MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37a81bd1ee8e13048f5a71bee31fa16b0065f84b90670474c4e6d9a3d5ffb32f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37a81bd1ee8e13048f5a71bee31fa16b0065f84b90670474c4e6d9a3d5ffb32f
SHA3-384 hash: 9b04f2384bcf31f3054c4584ef5a90a8d5eb9b4f1f23dc86c22d5ceec1f0216d1d9dd8f91022e3d67269e5104bcb2f9b
SHA1 hash: 8b94aaa8002c4ab6665d86dd079783bcc15a78ee
MD5 hash: aab63c233da2acf54393ba50f92bf7f5
humanhash: carpet-connecticut-fruit-video
File name:aab63c233da2acf54393ba50f92bf7f5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'543'680 bytes
First seen:2023-10-05 08:35:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:ByVjLdwJ4tg3Sc27AXy6d2n5HXMXsASI2ghNRXcgEI++YQygNaApK2j/gCP:0VjGJ4ux27od+5H8X/TEI++DGC
Threatray 219 similar samples on MalwareBazaar
TLSH T166653342CEC8DA33DDB91BB059F9578B2531BC102979875F530DA64AAC330A5D63B32B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed redline rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/651e75751e07d7e1e9b19015/reports/11f93828-721c-45a6-b03c-280b8f5f2d89/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/37a81bd1ee8e13048f5a71bee31fa16b0065f84b90670474c4e6d9a3d5ffb32f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6345c150-dc18-42e8-adda-46868de6a42e
Result
Threat name:
Amadey, Babadeda, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320013
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1320013 Sample: 4Iezizw9zw.exe Startdate: 05/10/2023 Architecture: WINDOWS Score: 100 86 Snort IDS alert for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 13 other signatures 2->92 11 4Iezizw9zw.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 rundll32.exe 2->18         started        process3 file4 74 C:\Users\user\AppData\Local\...\fk7Pk7PQ.exe, PE32 11->74 dropped 76 C:\Users\user\AppData\Local\...\6Lx14zd.exe, PE32 11->76 dropped 20 fk7Pk7PQ.exe 1 4 11->20         started        process5 file6 66 C:\Users\user\AppData\Local\...\Ft5lV6qZ.exe, PE32 20->66 dropped 68 C:\Users\user\AppData\Local\...\5LI84tk.exe, PE32 20->68 dropped 106 Antivirus detection for dropped file 20->106 108 Multi AV Scanner detection for dropped file 20->108 110 Machine Learning detection for dropped file 20->110 24 Ft5lV6qZ.exe 1 4 20->24         started        signatures7 process8 file9 70 C:\Users\user\AppData\Local\...\oK4Qc9bi.exe, PE32 24->70 dropped 72 C:\Users\user\AppData\Local\...\4wC820sy.exe, PE32 24->72 dropped 112 Antivirus detection for dropped file 24->112 114 Multi AV Scanner detection for dropped file 24->114 116 Machine Learning detection for dropped file 24->116 28 oK4Qc9bi.exe 1 4 24->28         started        32 4wC820sy.exe 24->32         started        signatures10 process11 file12 78 C:\Users\user\AppData\Local\...\Bg9VR0Pa.exe, PE32 28->78 dropped 80 C:\Users\user\AppData\Local\...\3nm6Jy04.exe, PE32 28->80 dropped 118 Antivirus detection for dropped file 28->118 120 Multi AV Scanner detection for dropped file 28->120 122 Machine Learning detection for dropped file 28->122 34 Bg9VR0Pa.exe 1 4 28->34         started        38 3nm6Jy04.exe 28->38         started        124 Writes to foreign memory regions 32->124 126 Allocates memory in foreign processes 32->126 128 Injects a PE file into a foreign processes 32->128 40 AppLaunch.exe 32->40         started        42 conhost.exe 32->42         started        44 WerFault.exe 32->44         started        signatures13 process14 file15 62 C:\Users\user\AppData\Local\...\2zU732PR.exe, PE32 34->62 dropped 64 C:\Users\user\AppData\Local\...\1Ds67zT4.exe, PE32 34->64 dropped 94 Antivirus detection for dropped file 34->94 96 Multi AV Scanner detection for dropped file 34->96 98 Machine Learning detection for dropped file 34->98 46 1Ds67zT4.exe 1 34->46         started        49 2zU732PR.exe 4 34->49         started        100 Tries to harvest and steal browser information (history, passwords, etc) 40->100 signatures16 process17 dnsIp18 130 Multi AV Scanner detection for dropped file 46->130 132 Machine Learning detection for dropped file 46->132 134 Contains functionality to inject code into remote processes 46->134 142 3 other signatures 46->142 52 AppLaunch.exe 46->52         started        55 AppLaunch.exe 13 46->55         started        58 WerFault.exe 21 9 46->58         started        60 conhost.exe 46->60         started        82 77.91.124.55, 19071, 49798, 49809 ECOTEL-ASRU Russian Federation 49->82 136 Antivirus detection for dropped file 49->136 138 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->138 140 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 49->140 signatures19 process20 dnsIp21 102 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->102 104 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->104 84 5.42.92.211, 49795, 49808, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 55->84 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37a81bd1ee8e13048f5a71bee31fa16b0065f84b90670474c4e6d9a3d5ffb32f/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-10-04 05:58:36 UTC
File Type:
PE (Exe)
Extracted files:
196
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g6ubxuporyjqjd22og7ogh5bnmagl6clsbtqi5ge43m2hvp7wmxq._file
Verdict:
malicious
Similar samples:
12fb005f8400051a07486a0b93e1429ec4db0ac2575d9eb1630e7d804813d60f
RedLineStealer
216e2221b99ee5579841f6a626348a6a8db8df0e2eb844b2618dc0164ace6489
RedLineStealer
26c8b7f5d0f9a0138e5ac0cd5b9d7c4ab9e9e16fbaa221117d7bf6464e85eb69
RedLineStealer
2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200
RedLineStealer
3c06b888fa64e1994ad92bda806599ea9cc2af64aaa33f7f77ba9f3e6f29c811
RedLineStealer
40e6462c4b45d7f081b00cdcd7c8106ee6fa786e4c06bcbaae181b19e20a994b
RedLineStealer
6914377ccb1e95eb5708d111909e5e3616f465303e246f5590a6d9d4b891089f
RedLineStealer
d69958c38bd04cd3b71d6e43032fb8466ffc5f7cf90d524120bfd23f9337cc8e
RedLineStealer
df005f88813d478d60f63d568c2dca197caa651e737408f1bc0a929ef9fccf86
RedLineStealer
ebb1f2b70c5a940af8c3d6065d3b1022d40f5cd48f3b5f88a9e41bdf35e20745
RedLineStealer
+ 209 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:mystic family:redline botnet:gigant infostealer persistence stealer
Link:
https://tria.ge/reports/231005-khk2vsbe95/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Detect Mystic stealer payload
Mystic
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
894b1a190c15f29e289f32e41746f16dc19e3601df15e6ba1adcf98da2d7f33a
MD5 hash:
f8e71cab06e9931f2b50ea349a71d798
SHA1 hash:
dea6ba1005fff9cd2a5f9041399483edb19bac4b
Link:
https://www.unpac.me/results/bd3ec8f1-9899-422d-b903-3385642bec82/
SH256 hash:
01850df2731617c0321bbf4cc223b3c9600d3e0909f51fd0d1621b53bbd71912
MD5 hash:
6c314fadafadfa3ad8a6f81c4d73d37f
SHA1 hash:
9499c20ef5c21e0f578afb2a5b71d78b5fe8794b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/bd3ec8f1-9899-422d-b903-3385642bec82/
SH256 hash:
9fd4e8338d20c7100b774817bbc54fba34ab4c619d73eaa86b1a6d45590cc11b
MD5 hash:
e35fa9f204c772b1fe9d41bc33cdcc61
SHA1 hash:
b58f8bc37f57f7a01e54f1725f29db95e30c6e61
Link:
https://www.unpac.me/results/bd3ec8f1-9899-422d-b903-3385642bec82/
SH256 hash:
1c3daf160e5e91e7395fda1013dda8d61c18fcbf5b5261b8108c68d18e7f9100
MD5 hash:
bb5eb3c40d8af2b136f2f4fdbf90137c
SHA1 hash:
bc318cb05128144a453059c12b66e6784192a43f
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/bd3ec8f1-9899-422d-b903-3385642bec82/
SH256 hash:
b921611452e2c8615c717a437d9de07eb6b6180e6e5a95fc4231edb4d25e411a
MD5 hash:
9cb2a87daee6e5b955520f42c74f4a04
SHA1 hash:
a52c8de0b7134c3beb2f074c36f2fd0b3fbf73cd
Link:
https://www.unpac.me/results/bd3ec8f1-9899-422d-b903-3385642bec82/
SH256 hash:
37a81bd1ee8e13048f5a71bee31fa16b0065f84b90670474c4e6d9a3d5ffb32f
MD5 hash:
aab63c233da2acf54393ba50f92bf7f5
SHA1 hash:
8b94aaa8002c4ab6665d86dd079783bcc15a78ee
Link:
https://www.unpac.me/results/bd3ec8f1-9899-422d-b903-3385642bec82/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/37a81bd1ee8e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37a81bd1ee8e13048f5a71bee31fa16b0065f84b90670474c4e6d9a3d5ffb32f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments