MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 17



SHA256 hash: 30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c
SHA3-384 hash: 77f344a14ef10be405fc5fe3c9635b93ad6d6ae92cc842c879bbb90a75cbfff756f49bb252ae49a75ccdc7a627654986
SHA1 hash: 3e5d9a820779d9366a4fe09d3290532f55408f21
MD5 hash: 78afc132e33fad6f0f92fc12bf22eb3e
humanhash: hamper-one-spaghetti-low
File name: 78afc132e33fad6f0f92fc12bf22eb3e.exe
Signature RedLineStealer
File size: 1'369'600 bytes
First seen: 2023-09-06 22:26:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:NyxYmYy1lP+0zTLK8PS0iYTnzqfn75YVG/2iDMZqw04QEiYTxTpm7bJuwJm:oqo7+qnHi4uf75Yo/o0FEVSgw
Threatray 1'872 similar samples on MalwareBazaar
TLSH T1B255232267E49123DCB463B0A5FA03732E377C639D25D24F334AD84A6EB3585A572336
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://77.91.68.78/help/index.php

Intelligence


File Origin
# of uploads :
1
# of downloads :
296
Origin country :
NL
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
78afc132e33fad6f0f92fc12bf22eb3e.exe
Verdict:
Malicious activity
Analysis date:
2023-09-06 22:28:47 UTC
Tags:
stealc stealer redline amadey botnet trojan opendir loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Connecting to a non-recommended domain
Sending an HTTP POST request
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer greyware installer lolbin packed rundll32 setupapi shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
Amadey, Mystic Stealer, RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1304782
Sample: fCEYzNFT7F.exe
Startdate: 07/09/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree (dropped files, network contacts and per-process signatures as drawn in the graph):
fCEYzNFT7F.exe
  drops C:\Users\user\AppData\Local\...\y9946112.exe (PE32)
  drops C:\Users\user\AppData\Local\...\p7696450.exe (PE32+)
  starts y9946112.exe
    drops C:\Users\user\AppData\Local\...\y5073244.exe (PE32)
    drops C:\Users\user\AppData\Local\...\o7011552.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    starts y5073244.exe
      drops C:\Users\user\AppData\Local\...\y0375162.exe (PE32)
      drops C:\Users\user\AppData\Local\...\n4678839.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      starts y0375162.exe
        drops C:\Users\user\AppData\Local\...\m8775402.exe (PE32)
        drops C:\Users\user\AppData\Local\...\l0101201.exe (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        starts l0101201.exe
          drops C:\Users\user\AppData\Local\...\explonde.exe (PE32)
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to inject code into remote processes
          starts explonde.exe
            network: 77.91.68.52 (ports 49709, 49710, 49711), FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation
            drops C:\Users\user\AppData\Roaming\...\clip64.dll (PE32)
            drops C:\Users\user\AppData\Local\...\clip64[1].dll (PE32)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 2 other signatures
            starts rundll32.exe
              signatures: Contains functionality to modify clipboard data
            starts cmd.exe
              starts conhost.exe, cmd.exe, cacls.exe and 4 other processes
            starts schtasks.exe
              starts conhost.exe
        starts m8775402.exe
          network: 5.42.92.211 (ports 49708, 80), RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation
      starts n4678839.exe
        network: 77.91.124.82 (ports 19071, 49713), ECOTEL-ASRU, Russian Federation
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
Also started directly from the root of the graph: explonde.exe; rundll32.exe; 4 other processes
Threat name:
Win32.Trojan.Amadey
Status:
Malicious
First seen:
2023-09-06 21:48:21 UTC
File Type:
PE (Exe)
Extracted files:
347
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Result
Malware family:
redline
Score:
10/10
Tags:
family:amadey family:redline botnet:mrak infostealer persistence trojan
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
RedLine
Malware Config
C2 Extraction:
77.91.68.52/mac/index.php
77.91.124.82:19071
Unpacked files
SHA256 hash:
81aa2e80fbceb1bafc1c88cba1286221edd837bede5f66a08fdf9f93b65b5931
MD5 hash:
4890b43792b80b0b585a198e76355db1
SHA1 hash:
fc2e70a931e6c4d4a9ab702bcca5dbe70e086130
Detections:
Amadey
Parent samples : […]
SHA256 hash:
23ab8940b2d77bac7caa36a34b763a34aedf6db448b0be3d1b6ae6b4e0f0e6fb
MD5 hash:
bc23924907da63cc009457d65303d256
SHA1 hash:
8a0db3b3e77be73192d1ca7fe20e2e18939929da
Detections:
redline
Parent samples : […]
SHA256 hash:
729434e7582bea15ec03b2b2ff3b5f50effb2e1304d4f9648454a3b8ad1dc97c
MD5 hash:
cd91e02431fc5f29ff209feceb5fffec
SHA1 hash:
14f2a956476f814817045ca597a1b354ce924ce3
SHA256 hash:
dfcfce97547279dce47d8851d10d3336fc2a3747d596d782cafce1c201a6115a
MD5 hash:
eeb875e60776eeab6779c1c60f1ca82c
SHA1 hash:
f76ccd78d3fc7663b7a974fe0d7a850ce7e3f450
SHA256 hash:
30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c
MD5 hash:
78afc132e33fad6f0f92fc12bf22eb3e
SHA1 hash:
3e5d9a820779d9366a4fe09d3290532f55408f21
Malware family:
RedLine.E
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
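A practical way to use this entry is to match the exact hashes and the extracted C2 indicators against your own artefacts; the imphash and icon dhash above are shared by thousands of RedLineStealer and Amadey samples, so they group samples by packer/loader rather than confirm the family on their own. The script below is an added example, not MalwareBazaar, abuse.ch or vendor code. The hashes and indicators are copied from this page (the reporter comment, the Triage C2 extraction and the behaviour graph); the proxy-log lines and their column layout (timestamp, client, method, target, status) are constructed test data, not captured traffic.

```python
"""IOC checks for the MalwareBazaar entry above (added example, not the site's code).

Hashes and network indicators come from this page; the log lines and the
"abc" input used in tests are constructed, not captured data.
"""
import hashlib
from pathlib import Path
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

DIGESTS = ("md5", "sha1", "sha256", "sha3_384")   # the algorithms the entry lists

# Submitted sample (30ef...) and the unpacked Amadey payload (81aa...), per the page.
KNOWN_HASHES = {
    "sha256": {"30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c",
               "81aa2e80fbceb1bafc1c88cba1286221edd837bede5f66a08fdf9f93b65b5931"},
    "sha1": {"3e5d9a820779d9366a4fe09d3290532f55408f21",
             "fc2e70a931e6c4d4a9ab702bcca5dbe70e086130"},
    "md5": {"78afc132e33fad6f0f92fc12bf22eb3e",
            "4890b43792b80b0b585a198e76355db1"},
}


class Indicator(NamedTuple):
    raw: str
    host: str
    port: Optional[int]
    path: Optional[str]


def parse_indicator(text: str) -> Optional[Indicator]:
    """Split a URL, host:port or bare host into comparable parts.

    Non-URL tokens (timestamps, HTTP verbs) come back as None, so the function
    can be run over every whitespace-separated token of a log line.
    """
    target = text if "://" in text else "//" + text
    try:
        parts = urlsplit(target)
        host, port = parts.hostname, parts.port   # .port raises on junk like "15:22Z"
    except ValueError:
        return None
    return Indicator(text, host, port, parts.path or None) if host else None


C2_INDICATORS = [parse_indicator(s) for s in (
    "http://77.91.68.78/help/index.php",   # reporter comment (abuse_ch)
    "77.91.68.52/mac/index.php",           # C2 extraction
    "77.91.124.82:19071",                  # C2 extraction
    "77.91.68.52",                         # contacted by explonde.exe (behaviour graph)
    "5.42.92.211",                         # contacted by m8775402.exe (behaviour graph)
)]


def matching_indicators(token: str) -> list:
    """Indicators a single URL/host token satisfies. A host-only indicator
    matches any port and path; one that names a port or path needs them equal."""
    seen = parse_indicator(token)
    if seen is None:
        return []
    return [ioc.raw for ioc in C2_INDICATORS
            if ioc.host == seen.host
            and (ioc.port is None or ioc.port == seen.port)
            and (ioc.path is None or ioc.path == seen.path)]


def scan_log(lines) -> list:
    """[(line_number, [indicators])] for every line that touches a C2 IOC."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = []
        for token in line.split():
            hits += [raw for raw in matching_indicators(token) if raw not in hits]
        if hits:
            results.append((number, hits))
    return results


def hash_data(data: bytes) -> dict:
    """Hex digests of a sample in the algorithms MalwareBazaar displays."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def matched_hash_algorithms(digests: dict) -> set:
    """Names of the algorithms whose digest equals a hash on this page."""
    return {name for name, value in digests.items()
            if value.lower() in KNOWN_HASHES.get(name, set())}


# Constructed proxy-log lines: timestamp, client, method, target, status.
SAMPLE_LOG = """\
2023-09-07T10:15:22Z 10.0.0.5 POST http://77.91.68.52/mac/index.php 200
2023-09-07T10:15:23Z 10.0.0.5 GET http://77.91.68.52/mac/clip64.dll 200
2023-09-07T10:15:30Z 10.0.0.5 CONNECT 77.91.124.82:19071 -
2023-09-07T10:16:01Z 10.0.0.7 GET http://example.com/index.php 200
2023-09-07T10:16:05Z 10.0.0.7 CONNECT 77.91.124.82:443 -
""".splitlines()

if __name__ == "__main__":
    import sys
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
    for name in sys.argv[1:]:          # any files given on the command line
        digests = hash_data(Path(name).read_bytes())
        print(name, digests["sha256"], matched_hash_algorithms(digests) or "no match")
```

On the constructed log the first three lines fire and the last two do not: the port-qualified indicator 77.91.124.82:19071 deliberately stays quiet on port 443, while the bare-host entry for 77.91.68.52 (taken from the behaviour graph, not from the config extraction) catches the second request even though its path differs. Add a bare host only where the page itself shows the host being contacted, as it does for these two, otherwise the check widens beyond what the entry supports.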

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Author:Varp0s

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256: 30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c (this sample)

Delivery method
Distributed via web download
