MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ebaa832b95aeb947d56fd40d009240b1a0d519fd09cc827aa4d725335758be5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ebaa832b95aeb947d56fd40d009240b1a0d519fd09cc827aa4d725335758be5
SHA3-384 hash: accf4790150aaaaccf67e76f3a9ff1df8ba28fd112a68003742d39edc9213063432f6aff590cf4faf6c6fd49ec455826
SHA1 hash: 4cea143bfd583e1c76260d147e75ecdb729e19d9
MD5 hash: e836fa8b8a11f4dfea767d8def8ee3c1
humanhash: west-hydrogen-lion-uranus
File name:e836fa8b8a11f4dfea767d8def8ee3c1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'722'368 bytes
First seen:2023-10-06 07:54:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:GAl5dLC3IeW2qMQoRQQlltqQE/6Qr0UJQU0Dn:19SIURGZSQr0d5
Threatray 1'767 similar samples on MalwareBazaar
TLSH T189852316B6D8C077CDB9AB7155FB62875A31FDA08A24E39B3345A44E4CBB9C19231333
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
73cf59fddb613a5381995e640546dada.exe
Verdict:
Malicious activity
Analysis date:
2023-10-05 17:46:41 UTC
Tags:
loader smoke opendir stealc stealer amadey botnet trojan redline
Link:
https://app.any.run/tasks/4d06265b-049d-4425-8301-8b05fbae0ced

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed redline rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/651fbd581e07d7e1e9b44da5/reports/a1c7dbd3-e6bb-4ee7-890e-d8ccb4c8eba9/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/4ebaa832b95aeb947d56fd40d009240b1a0d519fd09cc827aa4d725335758be5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffed36ef-292e-4ad3-b632-a875c6b78518
Result
Threat name:
Amadey, Babadeda, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320772
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1320772 Sample: cA5KnRUPbZ.exe Startdate: 06/10/2023 Architecture: WINDOWS Score: 100 82 Snort IDS alert for network traffic 2->82 84 Multi AV Scanner detection for domain / URL 2->84 86 Found malware configuration 2->86 88 14 other signatures 2->88 11 cA5KnRUPbZ.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 rundll32.exe 2->18         started        process3 file4 70 C:\Users\user\AppData\Local\...\wL4Cq6DC.exe, PE32 11->70 dropped 72 C:\Users\user\AppData\Local\...\6JT39Vi.exe, PE32 11->72 dropped 20 wL4Cq6DC.exe 1 4 11->20         started        process5 file6 62 C:\Users\user\AppData\Local\...\Yc1ZU3uM.exe, PE32 20->62 dropped 64 C:\Users\user\AppData\Local\...\5bR22vA.exe, PE32 20->64 dropped 98 Antivirus detection for dropped file 20->98 100 Multi AV Scanner detection for dropped file 20->100 102 Machine Learning detection for dropped file 20->102 24 Yc1ZU3uM.exe 1 4 20->24         started        signatures7 process8 file9 66 C:\Users\user\AppData\Local\...\rI9XI0oc.exe, PE32 24->66 dropped 68 C:\Users\user\AppData\Local\...\4MO321Qx.exe, PE32 24->68 dropped 108 Antivirus detection for dropped file 24->108 110 Multi AV Scanner detection for dropped file 24->110 112 Machine Learning detection for dropped file 24->112 28 rI9XI0oc.exe 1 4 24->28         started        32 4MO321Qx.exe 24->32         started        signatures10 process11 file12 74 C:\Users\user\AppData\Local\...\Tr5pU3PI.exe, PE32 28->74 dropped 76 C:\Users\user\AppData\Local\...\3wT8MK79.exe, PE32 28->76 dropped 114 Antivirus detection for dropped file 28->114 116 Multi AV Scanner detection for dropped file 28->116 118 Machine Learning detection for dropped file 28->118 34 Tr5pU3PI.exe 1 4 28->34         started        38 3wT8MK79.exe 28->38         started        120 Writes to foreign memory regions 32->120 122 Allocates memory in foreign processes 32->122 124 Injects a PE file into a foreign processes 32->124 40 AppLaunch.exe 32->40         started        42 AppLaunch.exe 32->42         started        44 WerFault.exe 32->44         started        signatures13 process14 file15 58 C:\Users\user\AppData\Local\...\2SD430rm.exe, PE32 34->58 dropped 60 C:\Users\user\AppData\Local\...\1jP63wW9.exe, PE32 34->60 dropped 90 Antivirus detection for dropped file 34->90 92 Multi AV Scanner detection for dropped file 34->92 94 Machine Learning detection for dropped file 34->94 46 1jP63wW9.exe 34->46         started        49 2SD430rm.exe 4 34->49         started        96 Tries to harvest and steal browser information (history, passwords, etc) 40->96 signatures16 process17 dnsIp18 126 Multi AV Scanner detection for dropped file 46->126 128 Contains functionality to inject code into remote processes 46->128 130 Writes to foreign memory regions 46->130 140 2 other signatures 46->140 52 AppLaunch.exe 13 46->52         started        56 WerFault.exe 22 16 46->56         started        78 77.91.124.55, 19071, 49694, 49698 ECOTEL-ASRU Russian Federation 49->78 132 Antivirus detection for dropped file 49->132 134 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->134 136 Machine Learning detection for dropped file 49->136 138 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 49->138 signatures19 process20 dnsIp21 80 5.42.92.211, 49689, 49697, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 52->80 104 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->104 106 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->106 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ebaa832b95aeb947d56fd40d009240b1a0d519fd09cc827aa4d725335758be5/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-10-05 13:22:28 UTC
File Type:
PE (Exe)
Extracted files:
194
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j25kqmvzllvzi7kw7vanacjebmna2um72comqj5kjvzfgnlvrpsq._file
Verdict:
malicious
Similar samples:
3189e5fd5c5ad071968b0966525581bdab5ca86d16af194d9a38452279c60543
RedLineStealer
38e769addc2d07c0aaba3bf8fa9044da97ca1723b9efc3dd8ceb166d7f811cde
RedLineStealer
502714051f40a9ad7faf861e43514769da5c61da47005ac4ac3dd8883fb9e916
RedLineStealer
9cde09a53bc455b9f22d8e8a3f54460fee58adfe365e85f7cc3f7bbe96947b46
RedLineStealer
9f78f23917333e4e4ee095e36f159d24d29117296c458b748831d4c0ede6b938
RedLineStealer
dab0d575cb650dae64243a3e53d3e2de98e25d819d1f87212fcbe38e54135cc0
RedLineStealer
ef35bb50d1328df4526a49ef3e02e2bf2a52629508ad6d767944a614606c36bc
RedLineStealer
fb490bbd9f7d9b7365486282fdc05fe808535f1277a3fbfac50c35130b9e2620
RedLineStealer
fe08452040cf960e4d27560e18d8a8d6148301fb12ffb3024e5b33ff98f807ab
RedLineStealer
fe182a0706aa566412d2278ad6910720e7bc8dc5f3a411ba41472e013a24fa1e
RedLineStealer
+ 1'757 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:mystic family:redline botnet:gigant infostealer persistence stealer
Link:
https://tria.ge/reports/231006-jr5beshg8t/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Detect Mystic stealer payload
Mystic
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
3a3ab1c82b1ef95263ab2cb67aef22d53be899074a549543ba0f4a1a32a4dc11
MD5 hash:
4e489b25714f8f332dcd0c3e718cbaa7
SHA1 hash:
c0e46974529ef2db0c09e54bffde805619234d2b
Link:
https://www.unpac.me/results/15952096-4aa3-45ad-be0f-edb66084e231/
SH256 hash:
23a298c2288bca81ae2c34d4294aac3c5629bf22238e2a2a43c51eb0847f1a04
MD5 hash:
5b5c08918dc0ab7dcb7c8239a16d54ac
SHA1 hash:
7ed33f61000684a197388d267fd30709af644321
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/15952096-4aa3-45ad-be0f-edb66084e231/
Parent samples :
edc49849947a973a3f5657673e3a650901671d91b6ce04dff732211a5ebf0550
4ebaa832b95aeb947d56fd40d009240b1a0d519fd09cc827aa4d725335758be5
524c542d86becde4151b471d53c1c443ec4d3b6d241b78bbb517bf0f7acee684
SH256 hash:
38d470859bfa0447b4ae9a81606e1120109e6a88a1c633f2ac547d1662928df2
MD5 hash:
2822b15ab45d6aa1c952d18ceca7d9d0
SHA1 hash:
ebb43db67768fa42dcaf34d1212d069171e995ed
Link:
https://www.unpac.me/results/15952096-4aa3-45ad-be0f-edb66084e231/
SH256 hash:
b0f782bd9a911e301fdc03c275f29758f4c321727675d9f3023335437e341b48
MD5 hash:
186c98624bee4eb1dce71ca2feb0a8d4
SHA1 hash:
243399e8db69cbcf9362ec78eb525c81447e961d
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/15952096-4aa3-45ad-be0f-edb66084e231/
SH256 hash:
7a126d09cd3f4ce95a2c54b3d4072fd6865df6d2ff2c71f4cc571ff2cab60bfe
MD5 hash:
2431c81d35de6ea933ef50b8f289617f
SHA1 hash:
b5eb3948c1f2e061799877b74bbd37f350c65a44
Link:
https://www.unpac.me/results/15952096-4aa3-45ad-be0f-edb66084e231/
SH256 hash:
4ebaa832b95aeb947d56fd40d009240b1a0d519fd09cc827aa4d725335758be5
MD5 hash:
e836fa8b8a11f4dfea767d8def8ee3c1
SHA1 hash:
4cea143bfd583e1c76260d147e75ecdb729e19d9
Link:
https://www.unpac.me/results/15952096-4aa3-45ad-be0f-edb66084e231/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ebaa832b95aeb947d56fd40d009240b1a0d519fd09cc827aa4d725335758be5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments