MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5403268ea1575083dab2c9f9bc47c18da59014732302beed406a0a47e74a3d9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5403268ea1575083dab2c9f9bc47c18da59014732302beed406a0a47e74a3d9b
SHA3-384 hash: cdde02e7703efe7aabaecc31e55b7e68ef2f43055b646589c17f204976d6cf485a21990602e23bbeec30b80a0b48254f
SHA1 hash: 8cc949fb81939a0d1b66246c859f8a04e26fe0fc
MD5 hash: 9bd7b73254811f7180bde59df0521ffe
humanhash: ten-violet-cardinal-juliet
File name:231210-12-RisePro-aa35d9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'803'712 bytes
First seen:2024-07-24 12:12:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:8EPJi6PIs6mU+ygzfEJNveiQRQHceofAkYeLob13vH+tTxjF6:nABhgzi3WSvofAkYeIHoT2
Threatray 1'142 similar samples on MalwareBazaar
TLSH T13DD53377D6E5C9A6E8B167B024F302472E2EBF602D34D7E7AB018D5A18B3245D572233
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter Anonymous
Tags:exe RedLineStealer


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
323
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a0efd56f74caeb2f89b6a1
Tags:
Execution Generic Network Static Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
90%
Tags:
advpack CAB explorer fingerprint installer keylogger lolbin microsoft_visual_cc packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/66a0efd19149fd55f98fd806/reports/5434434e-07f0-4faf-a0b4-a3790fa19b13/overview
Verdict:
Malicious
Labled as:
Wapomi.BA virus
Link:
https://www.hybrid-analysis.com/sample/5403268ea1575083dab2c9f9bc47c18da59014732302beed406a0a47e74a3d9b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RisePro Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e390c48-b44a-4d1e-88ca-5d3f6f135c15
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1480040
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5403268ea1575083dab2c9f9bc47c18da59014732302beed406a0a47e74a3d9b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5403268ea1575083dab2c9f9bc47c18da59014732302beed406a0a47e74a3d9b/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 12:13:15 UTC
File Type:
PE (Exe)
Extracted files:
221
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kqbsndvbk5iihwvszh43yr6brwszafdtembl53kanifepz2khwnq._file
Verdict:
malicious
Similar samples:
02aa4888eac637168f1b0c1aef99ed0703d15fd9cc419103f328d36f225f482f
RedLineStealer
5e1c1fe206f1a77acc98ab7256c10c1477924786d96d8b079ac2218f20ac582c
RedLineStealer
7c0ac5d1c9d4be8b901475a65521d770e14487c2a993ecf8bc432ee3dfbf9d1c
RedLineStealer
c4a844e31520ffff519cc4aea8acce0eff61cf4f54566964febbde1be29a8712
RedLineStealer
+ 1'132 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro aspackv2 discovery loader persistence stealer
Link:
https://tria.ge/reports/240724-pdr2tsycjf/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
ASPack v2.12-2.42
Checks computer location settings
Drops startup file
Executes dropped EXE
PrivateLoader
RisePro
Malware Config
C2 Extraction:
193.233.132.51
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eef0d091-a222-4cee-bb86-2db1091bd8f6
Unpacked files
SH256 hash:
4b51c393104af7970c54b872bc91f1af6b89457e49f6d6df2c917e0111a18738
MD5 hash:
392cf6ddab6eced22a91245e612c777c
SHA1 hash:
8920bcee1bda44af19aa6a6f0373311dcceac6b1
Link:
https://www.unpac.me/results/6173c509-7ecb-4f60-9d28-500c04b60339/
SH256 hash:
3860bed5cf0c3cdd4fee286fce5ab7e9d294dc38af7b89b6a6d98ae9e914f59a
MD5 hash:
d2c1edfa4bdc409bad5f8d8e76cf943a
SHA1 hash:
9f358c61da5810a1505b51cf4b8265a4a0fc63cb
Link:
https://www.unpac.me/results/6173c509-7ecb-4f60-9d28-500c04b60339/
SH256 hash:
75942bf4b23a5a6ab7f2d8d4f9b750f95a00ea0c95de128606dbfd7bd4831e34
MD5 hash:
9cd0b677b4ca37ec6aa66ff0b57743cf
SHA1 hash:
40978f1f91608c43dc8910fffdca5316d9ab904b
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/6173c509-7ecb-4f60-9d28-500c04b60339/
Parent samples :
5e1c1fe206f1a77acc98ab7256c10c1477924786d96d8b079ac2218f20ac582c
c4a844e31520ffff519cc4aea8acce0eff61cf4f54566964febbde1be29a8712
5403268ea1575083dab2c9f9bc47c18da59014732302beed406a0a47e74a3d9b
SH256 hash:
76af3240214dd83aba41c953adb0fa8df7b1bd48941a31f95397762201da42f0
MD5 hash:
32d15b3f4912d6cebe40122ae2e55973
SHA1 hash:
088345f7479fe0e62ae33f9ee7e4dab08dbbc067
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/6173c509-7ecb-4f60-9d28-500c04b60339/
SH256 hash:
378de44fde3443538363d70fe9240ff19eef5f92393ddbfcb4cb856691d775d0
MD5 hash:
c72f666e37ca22664038a674f7205829
SHA1 hash:
dfe3ca004f12daa3303e9aaef9d221d0e68aa606
Link:
https://www.unpac.me/results/6173c509-7ecb-4f60-9d28-500c04b60339/
SH256 hash:
73ca36c20fbeb4562c8e9613b592b927661b1985acf59d6a16b0c12501d3c7ee
MD5 hash:
c00088c8e74b61be995331c78ec9857d
SHA1 hash:
559262297692e8208e3fa54019609af892bb96c2
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/6173c509-7ecb-4f60-9d28-500c04b60339/
SH256 hash:
5403268ea1575083dab2c9f9bc47c18da59014732302beed406a0a47e74a3d9b
MD5 hash:
9bd7b73254811f7180bde59df0521ffe
SHA1 hash:
8cc949fb81939a0d1b66246c859f8a04e26fe0fc
Link:
https://www.unpac.me/results/6173c509-7ecb-4f60-9d28-500c04b60339/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 5403268ea1575083dab2c9f9bc47c18da59014732302beed406a0a47e74a3d9b

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments