MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
SHA3-384 hash: a3c5e0652fbd2fc19f5644d106936d7a57e084eb5404aca43e7ccc656278dac6cf57aae7a3278e8fa95c8346be358515
SHA1 hash: 4094a5f879348cb0dbba1137d6da346fd61e0b9a
MD5 hash: a2c2004e83c623b892ab19e3b817441e
humanhash: lima-ack-bacon-maryland
File name:boinkwx.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'487'808 bytes
First seen:2024-01-16 06:09:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:TKJ1xi/XyLgvUEI77QUsvhu+2b+UeKdNGMIF5D8mFyJQU3keHJmeGkvf:svi/Xycm7MUsB9KeMIF5f4N3keHJi
Threatray 857 similar samples on MalwareBazaar
TLSH T1A1B53322E6ECE531D4A537B01CF516934B387C919EA491AA3F07A98418F17D3CA34B7B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RedLineStealer WEXTRACT

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb.exe
Verdict:
Malicious activity
Analysis date:
2024-01-15 16:35:50 UTC
Tags:
risepro stealer evasion
Link:
https://app.any.run/tasks/3c2ae6e0-795e-43bc-89e9-06d849c83646

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471054/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
78%
Tags:
advpack anti-vm CAB control crypto explorer installer lolbin obfuscated packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65a61dbb94d1aebfb2a26b8d/reports/edab8dc7-ac48-4418-967c-1ea733c72f1c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53b04e39-7f4a-4bc9-8dd1-697d3925c571
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1375162
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1375162 Sample: boinkwx.exe Startdate: 16/01/2024 Architecture: WINDOWS Score: 100 96 telemetry-incoming.r53-2.services.mozilla.com 2->96 98 services.addons.mozilla.org 2->98 100 10 other IPs or domains 2->100 122 Antivirus / Scanner detection for submitted sample 2->122 124 Multi AV Scanner detection for dropped file 2->124 126 Multi AV Scanner detection for submitted file 2->126 128 5 other signatures 2->128 10 boinkwx.exe 1 4 2->10         started        13 msedge.exe 60 408 2->13         started        16 firefox.exe 1 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 80 C:\Users\user\AppData\Local\...\mg0Cr67.exe, PE32 10->80 dropped 82 C:\Users\user\AppData\Local\...\4QU302EM.exe, PE32 10->82 dropped 20 mg0Cr67.exe 1 4 10->20         started        120 192.168.2.16 unknown unknown 13->120 84 C:\Users\user\...\page_embed_script.js, ASCII 13->84 dropped 86 C:\Users\user\...\eventpage_bin_prod.js, ASCII 13->86 dropped 88 C:\Users\user\AppData\...\content_new.js, Unicode 13->88 dropped 90 C:\Users\user\AppData\Local\...\content.js, Unicode 13->90 dropped 24 msedge.exe 13->24         started        27 msedge.exe 13->27         started        29 msedge.exe 13->29         started        33 4 other processes 13->33 31 firefox.exe 16->31         started        file6 process7 dnsIp8 72 C:\Users\user\AppData\Local\...\2jw2693.exe, PE32 20->72 dropped 74 C:\Users\user\AppData\Local\...\1An07CM0.exe, PE32 20->74 dropped 142 Multi AV Scanner detection for dropped file 20->142 144 Binary is likely a compiled AutoIt script file 20->144 35 2jw2693.exe 9 1 20->35         started        38 1An07CM0.exe 13 20->38         started        102 13.107.213.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->102 104 ssl.bingadsedgeextension-prod.azurewebsites.net 138.91.254.96 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->104 110 15 other IPs or domains 24->110 106 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 31->106 108 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 GOOGLEUS United States 31->108 112 4 other IPs or domains 31->112 76 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 31->76 dropped 78 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 31->78 dropped 40 firefox.exe 31->40         started        42 firefox.exe 31->42         started        44 firefox.exe 31->44         started        46 4 other processes 31->46 file9 signatures10 process11 signatures12 130 Multi AV Scanner detection for dropped file 35->130 132 Modifies windows update settings 35->132 134 Disables Windows Defender Tamper protection 35->134 140 2 other signatures 35->140 136 Binary is likely a compiled AutoIt script file 38->136 138 Found API chain indicative of sandbox detection 38->138 48 chrome.exe 9 38->48         started        51 msedge.exe 10 38->51         started        53 chrome.exe 38->53         started        55 3 other processes 38->55 process13 dnsIp14 92 192.168.2.5, 443, 49704, 49705 unknown unknown 48->92 94 239.255.255.250 unknown Reserved 48->94 57 chrome.exe 48->57         started        60 chrome.exe 48->60         started        62 chrome.exe 48->62         started        64 msedge.exe 51->64         started        66 chrome.exe 53->66         started        68 chrome.exe 55->68         started        70 chrome.exe 55->70         started        process15 dnsIp16 114 i.ytimg.com 142.250.31.119, 443, 49718 GOOGLEUS United States 57->114 116 googleads.g.doubleclick.net 142.251.111.154 GOOGLEUS United States 57->116 118 25 other IPs or domains 57->118
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad/
Threat name:
Win32.Trojan.Crifi
Create hunting rule
Status:
Malicious
First seen:
2024-01-15 16:23:06 UTC
File Type:
PE (Exe)
Extracted files:
107
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qn2atqq2xro35pccynn3quwrlv2uhbs4gynyqwikhqnvibamlgwq._file
Verdict:
malicious
Similar samples:
1201bf878caa54aca39c6973c193210786509f098f5b9da23a03258cc278f5e3
RedLineStealer
34651d44c15017bddd3fe67dfade46637267be4f3ec660797432f0e23f9b7fab
RedLineStealer
61580a88a54a94eac16c3f8f856d44e365581b1ba266780a6c789855f23e04a4
RedLineStealer
8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
RedLineStealer
bb32ea7d56902a74dc94787ab68593ef8eef937157e9cdd50eac8fcf2f36dac6
RedLineStealer
dfac5e31b117e359591781d0e6614b49226d3ef3461f2d020133f5044be3befc
RedLineStealer
eafa77494da616f73dcd8f49eed5d044a1880decfff1206fb58cc7e2983613f0
RedLineStealer
f865504f075fc498d14904055734c4c5e70d9a852e9362414b1fff6a46fc9123
RedLineStealer
fb5e0a41602403a20017973b3e0af1b742e32ecfbbf6f565b4ddc271e0c0350a
RedLineStealer
fdf9b8a9bb4b5c3c05290c2687a22b05c3f3ce41800194ffc0a9485fdad307bc
RedLineStealer
+ 847 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google evasion persistence phishing trojan
Link:
https://tria.ge/reports/240116-gw2d8afdd9/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
.NET Reactor proctector
Executes dropped EXE
Loads dropped DLL
Windows security modification
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
acf43a1bd1652bda632e309c77bed67bd9eb16cfdcf6e87378f634778dba7d24
MD5 hash:
faded705c01bf205c65d2f653ce27576
SHA1 hash:
e593506e84ccff1f0c851d00689a84019cdde374
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/89577a00-f0a9-4db5-89ce-9b2409330e32/
Parent samples :
8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
SH256 hash:
e43ffd17c0690aee9d76198386c51edf23b4efb33c505efb38c39f85988d7898
MD5 hash:
a092736c001a867fc1aad9514089a7a7
SHA1 hash:
d464fd340b2d1547308f3dcbb93b41baa8baf2c0
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/89577a00-f0a9-4db5-89ce-9b2409330e32/
Parent samples :
8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6
837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c
SH256 hash:
837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
MD5 hash:
a2c2004e83c623b892ab19e3b817441e
SHA1 hash:
4094a5f879348cb0dbba1137d6da346fd61e0b9a
Link:
https://www.unpac.me/results/89577a00-f0a9-4db5-89ce-9b2409330e32/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/837409c21abc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/471054/

Comments