da42259b14dec9714138d6af5b5181656c0
SHA1 hash: 31e713544572d9fad99b66c68f5baafe7fbe9a13
MD5 hash: 9006dfc9dca37def82876328b3b27eac
humanhash: failed-nuts-ceiling-one
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:759'296 bytes
First seen:2023-02-10 17:31:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:PMrsy90DQQmAMwHOA4fmEHj0HBFLinumNNOZoqQfgKDjTmzz03R:nyPQmDMUmEH28uH/QDUAR
TLSH T1D3F41217E7E99132E8B027B06EF617C30632BD716738824B624F6D5919322B0F6357A7
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://62.204.41.245/mi/lenta.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-10 17:33:26 UTC
Tags:
trojan rat redline amadey loader
Link:
https://app.any.run/tasks/b5e163fb-2bcb-45ec-82c8-b36cc4cb9106

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/363481/
Detection(s):
Win.Packed.Disabler-9987080-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/67714/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll anti-vm packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63e67f96ae0d2eea07d4a00f/reports/f3b0b9a5-a1e8-4b88-afbf-7b2d474aed20/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2e3a1ba72bad3659b760f45503ae3942b1a0a98e9c2c5ffd9585c000198ee300
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f1e1d59-f4ed-44fc-9e00-e31c78c7f966
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1171376
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 804166 Sample: file.exe Startdate: 10/02/2023 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 11 other signatures 2->84 11 file.exe 1 4 2->11         started        14 mnolyk.exe 2->14         started        16 rundll32.exe 2->16         started        18 6 other processes 2->18 process3 file4 68 C:\Users\user\AppData\Local\...\fxZ09LR.exe, PE32 11->68 dropped 70 C:\Users\user\AppData\Local\...\dFu87.exe, PE32 11->70 dropped 20 fxZ09LR.exe 1 4 11->20         started        process5 file6 56 C:\Users\user\AppData\Local\...\fLv50Mb.exe, PE32 20->56 dropped 58 C:\Users\user\AppData\Local\...\cDZ4144.exe, PE32 20->58 dropped 86 Antivirus detection for dropped file 20->86 88 Multi AV Scanner detection for dropped file 20->88 90 Machine Learning detection for dropped file 20->90 24 fLv50Mb.exe 1 4 20->24         started        signatures7 process8 file9 64 C:\Users\user\AppData\Local\...\bLv98tS.exe, PE32 24->64 dropped 66 C:\Users\user\AppData\Local\...\aUO17oI.exe, PE32 24->66 dropped 100 Antivirus detection for dropped file 24->100 102 Multi AV Scanner detection for dropped file 24->102 104 Machine Learning detection for dropped file 24->104 28 aUO17oI.exe 3 24->28         started        32 bLv98tS.exe 5 24->32         started        signatures10 process11 dnsIp12 72 C:\Users\user\AppData\Local\...\mnolyk.exe, PE32 28->72 dropped 106 Multi AV Scanner detection for dropped file 28->106 108 Machine Learning detection for dropped file 28->108 110 Contains functionality to inject code into remote processes 28->110 35 mnolyk.exe 18 28->35         started        74 193.233.20.12, 4132, 49756 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation 32->74 112 Antivirus detection for dropped file 32->112 114 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->114 116 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->116 118 2 other signatures 32->118 file13 signatures14 process15 dnsIp16 76 62.204.41.4, 49701, 49702, 49703 TNNET-ASTNNetOyMainnetworkFI United Kingdom 35->76 60 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 35->60 dropped 62 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 35->62 dropped 92 Multi AV Scanner detection for dropped file 35->92 94 Creates an undocumented autostart registry key 35->94 96 Machine Learning detection for dropped file 35->96 98 2 other signatures 35->98 40 cmd.exe 1 35->40         started        42 schtasks.exe 1 35->42         started        44 rundll32.exe 35->44         started        file17 signatures18 process19 process20 46 conhost.exe 40->46         started        48 cmd.exe 1 40->48         started        50 cmd.exe 1 40->50         started        54 4 other processes 40->54 52 conhost.exe 42->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e3a1ba72bad3659b760f45503ae3942b1a0a98e9c2c5ffd9585c000198ee300/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-10 17:32:11 UTC
File Type:
PE (Exe)
Extracted files:
216
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fy5bxjzlvu3ftn3a6rkqhlrziky2bkmotqwf77mvqxaaagmo4maa._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:dunm discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230210-v4as5acd6z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
62.204.41.4/Gol478Ns/index.php
193.233.20.12:4132
Unpacked files
SH256 hash:
48e805e7de66d2ea246960298be00d8f5a54d5f816025131572ae3b573a08549
MD5 hash:
0b627d9e0b922c530d1d394162364009
SHA1 hash:
553512c3639595e565577dc0b8cf330c949becfa
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/96cbcee9-6a49-43fe-8def-c1af04881ead/
Parent samples :
d488d76826f39688db7c688a0a6ad7d413bff12240e4e572f9483007b09879e6
6863f034de7544d9906f8b578dcf20cbb637c83fb66387010385fdcae800fa98
570814314f7a7d1954572d157aa5dc0d2265c1957f4846dbd19877de3cf5fec2
31768808550e02b8bedd2914000701f1f28ddb8e2b5ca372478e2459926d2644
020023d03b4441dacd304b5dd1cd75f38dfdd1725cf8b088e73c04872032784b
735218299dc5ab1c9974c43935ad615215b9ca15d9d6d4e05de97867916d2edb
9aaa98d81e26111aca6fdba78459fc58522bc4c7db50df775cd21dead591c8c1
b9fc8655c4dc2bb7aeae6cb3f94bf559a8d08183e092864f1229e7a1beb2b023
20b220f80ca15218b5b585eda0b6bf4d282f19875ffc3d2de209aae668ef77a3
621cf3d55bf38c93ee6ba6874418c4c9382514c6251d130be40213e9076f319a
46659e8c5e44214ffc4225987ab25af07b247d011e30c9cc3139980a34889604
a3f16bd8aaa323a4960145bd6e03a0451d5a5a71d6c54b6021c0ce55788b4d3f
b4105f95d17dfe5ff4413d557500ef0d0f36becd2ca9ef5863f3621b1d686c5d
3e9f80572c387f795a42a40bf120921706926aea28c7b81a49f86ecacb63a612
f04fe039123aad3702b48051ba6aa9439a7f2bc81bd9a73d32886708f280f67d
23c473882ccb328912508c4c683cd81103833aaa228241e3241d3915bd86fd70
dd3e7f94cb0b64c6679cad2ec91df34396e5361d1ee2c9a47aa4b6aab3cfa7f2
2424a39238bc5355d80a6d99c35bc13616a26029bad9802c4b9cd97d94d59078
99f61bff52accd3739a40daddcce2e20bed4baa5d9f42100e2551cb9bce3c9bf
fe6c6d2b299c316bf0eff5ce41d8fe5747adb99cab5e1ab80f63d39ec0d94faf
fdbd5a9a02813edf01a16e762ea6af075edc2ba4667219909dc053dfb0dd3d50
5df039faf4891909eceeb268f3fca7437eaa88c6d9c88a6d44a93d5cf7ea54ed
445407d0aa241e594b2eb1c1fc14163dbdbade98a469a39e85a1729299483312
2e3a1ba72bad3659b760f45503ae3942b1a0a98e9c2c5ffd9585c000198ee300
24347fdbf8f16820564871e5e3087cdb6dda3ee7f2638b38105946ea288b81b7
079d68590f4d27dcea19388f18af233a958707f78a957915f0d3e0ff0b8deafd
b9dd67c9977c87a2d6e1e737c595785ae4c814934199bfb3c7ac82ef196ad679
3c576550571cd35ce187301c7a1fe8f66f0a3f5f4dd39175829cfc6c3fbf7953
ae8a8d2f4dc050b271277d59c21b51c7457b5ecdf8e0f6554907798a9de990d4
e6ef17361d8d6bb01db7ee004b8362e15b3c360ce139155b072ee255b3051c6b
1e1d5232bd369680aee4bf1d557bdfb5ba4f775497e57c7d6f4dfef7d048193b
3fc08fc508152977be942bdad56440b433508e70da76e87c3cddce0a580d941f
a9e428a3c643fa99f21701e5e4969a718c8a542140a764faf8ccc2d80ec3760a
f7ddfb199ec667089e2b9d3d47a99bcbfb9d25e015b0015f2d53aa5636ec21ce
28534a3910ad01ae211a7fe20314418160948a757e1e6e0a0d6319eb91d56bda
cbe1bea34ef521b34b6310fc2c1f34d91302686e390cecd3e2049bd7c9f61418
1d8fa605881898875d595ce2a273ad9fc680bad9078245ff53ed92afe2c8d694
79904c04c922b0869495265d6ac112d304a215d7284c6fe0fd64439e839227c8
41316a2965ba1a07d976c691dca74bf802bd05b288481cbeb2687efab39f42ad
a4da90e27a5762ab822c720018f9aa98db6e02e45c4689cdb9b87099a69021e0
2d73f303fff8e2c675acb3c3f544cf17a592549b662c95db52fcb50647c4db70
117cacafcc61ca60b6c531789d0a8e34a2a29f90ca667776ae8bebc7a99fe22a
e1b3356c3d46671e5552b19b3d332215a5e29da3c1228cce46cd41c52ddb8c7a
23847d735b899cd73b2af1a02bd9eef81aa341dc599157c3014bf38c687a6410
1b3946993e476492857c0651d83ad4b70368e56e44cb5bef009b384d13f88151
2c20173b3ed7976f5a8d3f12b299337c123557d4c142a29e0b05e4ca8a0d2b1a
b64c0af97dd38f66b629456feba2b8761bc1e0d44b9c004bc2ae09016f6ef360
6509ef9d3d0f59c8df5d7077b7ff5a5c909b0225091292e7118ffb818f4edf65
b5fcfc4b0efabbc1f29d09484dfa3fb7134a147f7256afc112d7e98446f8870f
f7f4b9e876897503a2c2b4f8112b4ef19ec4ade9b98e0df7358bb63ebd6102b7
f06f90bde96158739bd12aa7c65030d976d44ed1d581c5af99f24b6783c7f099
8d144b2d6e3def56a97555bb0a85059dd5e469b01ecd9da21b57f4682cca3883
c2250391f85af09baae1ac8aef87ab06dde544466cb8a5db617d57a63f2ca290
c089b46a8b4f99a363b65124cb133575e414577e0b3becb0c67f930922dccdef
0fe8bfa751332312a2e3d3626981385b4820a62ce14d17a08fbe9067a3ebcb05
debfb39ede0ec99bfb3247e31a0c57ff938fb382c074ef0b13ce5e4718916e24
80cd3126035b9901c066dbdb60fa6922d80f04a974ed4e996c97582426a10acc
baff47748b592a0e472ea4ca22d329d82e7673d876199825f94dc1cda0428a06
b728e2f5eb2e2343f55960b15c9e466cf462e67e59fe9664d7f97ebcf0da4731
46e16d9ae7a987406358fcab26924ab0adc1f6d5fd33f1b26e86e8d12512085f
c61bf951fdde4ffce5f859205bff496b2818e1b4cdebb22572267319239145ba
0a8ed0072692932604a5c06bade31d2766e648ce28df4712e9d4eb215c3c1c69
79173d12639ea5b927447d7de12923fde859131c0839d70c7a59cf3675583347
351b6dc65510dbd19bfb662c08ce83f22075c0e1774b6c804cc2006d2086f4fc
2fc17dde23b90cde577dd38ab2bd7a30c9450215809e95072eff25a11a01f8cc
25deb96ffcec72fe980019afa29570eded1cb1ef019e50ef347de31681b8bcea
ec70bb9bb0ffc33c514ba6fefdaa2f5dc0a55faf4041e427fdae2e5bf2a70eec
18bf76a7da1ca9127c927871caecca53f6c0c35b286ae7dbc80139bd86a6c54d
2ffbc9bbeb62929e7d6476d4cedd81a3fbba91cd2f3af1576921323ad415bf6e
6370f37fd93811840cb059233dd64e9ed2bede220b64bf27283d9ad8f913e6be
90fa06d26f9737a9e1b0d205c754e6f1aa60fd5fbc172db4e109056fb95a5ed2
d17134847ffcbe3ce00497a4f54667d66baf1e317871694748daee4174286272
SH256 hash:
e962f4e3c0ada08a0fc8ca74970fff0b33a1e98df1f120557aa160d4238d3f2c
MD5 hash:
89740a3e5661a67e59ff68abc2069c4b
SHA1 hash:
2692c3bff7dfb0ca1090b5445fcc9f8e47e5a40b
Link:
https://www.unpac.me/results/96cbcee9-6a49-43fe-8def-c1af04881ead/
SH256 hash:
3852f52b84e93fdd0d595e96283177555fb5a05a17383a8e41e5dbb25fe61464
MD5 hash:
aed379a11d390906ebd27980191a4241
SHA1 hash:
b14d87cdb2e13b308f123ea123c2eda7611b9967
Link:
https://www.unpac.me/results/96cbcee9-6a49-43fe-8def-c1af04881ead/
SH256 hash:
18e85fc15c1962628ecf92f84dbcfd5118537664f7a0b2c4a367bdfaa6f2bd9e
MD5 hash:
519273651efcff11e9be517d9bfc40cf
SHA1 hash:
72915b5f805be0f9a1b93fe0346e87f9f54e558b
Link:
https://www.unpac.me/results/96cbcee9-6a49-43fe-8def-c1af04881ead/
SH256 hash:
2e3a1ba72bad3659b760f45503ae3942b1a0a98e9c2c5ffd9585c000198ee300
MD5 hash:
9006dfc9dca37def82876328b3b27eac
SHA1 hash:
31e713544572d9fad99b66c68f5baafe7fbe9a13
Link:
https://www.unpac.me/results/96cbcee9-6a49-43fe-8def-c1af04881ead/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e3a1ba72bad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e3a1ba72bad3659b760f45503ae3942b1a0a98e9c2c5ffd9585c000198ee300

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/363481/

Comments