MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5304b4f24c9283fab4e768233a26e2cb6a40cedabbcdb711588feee0361692bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5304b4f24c9283fab4e768233a26e2cb6a40cedabbcdb711588feee0361692bf
SHA3-384 hash: 5b23de0697adf977a1d8acc9634779b9e41d2490110995b7cbd82e25397a21000041a06bab1457554dc28c0d5d7a5df7
SHA1 hash: 35fa46a82edba147fdd4a2751f7f1a7ea203a4d9
MD5 hash: 751b48d719e1fca2bda5f16480e8bc85
humanhash: queen-crazy-video-steak
File name:wextract.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'390'080 bytes
First seen:2023-10-27 00:27:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:fyqFuPWBmN2mqv+h3gigW8KT5ISsQV3JRiroQVUOeUSedULa+:qqFwVJ6w3gIT5JPVZ4xebtW
Threatray 2'224 similar samples on MalwareBazaar
TLSH T19A552311B3DC613BE9F127B084F60A930A3BBCA11C65CB4B1B59D0986C73AD5B532B67
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:Amadey exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
404
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456624/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer greyware installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/653b0412bc703e36b08f9136/reports/fe2cceea-ba16-47c5-8202-c9e60b33edef/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5304b4f24c9283fab4e768233a26e2cb6a40cedabbcdb711588feee0361692bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/40eb0b7a-abea-4b8b-b62c-a4ec49c1e686
Result
Threat name:
Amadey, Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1333044
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1333044 Sample: wextract.exe Startdate: 27/10/2023 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 14 other signatures 2->70 10 wextract.exe 1 4 2->10         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        17 rundll32.exe 2->17         started        process3 file4 52 C:\Users\user\AppData\Local\...\UR4jf4pv.exe, PE32 10->52 dropped 54 C:\Users\user\AppData\Local\...\5Tl19rh.exe, PE32 10->54 dropped 19 UR4jf4pv.exe 1 4 10->19         started        process5 file6 44 C:\Users\user\AppData\Local\...\Cm6LD8uU.exe, PE32 19->44 dropped 46 C:\Users\user\AppData\Local\...\4QD330tD.exe, PE32 19->46 dropped 88 Antivirus detection for dropped file 19->88 90 Multi AV Scanner detection for dropped file 19->90 92 Machine Learning detection for dropped file 19->92 23 Cm6LD8uU.exe 1 4 19->23         started        signatures7 process8 file9 48 C:\Users\user\AppData\Local\...behaviorgraphU4bi5we.exe, PE32 23->48 dropped 50 C:\Users\user\AppData\Local\...\3Bz6tq00.exe, PE32 23->50 dropped 94 Antivirus detection for dropped file 23->94 96 Multi AV Scanner detection for dropped file 23->96 98 Machine Learning detection for dropped file 23->98 27 GU4bi5we.exe 1 4 23->27         started        31 3Bz6tq00.exe 12 23->31         started        signatures10 process11 file12 56 C:\Users\user\AppData\Local\...\2xV122Gv.exe, PE32 27->56 dropped 58 C:\Users\user\AppData\Local\...\1ep95yZ9.exe, PE32 27->58 dropped 100 Antivirus detection for dropped file 27->100 102 Multi AV Scanner detection for dropped file 27->102 104 Machine Learning detection for dropped file 27->104 33 2xV122Gv.exe 4 27->33         started        37 1ep95yZ9.exe 27->37         started        signatures13 process14 dnsIp15 60 77.91.124.86, 19084, 49714 ECOTEL-ASRU Russian Federation 33->60 72 Antivirus detection for dropped file 33->72 74 Multi AV Scanner detection for dropped file 33->74 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->76 84 2 other signatures 33->84 78 Machine Learning detection for dropped file 37->78 80 Contains functionality to inject code into remote processes 37->80 82 Writes to foreign memory regions 37->82 86 2 other signatures 37->86 39 AppLaunch.exe 12 37->39         started        42 AppLaunch.exe 37->42         started        signatures16 process17 dnsIp18 62 193.233.255.73, 49713, 49719, 80 FREE-NET-ASFREEnetEU Russian Federation 39->62
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5304b4f24c9283fab4e768233a26e2cb6a40cedabbcdb711588feee0361692bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5304b4f24c9283fab4e768233a26e2cb6a40cedabbcdb711588feee0361692bf/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 11:08:41 UTC
File Type:
PE (Exe)
Extracted files:
154
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kmclj4smskb7vnhhnartujxcznvebtw2xpg3oekyr7xoanqwsk7q._file
Verdict:
malicious
Similar samples:
15cba6399670fb23e90939e012db772adc6922cd160d5dddcf6f4eed2c888d43
RedLineStealer
1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
RedLineStealer
34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181
RedLineStealer
488b9084451ceb07b7b18b45ac27ba066d76d81aad5c484c5c13a692345c7bf6
RedLineStealer
68c52b5d06a02d8382c159de27eceb800d1c5f8ca21c03b00f17a9af11ee250d
RedLineStealer
6d9b4a93f740f8bfcb75f34163e4a8e5eba03c0a61b187c356011f7f367246d4
RedLineStealer
6ecf835556c666d9c17c11473060876684c92536382867c591c66110ff225f7c
RedLineStealer
ba3ca45f59a351649b82a187dab6af4b79462528d2d5355dd85ff107a726e76c
RedLineStealer
f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7
RedLineStealer
fcf8b3334a4c5863aa1006ca4674c344f1f39c2ca19a010722671494c14e985b
RedLineStealer
+ 2'214 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kinza infostealer persistence
Link:
https://tria.ge/reports/231027-asbwtsab9y/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.86:19084
Unpacked files
SH256 hash:
8394b174d1bda0535a811332764ebb855322867b9963ba6a08b80c895171888f
MD5 hash:
e2c052cd35d7fb18572db56928a503aa
SHA1 hash:
fa22fa3c290fe08c2c584d67dc81a57e32c27915
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a051560d-dd06-4518-9a5b-ec65a7ac68f1/
Parent samples :
3680ede6eabfe3bccd20d0ce40a5088667d190274da41859bc0a23992c8a52c1
63b9c85d5ca8b8c285086308c361b6a353758864593e489ae3711721dd5b89c9
5304b4f24c9283fab4e768233a26e2cb6a40cedabbcdb711588feee0361692bf
SH256 hash:
d46cceda7cce2b680a7942766045683379e87950320403c53b453afe7afa633e
MD5 hash:
c5412836d2c3d39d97ab8ab8d2ddb775
SHA1 hash:
d9a637fa9864f877c30ffcdcfede1bdda67a70eb
Link:
https://www.unpac.me/results/a051560d-dd06-4518-9a5b-ec65a7ac68f1/
SH256 hash:
c0e24d8bb7d379b16ddacb2b4aadbe0fb30d4e5e0d02ba363faafee02a1d7fe6
MD5 hash:
c18b3bf8b3c7e6571d3ca85e1c77aca9
SHA1 hash:
7284d7194b2ebc2cce7b87e088a0f75311c903e8
Link:
https://www.unpac.me/results/a051560d-dd06-4518-9a5b-ec65a7ac68f1/
SH256 hash:
5f17f18ca5a1b4f2191a940238243b780a7a0dfa97554e8b1a32cefc2f7d1c20
MD5 hash:
eeb25c33b5ae9171c98bf3540c282abc
SHA1 hash:
8aa7e92431c3d6bfb1bf4b03a513e9cf7eda8f09
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/a051560d-dd06-4518-9a5b-ec65a7ac68f1/
Parent samples :
5304b4f24c9283fab4e768233a26e2cb6a40cedabbcdb711588feee0361692bf
f5b56456c023f9abab5df3b60b4790a5541ddf8453769b6835ca43956770d423
SH256 hash:
5304b4f24c9283fab4e768233a26e2cb6a40cedabbcdb711588feee0361692bf
MD5 hash:
751b48d719e1fca2bda5f16480e8bc85
SHA1 hash:
35fa46a82edba147fdd4a2751f7f1a7ea203a4d9
Link:
https://www.unpac.me/results/a051560d-dd06-4518-9a5b-ec65a7ac68f1/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5304b4f24c92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/14ffce37-480c-4861-a9b6-f8ddaeef514c
Cape
Cape
https://www.capesandbox.com/analysis/456624/

Comments