MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b
SHA3-384 hash: 4e56268003a141336b4f2729f1d694d300d88b6e48864da2d9636f49c6a7783b82255433fd5bbcce6be4cd5a11bc3c59
SHA1 hash: dac73148c5ee4176574c51e7429f482a21c0dde6
MD5 hash: f4e05067b330b3af02bcbe478c14dc70
humanhash: cardinal-charlie-illinois-lamp
File name:F4E05067B330B3AF02BCBE478C14DC70.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:668'160 bytes
First seen:2023-11-04 06:25:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:EMray90Q5kgF6ABsLF4lZV1xX4dZdXprV8qT7zSrawUGcE3b6QfYBctEQ48:+yb5ku6m6YDvX4dZxJV3v2awUO3b6gt
TLSH T1D3E41206B7D55032E9B527B05CF203D30A3ABC62EDB89367339999954CB3258A93173F
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
195.10.205.17:8122

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Launching a service
Creating a file
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32 smokeloader xpack
Link:
https://www.filescan.io/uploads/6545e3fcb50c9557591df94d/reports/0308a0fc-246f-4373-a62e-5ff70f30c675/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Conti
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2915b918-d3da-4864-a24a-af0246692aa6
Result
Threat name:
Amadey, Glupteba, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1337057
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the hosts file
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Glupteba
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1337057 Sample: UEMDMCdwip.exe Startdate: 04/11/2023 Architecture: WINDOWS Score: 100 214 Multi AV Scanner detection for domain / URL 2->214 216 Found malware configuration 2->216 218 Malicious sample detected (through community Yara rule) 2->218 220 19 other signatures 2->220 14 UEMDMCdwip.exe 1 4 2->14         started        17 svchost.exe 2->17         started        process3 dnsIp4 170 C:\Users\user\AppData\Local\...\XP3ZS95.exe, PE32 14->170 dropped 172 C:\Users\user\AppData\Local\...\3LC43Hg.exe, PE32 14->172 dropped 20 3LC43Hg.exe 14->20         started        23 XP3ZS95.exe 1 4 14->23         started        174 23.62.164.112 GTT-BACKBONEGTTDE United States 17->174 176 127.0.0.1 unknown unknown 17->176 file5 process6 file7 246 Antivirus detection for dropped file 20->246 248 Multi AV Scanner detection for dropped file 20->248 250 Machine Learning detection for dropped file 20->250 252 5 other signatures 20->252 26 explorer.exe 16 29 20->26 injected 128 C:\Users\user\AppData\Local\...\2Uo6408.exe, PE32 23->128 dropped 130 C:\Users\user\AppData\Local\...\1Ct04Vl5.exe, PE32 23->130 dropped 31 1Ct04Vl5.exe 23->31         started        33 2Uo6408.exe 23->33         started        signatures8 process9 dnsIp10 190 103.152.79.123 TWIDC-AS-APTWIDCLimitedHK unknown 26->190 192 185.196.9.171 SIMPLECARRIERCH Switzerland 26->192 194 7 other IPs or domains 26->194 158 C:\Users\user\AppData\Roaming\fwbjjff, PE32 26->158 dropped 160 C:\Users\user\AppData\Local\Temp\F998.exe, PE32 26->160 dropped 162 C:\Users\user\AppData\Local\Temp\F65D.exe, PE32 26->162 dropped 164 8 other malicious files 26->164 dropped 298 System process connects to network (likely due to code injection or exploit) 26->298 300 Benign windows process drops PE files 26->300 302 Adds a directory exclusion to Windows Defender 26->302 304 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->304 35 F998.exe 26->35         started        39 AE23.exe 4 26->39         started        41 2128.exe 26->41         started        48 7 other processes 26->48 306 Contains functionality to inject code into remote processes 31->306 308 Writes to foreign memory regions 31->308 310 Allocates memory in foreign processes 31->310 43 AppLaunch.exe 9 1 31->43         started        312 Antivirus detection for dropped file 33->312 314 Injects a PE file into a foreign processes 33->314 45 AppLaunch.exe 12 33->45         started        file11 signatures12 process13 dnsIp14 114 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 35->114 dropped 116 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 35->116 dropped 118 C:\Users\user\AppData\Local\Temp\kos4.exe, PE32 35->118 dropped 126 2 other malicious files 35->126 dropped 254 Antivirus detection for dropped file 35->254 256 Multi AV Scanner detection for dropped file 35->256 258 Machine Learning detection for dropped file 35->258 260 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 35->260 50 31839b57a4f11171d6abc8bbc4451ee4.exe 35->50         started        53 toolspub2.exe 35->53         started        55 latestX.exe 35->55         started        67 4 other processes 35->67 120 C:\Users\user\AppData\Local\...\Je3yt5xb.exe, PE32 39->120 dropped 122 C:\Users\user\AppData\Local\...\6OO85At.exe, PE32 39->122 dropped 58 Je3yt5xb.exe 4 39->58         started        124 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 41->124 dropped 60 Utsysc.exe 41->60         started        262 Modifies windows update settings 43->262 264 Disable Windows Defender notifications (registry) 43->264 266 Disable Windows Defender real time protection (registry) 43->266 206 193.233.255.73 FREE-NET-ASFREEnetEU Russian Federation 45->206 208 194.49.94.11 EQUEST-ASNL unknown 48->208 210 171.22.28.239 CMCSUS Germany 48->210 212 104.26.13.31 CLOUDFLARENETUS United States 48->212 268 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->268 270 Found many strings related to Crypto-Wallets (likely being stolen) 48->270 272 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 48->272 274 2 other signatures 48->274 63 chrome.exe 48->63         started        65 chrome.exe 48->65         started        69 11 other processes 48->69 file15 signatures16 process17 dnsIp18 222 Multi AV Scanner detection for dropped file 50->222 224 Detected unpacking (changes PE section rights) 50->224 226 Detected unpacking (overwrites its own PE header) 50->226 244 2 other signatures 50->244 228 Injects a PE file into a foreign processes 53->228 71 toolspub2.exe 53->71         started        148 2 other malicious files 55->148 dropped 230 Modifies the hosts file 55->230 232 Adds a directory exclusion to Windows Defender 55->232 132 C:\Users\user\AppData\Local\...behaviorgraphs5gf6dq.exe, PE32 58->132 dropped 134 C:\Users\user\AppData\Local\...\5fz37pu.exe, PE32 58->134 dropped 234 Antivirus detection for dropped file 58->234 236 Machine Learning detection for dropped file 58->236 74 Gs5gf6dq.exe 4 58->74         started        198 167.235.20.126 ALBERTSONSUS United States 60->198 136 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 60->136 dropped 138 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 60->138 dropped 140 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 60->140 dropped 142 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 60->142 dropped 238 Creates an undocumented autostart registry key 60->238 240 Uses schtasks.exe or at.exe to add and modify task schedules 60->240 77 cmd.exe 60->77         started        79 schtasks.exe 60->79         started        242 Found many strings related to Crypto-Wallets (likely being stolen) 63->242 81 chrome.exe 63->81         started        200 239.255.255.250 unknown Reserved 65->200 84 chrome.exe 65->84         started        88 2 other processes 65->88 202 148.251.234.93 HETZNER-ASDE Germany 67->202 204 172.67.193.43 CLOUDFLARENETUS United States 67->204 144 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 67->144 dropped 146 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 67->146 dropped 86 Broom.exe 67->86         started        90 7 other processes 69->90 file19 signatures20 process21 dnsIp22 276 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 71->276 278 Maps a DLL or memory area into another process 71->278 280 Checks if the current machine is a virtual machine (disk enumeration) 71->280 282 Creates a thread in another existing process (thread injection) 71->282 154 C:\Users\user\AppData\Local\...\oT8ID0yW.exe, PE32 74->154 dropped 156 C:\Users\user\AppData\Local\...\4kn148ee.exe, PE32 74->156 dropped 92 oT8ID0yW.exe 74->92         started        95 conhost.exe 77->95         started        97 cmd.exe 77->97         started        99 conhost.exe 79->99         started        178 142.251.179.94 GOOGLEUS United States 81->178 180 172.253.115.138 GOOGLEUS United States 81->180 182 172.253.122.147 GOOGLEUS United States 81->182 184 104.244.42.193 TWITTERUS United States 84->184 186 104.244.42.194 TWITTERUS United States 84->186 188 34 other IPs or domains 84->188 284 Multi AV Scanner detection for dropped file 86->284 101 Conhost.exe 88->101         started        file23 signatures24 process25 file26 166 C:\Users\user\AppData\Local\...\zw0Lc3Nf.exe, PE32 92->166 dropped 168 C:\Users\user\AppData\Local\...\3uE6sI42.exe, PE32 92->168 dropped 103 zw0Lc3Nf.exe 92->103         started        process27 file28 150 C:\Users\user\AppData\Local\...\2xg227Hh.exe, PE32 103->150 dropped 152 C:\Users\user\AppData\Local\...\1Xw09Jw8.exe, PE32 103->152 dropped 106 2xg227Hh.exe 103->106         started        110 1Xw09Jw8.exe 103->110         started        process29 dnsIp30 196 77.91.124.86 ECOTEL-ASRU Russian Federation 106->196 286 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 106->286 288 Found many strings related to Crypto-Wallets (likely being stolen) 106->288 290 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 106->290 292 Writes to foreign memory regions 110->292 294 Allocates memory in foreign processes 110->294 296 Injects a PE file into a foreign processes 110->296 112 AppLaunch.exe 110->112         started        signatures31 process32
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-11-01 01:11:53 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=shgar2vc2ulp422i5t2hhwwgofdmgr7jhgqjmrxb4faqbducaa5q._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:kedru botnet:livetraffic botnet:pixelnew2.0 botnet:plost botnet:up3 backdoor dropper evasion infostealer loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231104-g663fseh86/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Amadey
DcRat
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
194.49.94.11:80
http://host-file-host6.com/
http://host-host-file8.com/
195.10.205.17:8122
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/98daf43b-896b-426a-be4c-f5331e3fa92e/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
a946bfe45fbc58fc62ac3c57a8f0fd230ceab6632d60136ed4d8e320f660ed39
MD5 hash:
d7d6d001c40802184332a7b1623b368e
SHA1 hash:
dc2698c933c3527cad2b0395587ed0499b2b1970
Link:
https://www.unpac.me/results/98daf43b-896b-426a-be4c-f5331e3fa92e/
SH256 hash:
c6b1fd95308ad8156ad7e81d885f6ff3fb3be657825d329cc7c24d6583b4ef4e
MD5 hash:
68ab199d3c37bf49db04ec0bd91163ed
SHA1 hash:
b4986c8d950ba928d6300e4db17e9cf66e6ff835
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/98daf43b-896b-426a-be4c-f5331e3fa92e/
Parent samples :
2c0fb18b2e43ccfc041607fa3b09d9ed8d8e230be6bad2f3603bd0750c1c5fa6
b8b11519c16b53afd85061d74baef7f8809644639d75845a196eaf7522415b93
ede2ea768fa5ffe0d6b2d266914f8bc163624ce4d887600466aa6eb473da8947
df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c
7f9a67e0213810c8cfe971c3d5fbdf64f88d771563d6f82401cd43b1409543db
082ccc8b7a7c0490466c2889403b5d590b524ba46d8417419b38a7abc2c1c381
91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b
SH256 hash:
91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b
MD5 hash:
f4e05067b330b3af02bcbe478c14dc70
SHA1 hash:
dac73148c5ee4176574c51e7429f482a21c0dde6
Link:
https://www.unpac.me/results/98daf43b-896b-426a-be4c-f5331e3fa92e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91cc08eaa2d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments