MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369
SHA3-384 hash: 955874ad64ed50ddad267098d891c8cbab00f4f5d3176ebc9bfb6c10f5fe89a5adcc10af06c42af800a1d0042edf7114
SHA1 hash: f882c4b68aac7366d434bfc7f2936d24e9ac0e21
MD5 hash: 1d3e10adc7685d83f72d99f44fe63a27
humanhash: uncle-quebec-high-georgia
File name:1d3e10adc7685d83f72d99f44fe63a27.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:176'640 bytes
First seen:2023-08-01 20:35:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:lAMV836sv0W7T/lwNrH3LJEpdqkOmcAiPxNAhYQH1bu9NuyKQJ9Q50GkRI8e8h+:aE+dmLenqkLchPxNHgyXxJ9Q5r8e8h+
TLSH T18904D568364B69BEC97F887D9C600CE0667CBC665246A7079C8EF0E43D3A7819F151F2
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 10f0d4d0d4d4cc33 (299 x RedLineStealer, 1 x N-W0rm, 1 x LaplasClipper)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
85.209.3.10:11615

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
1d3e10adc7685d83f72d99f44fe63a27.exe
Verdict:
Malicious activity
Analysis date:
2023-08-01 20:37:51 UTC
Tags:
rat redline loader amadey trojan laplasclipper
Link:
https://app.any.run/tasks/a58d33fc-6028-460a-bdf8-625fe9537838

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439683/
Detection(s):
Win.Packed.Lazy-9958163-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
DNS request
Delayed reading of the file
Adding an access-denied ACE
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex lolbin packed packed redline replace stealer
Link:
https://www.filescan.io/uploads/64c96cb394fb102ea38bda30/reports/28b23c53-bd6e-4032-a06e-abb45966198a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df6b6067-89e1-4926-8981-ddbc8d92057d
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284032
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Posts data to a JPG file (protocol mismatch)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1284032 Sample: UXG9LpQYF2.exe Startdate: 01/08/2023 Architecture: WINDOWS Score: 100 98 second.amadgood.com 2->98 100 api.ip.sb 2->100 114 Snort IDS alert for network traffic 2->114 116 Found malware configuration 2->116 118 Malicious sample detected (through community Yara rule) 2->118 120 15 other signatures 2->120 10 UXG9LpQYF2.exe 15 8 2->10         started        15 cmd.exe 2->15         started        17 cmd.exe 2->17         started        19 6 other processes 2->19 signatures3 process4 dnsIp5 108 85.209.3.10, 11615, 49701 SQUITTER-NETWORKSNL Russian Federation 10->108 110 194.180.49.153, 49702, 49703, 49706 LVLT-10753US Germany 10->110 90 C:\Users\user\AppData\...\taskmaskamd.exe, PE32 10->90 dropped 92 C:\Users\user\AppData\Local\...\taskmask.exe, PE32 10->92 dropped 94 C:\Users\user\AppData\Local\...\rdpcllp.exe, PE32+ 10->94 dropped 96 C:\Users\user\AppData\...\UXG9LpQYF2.exe.log, ASCII 10->96 dropped 166 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->166 168 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->168 170 Tries to harvest and steal browser information (history, passwords, etc) 10->170 172 Tries to steal Crypto Currency Wallets 10->172 21 taskmaskamd.exe 3 10->21         started        25 rdpcllp.exe 10->25         started        27 taskmask.exe 10->27         started        174 Uses powercfg.exe to modify the power settings 15->174 176 Modifies power options to not sleep / hibernate 15->176 29 conhost.exe 15->29         started        31 sc.exe 15->31         started        35 4 other processes 15->35 37 5 other processes 17->37 178 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->178 33 conhost.exe 19->33         started        39 9 other processes 19->39 file6 signatures7 process8 file9 76 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 21->76 dropped 140 Multi AV Scanner detection for dropped file 21->140 142 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->142 41 oneetx.exe 25 21->41         started        78 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 25->78 dropped 80 C:\Windows\System32\drivers\etc\hosts, ASCII 25->80 dropped 144 Query firmware table information (likely to detect VMs) 25->144 146 Modifies the hosts file 25->146 148 Adds a directory exclusion to Windows Defender 25->148 156 2 other signatures 25->156 150 Writes to foreign memory regions 27->150 152 Allocates memory in foreign processes 27->152 154 Injects a PE file into a foreign processes 27->154 46 conhost.exe 27->46         started        48 AppLaunch.exe 27->48         started        50 WerFault.exe 27->50         started        signatures10 process11 dnsIp12 102 45.15.156.208, 49704, 49705, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 41->102 104 192.168.2.1 unknown unknown 41->104 106 second.amadgood.com 41->106 82 C:\Users\user\AppData\...\taskhostclp.exe, MS-DOS 41->82 dropped 84 C:\Users\user\AppData\Local\...\rdpcllp.exe, PE32+ 41->84 dropped 86 C:\Users\user\AppData\Local\...\taskmask.exe, PE32 41->86 dropped 88 3 other malicious files 41->88 dropped 158 Multi AV Scanner detection for dropped file 41->158 160 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 41->160 162 Creates an undocumented autostart registry key 41->162 164 Uses schtasks.exe or at.exe to add and modify task schedules 41->164 52 rdpcllp.exe 41->52         started        55 taskhostclp.exe 41->55         started        57 taskmask.exe 1 41->57         started        59 2 other processes 41->59 file13 signatures14 process15 signatures16 122 Multi AV Scanner detection for dropped file 52->122 124 Query firmware table information (likely to detect VMs) 52->124 126 Adds a directory exclusion to Windows Defender 52->126 128 Tries to detect sandboxes and other dynamic analysis tools (window names) 55->128 130 Hides threads from debuggers 55->130 132 Tries to detect sandboxes / dynamic malware analysis system (registry check) 55->132 134 Writes to foreign memory regions 57->134 136 Allocates memory in foreign processes 57->136 138 Injects a PE file into a foreign processes 57->138 61 AppLaunch.exe 57->61         started        64 conhost.exe 57->64         started        66 WerFault.exe 57->66         started        68 conhost.exe 59->68         started        70 conhost.exe 59->70         started        72 cmd.exe 1 59->72         started        74 5 other processes 59->74 process17 dnsIp18 112 128.199.192.86 DIGITALOCEAN-ASNUS United Kingdom 61->112
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 03:21:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=or5ehsbmjijrldnhvxdggs5ook23pkx43equzpjgss7v2yezsnuq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:laplas family:redline botnet:280723_red_fox clipper evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/230801-zdj2bscb2z/
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Drops file in Drivers directory
Stops running service(s)
Amadey
Laplas Clipper
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
85.209.3.10:11615
45.15.156.208/jd9dd3Vw/index.php
second.amadgood.com/jd9dd3Vw/index.php
http://206.189.229.43
Unpacked files
SH256 hash:
747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369
MD5 hash:
1d3e10adc7685d83f72d99f44fe63a27
SHA1 hash:
f882c4b68aac7366d434bfc7f2936d24e9ac0e21
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/21056f1a-f639-4dbf-bc76-6eb8b5bdb4a4/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/747a43c82c4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/439683/

Comments