MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
SHA3-384 hash: d8a8b88bd5ef8ac2ff73363a6190bc78446c5db7649ab7d140a29c9bcc7ac82d6e074ebebffd10b93c7ec16aead9d15b
SHA1 hash: a8243f4ebda420c755ae21b3561e6f940a3a4d6e
MD5 hash: 325b0d6b250977b7a1c06b64de4bd177
humanhash: alabama-island-violet-louisiana
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'632'064 bytes
First seen:2024-01-15 16:22:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:WrA8TvJKlFfI9CQe5MEM1jzu4Z/ke3E0wrFB7q8s9nDVMpbWounEvJRqr:Y0F2D1jy4ZceU0wpBXGm+Ev
Threatray 3'107 similar samples on MalwareBazaar
TLSH T14C263361F3EDD4A0E5E817F01DF12627C7246C639AA8509A3F87F4D41961297CA383BA
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://eventservice.rs/images/icon/bush.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470967/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm CAB control crypto explorer fingerprint greyware installer installer lolbin lolbin monero packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65a55be6d1ae2d05b96b600d/reports/6876819d-5d34-4e3b-966b-1503e5c93dfa/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82056b90-04a4-4b76-acf2-a9ecd5cd9411
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1374895
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1374895 Sample: file.exe Startdate: 15/01/2024 Architecture: WINDOWS Score: 100 108 telemetry-incoming.r53-2.services.mozilla.com 2->108 110 services.addons.mozilla.org 2->110 112 11 other IPs or domains 2->112 140 Antivirus / Scanner detection for submitted sample 2->140 142 Multi AV Scanner detection for dropped file 2->142 144 Multi AV Scanner detection for submitted file 2->144 146 6 other signatures 2->146 12 file.exe 1 4 2->12         started        15 msedge.exe 61 404 2->15         started        17 firefox.exe 2->17         started        19 3 other processes 2->19 signatures3 process4 file5 92 C:\Users\user\AppData\Local\...\Sz0Av87.exe, PE32 12->92 dropped 94 C:\Users\user\AppData\Local\...\6Ef7ou4.exe, PE32 12->94 dropped 21 Sz0Av87.exe 1 4 12->21         started        96 C:\Users\user\...\page_embed_script.js, ASCII 15->96 dropped 98 C:\Users\user\...\eventpage_bin_prod.js, ASCII 15->98 dropped 100 C:\Users\user\AppData\...\content_new.js, Unicode 15->100 dropped 102 C:\Users\user\AppData\Local\...\content.js, Unicode 15->102 dropped 25 msedge.exe 15->25         started        28 msedge.exe 15->28         started        30 msedge.exe 15->30         started        34 4 other processes 15->34 32 firefox.exe 17->32         started        process6 dnsIp7 84 C:\Users\user\AppData\Local\...\nA8Qb76.exe, PE32 21->84 dropped 86 C:\Users\user\AppData\Local\...\5pf7nX6.exe, PE32 21->86 dropped 160 Multi AV Scanner detection for dropped file 21->160 36 nA8Qb76.exe 1 4 21->36         started        120 13.107.213.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->120 122 ssl.bingadsedgeextension-prod.azurewebsites.net 138.91.254.96 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->122 128 15 other IPs or domains 25->128 124 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 32->124 126 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 GOOGLEUS United States 32->126 130 4 other IPs or domains 32->130 88 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 32->88 dropped 90 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 32->90 dropped 39 firefox.exe 32->39         started        41 firefox.exe 32->41         started        43 firefox.exe 32->43         started        45 4 other processes 32->45 file8 signatures9 process10 file11 80 C:\Users\user\AppData\Local\...\mg0Cr67.exe, PE32 36->80 dropped 82 C:\Users\user\AppData\Local\...\4QU302EM.exe, PE32 36->82 dropped 47 mg0Cr67.exe 1 4 36->47         started        51 4QU302EM.exe 36->51         started        process12 file13 104 C:\Users\user\AppData\Local\...\2jw2693.exe, PE32 47->104 dropped 106 C:\Users\user\AppData\Local\...\1An07CM0.exe, PE32 47->106 dropped 136 Multi AV Scanner detection for dropped file 47->136 138 Binary is likely a compiled AutoIt script file 47->138 53 2jw2693.exe 9 1 47->53         started        56 1An07CM0.exe 13 47->56         started        signatures14 process15 signatures16 148 Multi AV Scanner detection for dropped file 53->148 150 Modifies windows update settings 53->150 152 Disables Windows Defender Tamper protection 53->152 158 2 other signatures 53->158 154 Binary is likely a compiled AutoIt script file 56->154 156 Found API chain indicative of sandbox detection 56->156 58 chrome.exe 9 56->58         started        61 msedge.exe 11 56->61         started        63 chrome.exe 56->63         started        65 3 other processes 56->65 process17 dnsIp18 132 192.168.2.8 unknown unknown 58->132 134 239.255.255.250 unknown Reserved 58->134 67 chrome.exe 58->67         started        70 chrome.exe 58->70         started        72 chrome.exe 58->72         started        74 msedge.exe 61->74         started        76 chrome.exe 63->76         started        78 chrome.exe 65->78         started        process19 dnsIp20 114 youtube-ui.l.google.com 142.250.31.190 GOOGLEUS United States 67->114 116 142.250.31.84 GOOGLEUS United States 67->116 118 26 other IPs or domains 67->118
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-15 16:23:06 UTC
File Type:
PE (Exe)
Extracted files:
185
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2mumesbvrgoxhj6e6zdygtid7rjw6kfikv55hogxnsohcdi3s5q._file
Verdict:
malicious
Similar samples:
16d1a075654019ae8daaa42fdd5de6900f9956c9bcd76d0213678af49acacacf
RedLineStealer
28d3195daf8b48fa262cc9be185e9dd402f79be472874b4070dd0516744b8a63
RedLineStealer
42d5c8af3500e1d4979045b84efe4fe7f901e8b5bcdb46a0a8ef9e2fcb7320ef
RedLineStealer
7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce
RedLineStealer
8003e04f598f75df475bebdafb8b1702c4bdff87067b6554942a795a50c5bb73
RedLineStealer
845321e0072b6a37c502b6f5992d8e750ac254c3b09c9e55874722fae5ba87d4
RedLineStealer
86de0eece0f433c1dad9c51b60a11e39346f6da14ad576d78bd72600d963f80a
RedLineStealer
8df6ff949de778a20deb98bd90e21d9e9449045b73f75cd62c051957997882bb
RedLineStealer
ce78b18767d7895f03c85d5993742c8b0b02c2b9a64db086191ae434f9991d19
RedLineStealer
+ 3'097 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google evasion persistence phishing trojan
Link:
https://tria.ge/reports/240115-tvsf5scbb6/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
acf43a1bd1652bda632e309c77bed67bd9eb16cfdcf6e87378f634778dba7d24
MD5 hash:
faded705c01bf205c65d2f653ce27576
SHA1 hash:
e593506e84ccff1f0c851d00689a84019cdde374
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/51b61419-77b2-4ebf-a71a-ddea2f67f036/
Parent samples :
8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
SH256 hash:
e43ffd17c0690aee9d76198386c51edf23b4efb33c505efb38c39f85988d7898
MD5 hash:
a092736c001a867fc1aad9514089a7a7
SHA1 hash:
d464fd340b2d1547308f3dcbb93b41baa8baf2c0
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/51b61419-77b2-4ebf-a71a-ddea2f67f036/
Parent samples :
8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6
837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c
SH256 hash:
b4708ad9eefb2ac6f31f209f72b6a4a00ee479d302cabf7cdae5c1fe88ccadba
MD5 hash:
f335c26f13de2e669bfd4b4d6db4b7d6
SHA1 hash:
0e9e8a2982c795efc5b2e6cceee1ec91a0b58b97
Link:
https://www.unpac.me/results/51b61419-77b2-4ebf-a71a-ddea2f67f036/
SH256 hash:
8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
MD5 hash:
325b0d6b250977b7a1c06b64de4bd177
SHA1 hash:
a8243f4ebda420c755ae21b3561e6f940a3a4d6e
Link:
https://www.unpac.me/results/51b61419-77b2-4ebf-a71a-ddea2f67f036/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8699461241ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2748891/
Cape
Cape
https://www.capesandbox.com/analysis/470967/

Comments