MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 884696bd9335b0113cf3f2d8ea9741e09f80a11a2c1eb2cc1bd3fd8835c62e89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 21 File information Comments 1

SHA256 hash:	884696bd9335b0113cf3f2d8ea9741e09f80a11a2c1eb2cc1bd3fd8835c62e89
SHA3-384 hash:	f0d0bff98d0e64375ff3ee8f7baa3a17dbbdeb3c5c6099241e8158c12122760b8cc3c4685275539643a9b7704a8439ad
SHA1 hash:	6652b253b32d35b5162972b13a2c1158a106a536
MD5 hash:	e04f4435560f78707d402c06b8deb8dd
humanhash:	twelve-echo-uranus-utah
File name:	e04f4435560f78707d402c06b8deb8dd
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'718'272 bytes
First seen:	2023-09-14 02:29:05 UTC
Last seen:	2023-09-18 07:09:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:lWb9XTk00r/e+LPbHTbbK8HgneChMxHoi7QvsP8IizqifCmUXMV:lWbxTk0SPbK8HgnePxcOwuifC9Xq
Threatray	209 similar samples on MalwareBazaar
TLSH	T1DA85AF207F828D3DF9D632F64FBCB9B0516EE4B01B650AD7918847EEAB301E29735641
TrID	64.6% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 23.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 3.4% (.EXE) Win64 Executable (generic) (10523/12/4) 2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	171-22-28-208 32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

http://171.22.28.208/download/

Verdict:

Malicious activity

Analysis date:

2023-09-13 19:20:44 UTC

Tags:

opendir loader privateloader evasion redline stealer fabookie amadey botnet trojan smoke risepro

Link:

https://app.any.run/tasks/c3fe217c-ddae-47e3-ab34-343cb7b517d8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Amadey

Link:

https://www.capesandbox.com/analysis/448513/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop9.52626.11557.4967.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Launching a process

Creating a window

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Reading critical registry keys

Creating a process with a hidden window

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control greyware lolbin packed

Link:

https://www.filescan.io/uploads/6502702bda7b76f50a24c897/reports/e3ad50fd-083d-43ad-95da-a08c70c55de0/overview

Verdict:

Malicious

Labled as:

Razy.Generic

Link:

https://www.hybrid-analysis.com/sample/884696bd9335b0113cf3f2d8ea9741e09f80a11a2c1eb2cc1bd3fd8835c62e89

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/48280efe-587f-4753-86ce-7c9d1d263c8f

Result

Threat name:

Amadey, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1307764

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Amadey bot

Yara detected Amadeys stealer DLL

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/884696bd9335b0113cf3f2d8ea9741e09f80a11a2c1eb2cc1bd3fd8835c62e89/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2023-09-14 02:01:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rbdjnpmtgwybcpht6lmovf2b4cpybii2fqplfta32p6yqnogf2eq._file

Verdict:

malicious

RedLineStealer

327fdd0215c36138e9865fff7ffdd8269a02e70dee9b1942cde57fe0a38d36ba

RedLineStealer

38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2

RedLineStealer

498ce4ddc627a2b95a11ab521c9314fbe975d5aa4de496792906fe7bb8ce64e0

RedLineStealer

49b2c4652c7c95e8786bc270aee1d8384c75a7164f0f3df0baae7fdab571a347

RedLineStealer

6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7

RedLineStealer

801c2bd3ddf4cc21ea6d95eaf5e9bbba3b9f0ce256e4af670217754dd7473a1e

RedLineStealer

8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc

RedLineStealer

8932b9b1a6716b2c77235f2c0887308f8d691da0f731bb5a0abe5133983270e2

RedLineStealer

+ 199 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:amadey family:redline infostealer spyware trojan

Link:

https://tria.ge/reports/230914-cy5r7sgh8v/

Behaviour

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Downloads MZ/PE file

Amadey

RedLine

RedLine payload

Malware Config

C2 Extraction:

http://185.215.113.35/bkd7djmsa/index.php

Unpacked files

SH256 hash:

0cc3a0f8b48ef8d8562b9cdf9c7cfe7f63faf43a5ac6dc6973dc8bf13b6c88cf

MD5 hash:

e57ea48172a6fe1b55ecb45f9bf659cf

SHA1 hash:

ad9f7fad57af3dfb6bad3d55828152aebf6ead34

Link:

https://www.unpac.me/results/0dbc6620-63ce-4ca1-aede-25902f263a1e/

SH256 hash:

0efe90fbe05fdbe7645cc238be406b3add95c4b2307120b73697674ad408b0de

MD5 hash:

9715d63d92cd5ebcc3f6c5cb50bd461f

SHA1 hash:

d35920fb066076b09bec255f4521aed4ab8918cc

Link:

https://www.unpac.me/results/0dbc6620-63ce-4ca1-aede-25902f263a1e/

SH256 hash:

b4a728f0e155bc3b5f99ab5877fb148aec422f0e03dbcee4a02f75263c6a5467

MD5 hash:

237262f3ce6c7fd7022e71169df4b438

SHA1 hash:

54c49c2aceb4fb7a45b726cff1a5fcef7b274a85

Link:

https://www.unpac.me/results/0dbc6620-63ce-4ca1-aede-25902f263a1e/

SH256 hash:

884696bd9335b0113cf3f2d8ea9741e09f80a11a2c1eb2cc1bd3fd8835c62e89

MD5 hash:

e04f4435560f78707d402c06b8deb8dd

SHA1 hash:

6652b253b32d35b5162972b13a2c1158a106a536

Link:

https://www.unpac.me/results/0dbc6620-63ce-4ca1-aede-25902f263a1e/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/884696bd9335/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/884696bd9335b0113cf3f2d8ea9741e09f80a11a2c1eb2cc1bd3fd8835c62e89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Amadey Create hunting rule
Author:	kevoreilly
Description:	Amadey Payload

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_Amadey Create hunting rule
Author:	ditekSHen
Description:	Amadey downloader payload

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_2 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Amadey_7abb059b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_amadey_a9f4 Create hunting rule
Author:	Johannes Bader
Description:	matches unpacked Amadey samples

Rule name:	win_amadey_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.amadey.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 884696bd9335b0113cf3f2d8ea9741e09f80a11a2c1eb2cc1bd3fd8835c62e89

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/448513/

URLhaus

https://urlhaus.abuse.ch/url/2711597/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-09-14 02:29:06 UTC

url : hxxps://ptasoftware.com/Build.exe