MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92c824e81461ae24e514c4fee0d34a187cde7037d2ecddcbfa6bc89e8fdc5c4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

SHA256 hash: 92c824e81461ae24e514c4fee0d34a187cde7037d2ecddcbfa6bc89e8fdc5c4c
SHA3-384 hash: 883adced561b575b47708f3f29bab03ba0d03412b77091aa81efa182c02e09ea2eefb3815af712473f6dc65b74cf1e32
SHA1 hash: c59237284ab6d92ac00e73d46efa2ef4343083c1
MD5 hash: 28a9def50d122f93c4f0de259944e369
humanhash: jersey-oxygen-sodium-mars
File name: file
Signature: RedLineStealer
File size: 1'632'768 bytes
First seen: 2023-10-27 11:51:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 49152:VQth1lTNNU/swP2hzgo+JxMqoFCdplmu:OtvlZCHP2t+JxdwCF
Threatray: 2'641 similar samples on MalwareBazaar
TLSH: T1DE753302DDD8D2B3D83B6B741DF6861B0E263C926938669F2B1188DD1DB346CD0297E6
TrID:
  70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from http://109.107.182.2/race/bus50.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 382
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating synchronization primitives
Launching a service
Creating a file
Creating a window
Launching cmd.exe command interpreter
Searching for synchronization primitives
Adding an access-denied ACE
Running batch commands
Using the Windows Management Instrumentation requests
Blocking the Windows Defender launch
Disabling the operating system update service
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 89%
Tags: advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Babadeda, Mystic Stealer, RedLin
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1333240, sample file.exe, start date 27/10/2023, architecture WINDOWS, score 100): the rendered process graph is not reproduced here. It traces file.exe through a chain of dropped PE32 executables under C:\Users\user\AppData\Local\, injection into AppLaunch.exe and explorer.exe, scheduled-task, cmd.exe and cacls.exe activity, and outbound connections to several IP addresses, most in Russian Federation address space.
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-10-27 11:52:05 UTC
File Type: PE (Exe)
Extracted files: 227
AV detection: 27 of 37 (72.97%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:glupteba family:raccoon family:redline family:smokeloader family:zgrat botnet:6a6a005b9aa778f606280c5fa24ae595 botnet:@ytlogsbot botnet:grome botnet:kinza botnet:up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Amadey
Detect ZGRat V1
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Raccoon
Raccoon Stealer payload
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
http://host-file-host6.com/
http://host-host-file8.com/
http://195.123.218.98:80
http://31.192.23
194.169.175.235:42691
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments