MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 430eb0d6289795bbc9edf659b47acfa6af05ffc3df47cff2400697eda1b8ab02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 430eb0d6289795bbc9edf659b47acfa6af05ffc3df47cff2400697eda1b8ab02
SHA3-384 hash: 6414acf5acf602fbabea8437b8e3b0823cc7d42913dc50b1c9389f5ebd0298f948e78e4dc3ae7931718f57fcdd3998cf
SHA1 hash: 62af47f7194159697008675cb79e40c88aef1876
MD5 hash: 4739c10bc467fdd9ae56b5ebedd3abaf
humanhash: robert-connecticut-diet-mirror
File name:4739c10bc467fdd9ae56b5ebedd3abaf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:253'304 bytes
First seen:2023-09-11 02:10:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep 6144:8KIUFz6DCGbAR/VeDC1tAOXcCik90GST5urBiIg:8YFzaC+Uji+0GST5urBiIg
Threatray 1'361 similar samples on MalwareBazaar
TLSH T11934AE1074D9C632D8F2153609FCFBB55A3EB9600BA259EF93A40F7E4F202C19B35A56
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
162.33.179.91:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4739c10bc467fdd9ae56b5ebedd3abaf.exe
Verdict:
No threats detected
Analysis date:
2023-09-11 02:12:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2ee5d3fe-a6c8-4973-8370-f564c0163856

