MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ef5dfc66bb1e64f1a28312ae77e9757294d4749dab547889fb8c51543fd18b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ef5dfc66bb1e64f1a28312ae77e9757294d4749dab547889fb8c51543fd18b0
SHA3-384 hash: e970d8b8be523f23d7b9c5afad1a0a68a663c8843da6f10a1d22607a1f21607c49ecb91976b87aa4c6e26075b106b512
SHA1 hash: c5ba5cf7485b4e1273d8428c0f4acc4f97ad5cbe
MD5 hash: 10106349b19cb81713d6138c474b7769
humanhash: triple-kentucky-skylark-triple
File name:10106349b19cb81713d6138c474b7769.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:586'752 bytes
First seen:2023-06-18 18:36:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:NMryy90Oh5rZdKUb9ihiFB6JdJYHDzPy0tfxLP85hn5sxUG4X:nyHh5Vhihi7Q4DzTt5L05hn5sxi
TLSH T141C41253BBD88033DDB5277458FA12D30A367CB15EB9C62B2785AD6A0C726D09C3136B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
83.97.73.129:19071

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
10106349b19cb81713d6138c474b7769.exe
Verdict:
Malicious activity
Analysis date:
2023-06-18 18:40:24 UTC
Tags:
rat redline amadey trojan loader
Link:
https://app.any.run/tasks/9c25366f-0f15-4100-b7ab-29da4b22e700

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400213/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Launching a service
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91423/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll CAB evasive installer killav lolbin packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/648f4ed2e00a7203a001d985/reports/224f31c2-2404-48b4-ae13-d8b2632a3a86/overview
Verdict:
Malicious
Labled as:
TR/Disabler.ocayi
Link:
https://www.hybrid-analysis.com/sample/7ef5dfc66bb1e64f1a28312ae77e9757294d4749dab547889fb8c51543fd18b0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15920408-61aa-4c27-b0e3-0b4f5a53cd14
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1256947
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 889967 Sample: 0gXcEkSEst.exe Startdate: 18/06/2023 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic 2->78 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 15 other signatures 2->84 11 0gXcEkSEst.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 6 other processes 2->18 process3 file4 68 C:\Users\user\AppData\Local\...\x5520230.exe, PE32 11->68 dropped 70 C:\Users\user\AppData\Local\...\i8024423.exe, PE32 11->70 dropped 20 x5520230.exe 1 4 11->20         started        process5 file6 56 C:\Users\user\AppData\Local\...\x2521529.exe, PE32 20->56 dropped 58 C:\Users\user\AppData\Local\...\h3967387.exe, PE32 20->58 dropped 86 Antivirus detection for dropped file 20->86 88 Multi AV Scanner detection for dropped file 20->88 90 Machine Learning detection for dropped file 20->90 24 x2521529.exe 1 4 20->24         started        signatures7 process8 file9 64 C:\Users\user\AppData\Local\...\g4198144.exe, PE32 24->64 dropped 66 C:\Users\user\AppData\Local\...\f5738799.exe, PE32 24->66 dropped 100 Antivirus detection for dropped file 24->100 102 Multi AV Scanner detection for dropped file 24->102 104 Machine Learning detection for dropped file 24->104 28 g4198144.exe 3 24->28         started        32 f5738799.exe 4 24->32         started        signatures10 process11 dnsIp12 72 C:\Users\user\AppData\Local\...