MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e32e91937f2e7fa4df7d0ce116b4a4df86f688571aa89de36d7d1cabf3e3520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: 7e32e91937f2e7fa4df7d0ce116b4a4df86f688571aa89de36d7d1cabf3e3520
SHA3-384 hash: 10b21401f2dbe07edd2a0316eb9d3705f86c81951458bdc3df375ebd6ebe3e72f822b67a99eadcd380630a550aa21310
SHA1 hash: 6bb2ee92e0bef07cfd4bb84803db817f460fb75e
MD5 hash: 69a0c8483f66f38d0069de1f04fc3c86
humanhash: indigo-tango-winner-jupiter
File name: file
Signature: RedLineStealer
File size: 1'742'792 bytes
First seen: 2023-10-05 19:47:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 49152:D88vvGd55cYiPvRh7impPbY7rLUPxNhiRKkjT:l855lYDmmUUPJiYkH
TLSH: T10C852323F6DC8A62CD355BB828FB295304B0FD6257A086677652ED846D13BC0B879337
TrID:
  70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: jstrosch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 287
Origin country: US

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
Unauthorized injection to a system process
Gathering data
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Babadeda, Mystic Stealer, RedLin
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey's stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph (rendered image; key data recovered from it): Behavior Graph ID 1320554, sample file.exe, start date 05/10/2023, architecture WINDOWS, score 100. The graph shows file.exe dropping a chain of PE32 executables under C:\Users\user\AppData\Local\..., dropped files injecting into AppLaunch.exe (with WerFault.exe crashes), and network connections to 77.91.124.55 (ports 19071, 49702, 49705) and 5.42.92.211 (ports 49695, 49704, 80), both in the Russian Federation.
Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2023-10-05 11:10:32 UTC
File Type: PE (Exe)
Extracted files: 194
AV detection: 18 of 23 (78.26%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: redline
Score: 10/10
Tags: family:mystic family:redline botnet:gigant infostealer persistence stealer
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Detect Mystic stealer payload
Mystic
RedLine
RedLine payload
Malware Config
C2 Extraction: 77.91.124.55:19071
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe 7e32e91937f2e7fa4df7d0ce116b4a4df86f688571aa89de36d7d1cabf3e3520 (this sample)
Delivery method: Distributed via web download

Comments