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447793/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.15551.31491.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin mokes overlay packed
Link:
https://www.filescan.io/uploads/64fe7737503973c35697fc58/reports/a585e1e0-a81f-4133-91e4-1be8b4f34900/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/430eb0d6289795bbc9edf659b47acfa6af05ffc3df47cff2400697eda1b8ab02
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d1603eae-99b1-4130-a7c5-d34a7304d913
Result
Threat name:
Amadey, Mystic Stealer, RedLine, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306981
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306981 Sample: fehIpw8dQA.exe Startdate: 11/09/2023 Architecture: WINDOWS Score: 100 160 Snort IDS alert for network traffic 2->160 162 Found malware configuration 2->162 164 Malicious sample detected (through community Yara rule) 2->164 166 11 other signatures 2->166 12 fehIpw8dQA.exe 1 2->12         started        15 wjgibvs 2->15         started        17 oneetx.exe 2->17         started        process3 signatures4 200 Contains functionality to inject code into remote processes 12->200 202 Writes to foreign memory regions 12->202 204 Allocates memory in foreign processes 12->204 206 Injects a PE file into a foreign processes 12->206 19 AppLaunch.exe 12->19         started        22 WerFault.exe 21 9 12->22         started        25 conhost.exe 12->25         started        process5 dnsIp6 168 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->168 170 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->170 172 Maps a DLL or memory area into another process 19->172 174 2 other signatures 19->174 27 explorer.exe 4 12 19->27 injected 130 192.168.2.1 unknown unknown 22->130 signatures7 process8 dnsIp9 136 79.137.192.18, 49715, 80 PSKSET-ASRU Russian Federation 27->136 138 77.91.68.29, 49704, 49706, 49708 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 27->138 140 2 other IPs or domains 27->140 118 C:\Users\user\AppData\Roaming\wjgibvs, PE32 27->118 dropped 120 C:\Users\user\AppData\Local\Temp742.exe, PE32 27->120 dropped 122 C:\Users\user\AppData\Local\Temp\966D.exe, PE32 27->122 dropped 124 3 other malicious files 27->124 dropped 224 System process connects to network (likely due to code injection or exploit) 27->224 226 Benign windows process drops PE files 27->226 228 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->228 32 7A24.exe 4 27->32         started        36 E742.exe 4 27->36         started        38 2F3B.exe 27->38         started        40 2 other processes 27->40 file10 signatures11 process12 dnsIp13 96 C:\Users\user\AppData\Local\...\x3430751.exe, PE32 32->96 dropped 98 C:\Users\user\AppData\Local\...\k3221573.exe, PE32 32->98 dropped 146 Antivirus detection for dropped file 32->146 148 Machine Learning detection for dropped file 32->148 43 x3430751.exe 4 32->43         started        100 C:\Users\user\AppData\Local\...\y7543513.exe, PE32 36->100 dropped 102 C:\Users\user\AppData\Local\...\p7494660.exe, PE32 36->102 dropped 47 y7543513.exe 36->47         started        49 p7494660.exe 36->49         started        104 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 38->104 dropped 150 Multi AV Scanner detection for dropped file 38->150 51 oneetx.exe 38->51         started        132 162.33.179.91, 49721, 80 CORENETUS United States 40->132 134 api.ip.sb 40->134 152 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->152 154 Found many strings related to Crypto-Wallets (likely being stolen) 40->154 156 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->156 158 5 other signatures 40->158 54 vbc.exe 40->54         started        file14 signatures15 process16 dnsIp17 110 C:\Users\user\AppData\Local\...\x8852012.exe, PE32 43->110 dropped 112 C:\Users\user\AppData\Local\...\j3830880.exe, PE32 43->112 dropped 208 Antivirus detection for dropped file 43->208 210 Machine Learning detection for dropped file 43->210 56 x8852012.exe 4 43->56         started        60 j3830880.exe 43->60         started        114 C:\Users\user\AppData\Local\...\n5147766.exe, PE32 47->114 dropped 116 C:\Users\user\AppData\Local\...\m6980822.exe, PE32 47->116 dropped 62 n5147766.exe 47->62         started        65 m6980822.exe 47->65         started        67 conhost.exe 49->67         started        126 5.42.65.80, 49719, 49720, 49722 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 51->126 212 Multi AV Scanner detection for dropped file 51->212 214 Creates an undocumented autostart registry key 51->214 216 Uses schtasks.exe or at.exe to add and modify task schedules 51->216 69 cmd.exe 51->69         started        71 schtasks.exe 51->71         started        128 176.123.9.85, 16482, 49716 ALEXHOSTMD Moldova Republic of 54->128 218 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 54->218 220 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 54->220 222 Tries to steal Crypto Currency Wallets 54->222 file18 signatures19 process20 dnsIp21 106 C:\Users\user\AppData\Local\...\i5425630.exe, PE32 56->106 dropped 108 C:\Users\user\AppData\Local\...\g7862611.exe, PE32 56->108 dropped 176 Antivirus detection for dropped file 56->176 178 Machine Learning detection for dropped file 56->178 73 i5425630.exe 56->73         started        76 g7862611.exe 1 56->76         started        142 77.91.124.82, 19071, 49713, 49714 ECOTEL-ASRU Russian Federation 62->142 180 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 62->180 182 Found many strings related to Crypto-Wallets (likely being stolen) 62->182 184 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 62->184 144 5.42.92.211, 49710, 49747, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 65->144 78 conhost.exe 69->78         started        80 cmd.exe 69->80         started        82 cacls.exe 69->82         started        86 4 other processes 69->86 84 conhost.exe 71->84         started        file22 signatures23 process24 signatures25 186 Antivirus detection for dropped file 73->186 188 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 73->188 190 Machine Learning detection for dropped file 73->190 192 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 73->192 194 Writes to foreign memory regions 76->194 196 Allocates memory in foreign processes 76->196 198 Injects a PE file into a foreign processes 76->198 88 WerFault.exe 10 76->88         started        90 AppLaunch.exe 1 76->90         started        92 conhost.exe 76->92         started        94 2 other processes 76->94 process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/430eb0d6289795bbc9edf659b47acfa6af05ffc3df47cff2400697eda1b8ab02/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-11 01:01:15 UTC
File Type:
PE (Exe)
AV detection:
24 of 38 (63.16%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=imhlbvris6k3xspn6zm3i6wpu2xql76d35d474saa2l63inyvmba._file
Verdict:
malicious
Similar samples:
0294faa68b618c5cb0869e7406143a0c88bff12f088c971c18c08f02402fc547
RedLineStealer
4f43c48c1df992655ef87a5175430373b1473b48ebd7f71daae5f9591d2845c4
RedLineStealer
5072ed5c16cbc6929b8d9ac82dba2a10f84e14530a11eb374141e630d722e261
RedLineStealer
50cc9cb7c31ef6c3986fd7e33e6614f8cfb2dd27cf2943fc31d1e10ee537407b
RedLineStealer
845321e0072b6a37c502b6f5992d8e750ac254c3b09c9e55874722fae5ba87d4
RedLineStealer
8a1640e3f411bfda8da2d5d864f540593c41522ae41fbd2d70c3604541833f69
RedLineStealer
9a9a05d1de3b25de07c0dc6f600f6654baf16df322e56f8d2fbdebb3cb9128cb
RedLineStealer
9e50dd42e96278ab98545d41a8ae9a6afe7377c76355ecf28f3c9415651feb31
RedLineStealer
b7c682b78e3d244d9eec10441d7fc1db9a95b448c512c323412b3f18c0419c53
RedLineStealer
d58dd05a91383a252099a172f8a8dae59042f3e817b3822c076652008c8ccdf7
RedLineStealer
+ 1'351 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:smokeloader backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230911-cl9wdsda3y/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Amadey
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
http://5.42.65.80/8bmeVwqx/index.php
Unpacked files
SH256 hash:
430eb0d6289795bbc9edf659b47acfa6af05ffc3df47cff2400697eda1b8ab02
MD5 hash:
4739c10bc467fdd9ae56b5ebedd3abaf
SHA1 hash:
62af47f7194159697008675cb79e40c88aef1876
Link:
https://www.unpac.me/results/91b96a22-8009-4fb8-a8c8-139e2867efa5/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/430eb0d62897/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/430eb0d6289795bbc9edf659b47acfa6af05ffc3df47cff2400697eda1b8ab02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 430eb0d6289795bbc9edf659b47acfa6af05ffc3df47cff2400697eda1b8ab02

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710381/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447793/

Comments