\rugen.exe, PE32 28->72 dropped 106 Antivirus detection for dropped file 28->106 108 Multi AV Scanner detection for dropped file 28->108 110 Machine Learning detection for dropped file 28->110 112 Contains functionality to inject code into remote processes 28->112 35 rugen.exe 18 28->35         started        74 83.97.73.129, 19071, 49720 UNACS-AS-BG8000BurgasBG Germany 32->74 114 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->114 116 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->116 118 Tries to harvest and steal browser information (history, passwords, etc) 32->118 file13 signatures14 process15 dnsIp16 76 77.91.68.63, 49721, 49722, 49723 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 35->76 60 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 35->60 dropped 62 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 35->62 dropped 92 Antivirus detection for dropped file 35->92 94 Multi AV Scanner detection for dropped file 35->94 96 Creates an undocumented autostart registry key 35->96 98 2 other signatures 35->98 40 cmd.exe 35->40         started        42 schtasks.exe 1 35->42         started        44 rundll32.exe 35->44         started        file17 signatures18 process19 process20 46 conhost.exe 40->46         started        48 cmd.exe 40->48         started        50 cacls.exe 40->50         started        54 4 other processes 40->54 52 conhost.exe 42->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ef5dfc66bb1e64f1a28312ae77e9757294d4749dab547889fb8c51543fd18b0/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-06-18 17:10:18 UTC
File Type:
PE (Exe)
Extracted files:
116
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p3257rtlwhte6grigevoo7uxk4uu2r2j3k2upce7xdcrkq75dcya._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:duza botnet:jason discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230618-w9gdjaha52/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
83.97.73.129:19071
77.91.68.63/doma/net/index.php
Unpacked files
SH256 hash:
2e7859551a2369e581931c570929a0cfc1cda70ca5c34569c149ffb506f2ea6b
MD5 hash:
c6f6f4b214c16c26bf2677033a4048d7
SHA1 hash:
b265886e747570601309db7d74de49f7ff1ad712
Link:
https://www.unpac.me/results/117de854-2dd8-4671-8732-7dab132c99aa/
SH256 hash:
8f947b57ffc60726f55d4dda9e7811a718bba641cf7101afa905a05a6cc294f3
MD5 hash:
c7339c21df25b5e34cc462fecfd47f40
SHA1 hash:
e2f6fdcd790a79db4ebf861ae13f3fd95d66a760
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/117de854-2dd8-4671-8732-7dab132c99aa/
Parent samples :
5def806156638d2795eabe2316f883d7bedaa757fd63c27482a496e7c0ab2763
813f3255652fc8ac950a4611d9497badc1c1a621e4f271d5dcee883fa162f1f1
3d9df09517fe7c019744f8db097cbff2304983bf7bf849d6b0433d5bf375fb01
1e9bb027abe27d495031e8b42200127a77f1001718a21efdfc8a63c148bb77d2
4927b49cf1b8c574dce9dde9cc82ddadb3889379cc4d902f23a975bcb63ac137
73861fb9934dbb50980b122d09c40410b9d8647a41ea3e979ef2962548e443c6
f13f02aa849c05f3fe6138f313a724a5ceab956da51534cb758659d1eea65b29
bde084bd369527e5d9cc6e440307abc229bde84472f0f53badf35f6bd6103161
6eff779a6cb922aedf32da7fd302ee49c9510ae16b110265f925886ef4392d50
8f1dfae61cbfd98979fa45deebe12cc5209900cca48709461cd48a66e75119c0
2ac06f431e8eb09e79f49a8c48f8c78b48811cfad1bfc8596548fa914e7c9c2a
3e2a82c304b006daffacd795750d1840bea149c965c45af5d3b16850e59bdb62
b15849f6e2c98266566997447410049a88602146690ff11db43cdb2247c8b307
1a236f267968ab05825ba26696b3cf6d7206652e6270862b193e158f2b3b0cd9
3e4674a7852d5caaf91327eb30c4ef3203b4c9fdde5863d747a630204954c849
7288e1fcee7dc6d34283fbbafe62bd3acb2b298acbf7595a755f9be1e4f9a5d2
753632d55853829735e0474a7e4c25dc67028e13d7761d526c16996e12488ed4
43f645ae0a220821d90a577fdde150eb1703ec1d1f0dbb5ee4e9fe8f5003c57e
27a6305cc8f925ecab42667752af467c4a1fe5b3295c14b044139109816f500b
63329aea8ffc61e789d6c16c1a2c510b230a15f101e5561ab916cf71c11162fc
5cbdfaf9a2f3589457c73f25d7af4bcda6564194644045cf11f0702c6c6e7d74
1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15
cf5b027b9568681a634e2c0ce43707c23957e85ffa0d5d0fbd4b2666f7c0ad9d
1c979e42b2df7a2fbe8e12b3a01c4328efa1a5ac62a8d501fe2036387f238b47
b41ee2b1b8f70818f324289322e7f9f9953ef24f1453c58e5b60d62e4d42db50
978a82019c58fa07909c1a4db2f0abffadff34f2f6e54e01a7caa81543e5cd7f
f4cc43b0584990550de85c0b4ded078290795ef293138e53484c9e349d76c73f
1c5c57072fd5ae3b1682f8ee7419651e8f27f8b4904e8cbabb86d848feda1144
98b877762780e4dcf90dffb4c2cf70d3ebb158d5efde641d3a0efe04f1736803
4082d4f42bc590bedccf4dcf735a60df67e548241a2f355eda67b59c3a40e9f2
46d9a5ab93798bb3d94d4149cfb4ada12ab4e4c4ee142209138e3ed1d95d893a
4b76a9c249498aac4289699748d925a10c484a314060c0fe31e9e87a1761a20a
d2cefc6e6ca21d0ff729d103b0860a4d86edd2d6f5bdbf5f164ae7c9190560b6
d721510c9d42eec90daef64673b450b2c5b739bf521d8595bd64334e255dda0d
9a83b648c2d4db403eda4e057af19151fce73fe65aa5f894022f76e726fae853
a08b8647747252810ad2049bb03327a002da5b37dbba3670396d4910d07ff06c
4570b227d49bae33f0abaf7db904cec2612fa34cb1f62e7f1a5b82c5c37c0ec1
2d40b1a2404c6a22c5a67ca1115cd639a642fb355b25e67d7053f142b4b4404c
3201bcf371e8d4b7f81f0264bdb7c84aa0423b06d16ebd097c1c8a1003694dbf
498b9937ce745bf8eeca0180b5359b54ae8e475034e2c62c66c45a10523cf8b8
15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3
6c8b20be5076b051b407cd2bdb1c9d4248529560b18c61e0d405e11fa1cb29f4
5124284375d8cab0c059fb7b92b4bbb325983f8818ec895d4399cde4f0bcb1eb
cdae8e6a7da218ee7996f920b46b06c1f38b4f9d1a045b04ce513c0edd5610b1
012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85
ec71edee6e23a115e4ae9703efa5d7612c03756f6815b198ab1a96ac4fb2668d
d20e3fcae49369fe44fc26e89f31571cc43e0a81c6de49d337d1555ca0b138f4
2039a9367059b0285dacde7133f6b16320aeb72c9bf3c3b59c3d040384311f5d
f029a186250840ab5492c2d8f9fee5197b9919f1111e8d11c4c6c6e8bf7f8206
9afd281bb487e496b33b3584195a5d1e29e526f4de466f9ce53f06e55fb4b0ad
57e3c368454172a98c6c1ab91c963d280fe472fe8dd4f230b527795babc012d7
184d8ed5b3a9975730423165b4f90b1e67ff7d7a58dd30d769afa9359e0da84a
7ef5dfc66bb1e64f1a28312ae77e9757294d4749dab547889fb8c51543fd18b0
c9ade4d2bd017046a824abd70d96afbd6ba37c63a0ab99c49b22610a3f5280ba
143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c
e7c32781fbc49afcf0c98a5ce2dbc8468a32aa24a8eb070d345b64bf32e22350
ac733f94761b6c54a238801ce3b36e92eca62d3725e823a9f8ae749c4ab8f3be
1dd27448fbca8cfeb823747f88230ba442ea67707393ae49d6a559f77b6e7eef
77dd0db7ee643998fda7b76cd75fb7da0348d00349a7b99a2212ca08e5e8eb3d
13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462
ac7753101d4e589a20c4e926e11b7d0fad8f145aa17c6843fe2d5ed65151eeab
7624ec18d269378960fbb0e3506d55493b1b02c89c148ffea4bba6343c71ef21
739ef5fbfd92fd4c257ac98794c66bc43489216efc3f1d18511fa04708ccc561
e3706009e5cb3bfa09a2f066a10ac37241f13316755cecccc111604e192d6543
a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a
e5000f5825148ffb407a42205a7fc4834fd9cb996b26cb06ef9fa03b68f91b3f
0a25e00d0db3375f4d3a8fd25efdb4ac356402a3392103d1383b3cffb88463e8
SH256 hash:
f79d09b12b38ed7b15d08e01e055269c9558e97efab2dac7a49b5a206d11d259
MD5 hash:
8eaec0bb11f810fc8b556a695a086c57
SHA1 hash:
9f8f67b7cb2a701d9aa2cb50b8c64b53b7d113aa
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/117de854-2dd8-4671-8732-7dab132c99aa/
SH256 hash:
f396bbc444a545b4eac8e71526a695f74b78110ec88fde610ec2c083d10a3c5d
MD5 hash:
8cf948020c37c7b00d0e7218e2dbacd7
SHA1 hash:
b0b2099e3183ddc6cfbe43044387cb03e5feb054
Link:
https://www.unpac.me/results/117de854-2dd8-4671-8732-7dab132c99aa/
SH256 hash:
7ef5dfc66bb1e64f1a28312ae77e9757294d4749dab547889fb8c51543fd18b0
MD5 hash:
10106349b19cb81713d6138c474b7769
SHA1 hash:
c5ba5cf7485b4e1273d8428c0f4acc4f97ad5cbe
Link:
https://www.unpac.me/results/117de854-2dd8-4671-8732-7dab132c99aa/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ef5dfc66bb1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ef5dfc66bb1e64f1a28312ae77e9757294d4749dab547889fb8c51543fd18b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7ef5dfc66bb1e64f1a28312ae77e9757294d4749dab547889fb8c51543fd18b0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2665318/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/400213/

Comments