MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181
SHA3-384 hash: 925c7043db3eb7dc71f1878b32d8d5364b66fec8131013508f459c84573d42c6f432a5e126e964fa3627f80b6f32cb7b
SHA1 hash: a4ec51de741561de402934f6082c3690aeb484a8
MD5 hash: 7e79f5e299d76555b1cf554e2d9b7e83
humanhash: gee-foxtrot-failed-louisiana
File name:7e79f5e299d76555b1cf554e2d9b7e83
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'171'968 bytes
First seen:2023-10-15 21:09:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:lyoq99XnNePFopLizcnTY0hcXCjMO9tQkbfHgnnId:Aoq9FsPF9on809MO9ttbYnI
Threatray 1'271 similar samples on MalwareBazaar
TLSH T12A452396A9D894B2FDF86F7018F713830637BD108E75C2673684D8670CA368541BAB6F
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7e79f5e299d76555b1cf554e2d9b7e83
Verdict:
Malicious activity
Analysis date:
2023-10-15 21:12:05 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/0616c6cb-b4c1-43b7-8ca3-8ba6c40e3fd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/454621/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Modifying a system executable file
Delayed writing of the file
Launching a process
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Infecting executable files
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/652c54f05da218a42f505b7f/reports/88475777-08eb-466c-9f98-c8f35bea5d64/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af9ab9ae-22e8-4bde-8641-aa568895599d
Result
Threat name:
Amadey, Babadeda, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1326018
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1326018 Sample: fvjOr2DAVX.exe Startdate: 15/10/2023 Architecture: WINDOWS Score: 100 84 Snort IDS alert for network traffic 2->84 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 11 other signatures 2->90 11 fvjOr2DAVX.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 rundll32.exe 2->18         started        process3 file4 72 C:\Users\user\AppData\Local\...\Xn3YH6JX.exe, PE32 11->72 dropped 74 C:\Users\user\AppData\Local\...\6Kn53md.exe, PE32 11->74 dropped 20 Xn3YH6JX.exe 1 4 11->20         started        process5 file6 64 C:\Users\user\AppData\Local\...\vh4gz1Qr.exe, PE32 20->64 dropped 66 C:\Users\user\AppData\Local\...\5FN29tg.exe, PE32 20->66 dropped 98 Antivirus detection for dropped file 20->98 100 Machine Learning detection for dropped file 20->100 24 vh4gz1Qr.exe 1 4 20->24         started        signatures7 process8 file9 68 C:\Users\user\AppData\Local\...\ca0OK1ia.exe, PE32 24->68 dropped 70 C:\Users\user\AppData\Local\...\4Yl759Pa.exe, PE32 24->70 dropped 106 Antivirus detection for dropped file 24->106 108 Machine Learning detection for dropped file 24->108 28 ca0OK1ia.exe 1 4 24->28         started        32 4Yl759Pa.exe 24->32         started        signatures10 process11 file12 76 C:\Users\user\AppData\Local\...\Yf0HL4dv.exe, PE32 28->76 dropped 78 C:\Users\user\AppData\Local\...\3eH7AG02.exe, PE32 28->78 dropped 110 Antivirus detection for dropped file 28->110 112 Machine Learning detection for dropped file 28->112 34 Yf0HL4dv.exe 1 4 28->34         started        38 3eH7AG02.exe 28->38         started        114 Multi AV Scanner detection for dropped file 32->114 116 Writes to foreign memory regions 32->116 118 Allocates memory in foreign processes 32->118 120 Injects a PE file into a foreign processes 32->120 40 AppLaunch.exe 32->40         started        42 conhost.exe 32->42         started        44 WerFault.exe 32->44         started        signatures13 process14 file15 60 C:\Users\user\AppData\Local\...\2tV635EI.exe, PE32 34->60 dropped 62 C:\Users\user\AppData\Local\...\1ZU41Tq8.exe, PE32 34->62 dropped 92 Antivirus detection for dropped file 34->92 94 Machine Learning detection for dropped file 34->94 46 1ZU41Tq8.exe 1 34->46         started        49 2tV635EI.exe 4 34->49         started        96 Tries to harvest and steal browser information (history, passwords, etc) 40->96 signatures16 process17 dnsIp18 122 Contains functionality to inject code into remote processes 46->122 124 Writes to foreign memory regions 46->124 126 Allocates memory in foreign processes 46->126 128 Injects a PE file into a foreign processes 46->128 52 AppLaunch.exe 12 46->52         started        56 WerFault.exe 21 16 46->56         started        58 conhost.exe 46->58         started        80 77.91.124.55, 19071, 49748, 49751 ECOTEL-ASRU Russian Federation 49->80 130 Antivirus detection for dropped file 49->130 132 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->132 134 Machine Learning detection for dropped file 49->134 136 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 49->136 signatures19 process20 dnsIp21 82 5.42.92.88, 49745, 49750, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 52->82 102 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->102 104 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->104 signatures22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-10-15 21:10:06 UTC
File Type:
PE (Exe)
Extracted files:
193
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gtzmviemokijam7pz44er7ngozvwphmzkrizhx6nemybva4kggaq._file
Verdict:
malicious
Similar samples:
1658f04dd5fd5910f02dff6b0653d37003001d2a94de69f8e81568e1513b56a1
RedLineStealer
1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
RedLineStealer
238f4644ee51e1b5452aa80a901eca5dbd075f57348f7eec0267d12bc9385630
RedLineStealer
37a81bd1ee8e13048f5a71bee31fa16b0065f84b90670474c4e6d9a3d5ffb32f
RedLineStealer
524c542d86becde4151b471d53c1c443ec4d3b6d241b78bbb517bf0f7acee684
RedLineStealer
7e32e91937f2e7fa4df7d0ce116b4a4df86f688571aa89de36d7d1cabf3e3520
RedLineStealer
841379ff18e00852295cd883bb4143e17b7a3b5f6808b70bdd65c67686b1f0b9
RedLineStealer
c7e3c26c461f5736cb5c01e09d0ccc66b02905aa94bc87750b3929db58b0c3ff
RedLineStealer
edc49849947a973a3f5657673e3a650901671d91b6ce04dff732211a5ebf0550
RedLineStealer
+ 1'261 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kukish infostealer persistence
Link:
https://tria.ge/reports/231015-zze99sab9w/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
c359cad2d4b0cb214d0e84d78cc648637cb3f09e3ac774b97d1b50175752706e
MD5 hash:
2da2d4908005e48f676c9b1310aca54c
SHA1 hash:
964698d411f778c036fe13913e915d641b2908e8
Link:
https://www.unpac.me/results/e5ad4e1a-e40d-4f8c-9a0d-bd9919c0c7f5/
SH256 hash:
c986afb1155397df822a4a5bb9b3a7ebdffdaba3a6f1951266cbe9ec51ad4353
MD5 hash:
3587978f2ea866e7dd8771ae4e4ccadd
SHA1 hash:
bb205476a899eb0d7fde1e2a4f51f263126eb92f
Link:
https://www.unpac.me/results/e5ad4e1a-e40d-4f8c-9a0d-bd9919c0c7f5/
SH256 hash:
89e08cf4af85b8f761078c830a50a2710c5bba96611e854743c3d5f3eac3436a
MD5 hash:
e179fc24031360ff9638f4a90e6477fb
SHA1 hash:
4eef3044d91cc57f822a8db0d152a4afc30ea3d5
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/e5ad4e1a-e40d-4f8c-9a0d-bd9919c0c7f5/
Parent samples :
1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
f6ecf026ba3bfb6c5221d65a255a5bd2cc0dc8a8d7373a0dcaef5499ee6b534a
34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181
SH256 hash:
0572bd8fc2d7853cfaf2199c4b4bdd9e6f1e125e5abc5fd286bd36acdb37d4b6
MD5 hash:
b0acdfa122683bb788ab945816dc8e29
SHA1 hash:
2faf1c010dca8824ffd22138608bfc9a5d2e347e
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/e5ad4e1a-e40d-4f8c-9a0d-bd9919c0c7f5/
SH256 hash:
dea196bae6a20b2fce3cd68e9f2b91a70032c27bd06cf84d04a19c88c113ee22
MD5 hash:
0f2d6a00e67ae2404dc65718a5fe5a79
SHA1 hash:
16fb04cb3cd9a5272fc73656167b4cb703e810f2
Link:
https://www.unpac.me/results/e5ad4e1a-e40d-4f8c-9a0d-bd9919c0c7f5/
SH256 hash:
34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181
MD5 hash:
7e79f5e299d76555b1cf554e2d9b7e83
SHA1 hash:
a4ec51de741561de402934f6082c3690aeb484a8
Link:
https://www.unpac.me/results/e5ad4e1a-e40d-4f8c-9a0d-bd9919c0c7f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/454621/

Comments


Avatar
zbet commented on 2023-10-15 21:09:01 UTC

url : hxxp://77.91.68.52/fuza/foto2552.exe