MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e3e16cbebb1ad62ceb1f64859d2f8a8101486c67a2b135329384764e07ca6e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 17



SHA256 hash: 9e3e16cbebb1ad62ceb1f64859d2f8a8101486c67a2b135329384764e07ca6e8
SHA3-384 hash: bc49102d8d2a51d3c3e2214f2d6bb2dc70337f2527977652aaecab39e01c1815dc73581e4871e9e3e3a34e0b6d8e76b8
SHA1 hash: 2b40fb72b9b78c4380f852bfaa3e5844a1ee7a20
MD5 hash: 717c3c4059308740c0675826f7a75368
humanhash: uranus-bravo-golf-timing
File name: 717c3c4059308740c0675826f7a75368.exe
Download: download sample
Signature: RedLineStealer
File size: 930'816 bytes
First seen: 2023-10-25 02:30:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 79fc9968a714a6b38909530fa0e5d530 (9 x RedLineStealer, 9 x RecordBreaker, 2 x Amadey)
ssdeep: 12288:SH1F57Fa2dALbyZa5uHZ/jiaQZKmRuUDm2r+Wg5ukiSyFQ:kE2dALbyZa5uHZkQmRbVow
Threatray: 3'007 similar samples on MalwareBazaar
TLSH: T1DE156B2138809176EEF320B747ECFA2682ADE0B4071916DF06D857EED7606C17F36696
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
194.169.175.235:42691

Intelligence


File Origin
# of uploads: 1
# of downloads: 360
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 717c3c4059308740c0675826f7a75368.exe
Verdict: Malicious activity
Analysis date: 2023-10-25 02:35:36 UTC
Tags: loader smoke

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Launching a process
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control greyware lolbin packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Babadeda, Glupteba, Mystic Stealer
Detection: malicious
Classification: phis.troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Glupteba
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1331642; sample 85XWulDpWm.exe, the sandbox's name for the submitted file; start date 25/10/2023; architecture WINDOWS; score 100). The graph text is rendered here as an indented process tree, with each process's signatures, dropped files and network contacts attached to it; the "N other ..." counts are the graph's own summaries.

85XWulDpWm.exe: contains functionality to inject code into remote processes; writes to foreign memory regions; allocates memory in foreign processes; injects a PE file into a foreign process
  AppLaunch.exe: queries Win32_VideoController and Win32_DiskDrive via WMI (often done to detect virtual machines); tries to detect sandboxes and other dynamic analysis tools; 4 other signatures
    explorer.exe (injected): contacts 5.42.65.80 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation), 77.91.68.249 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation) and 4 other IPs or domains; drops C:\Users\user\AppData\Local\Temp\C8B8.exe (PE32), C:\Users\user\AppData\Local\Temp\8BBB.exe (PE32+), C:\Users\user\AppData\Local\Temp\63D3.exe (PE32) and 7 other files (6 malicious); system process connects to network; benign Windows process drops PE files; hides that the sample has been downloaded from the Internet (zone.identifier)
      4433.exe: drops C:\Users\user\AppData\Local\...\gQ5sL9Nn.exe and C:\Users\user\AppData\Local\...\6uT78Ib.exe (PE32; antivirus, multi-AV and machine-learning detection for dropped files)
        gQ5sL9Nn.exe: drops C:\Users\user\AppData\Local\...\SV1gc6Wx.exe and C:\Users\user\AppData\Local\...\5cm95bV.exe (PE32; antivirus, multi-AV and machine-learning detection for dropped files)
          SV1gc6Wx.exe: drops C:\Users\user\AppData\Local\...\cF2fG0Yz.exe and C:\Users\user\AppData\Local\...\4zt043Zk.exe (PE32; antivirus, multi-AV and machine-learning detection for dropped files)
            cF2fG0Yz.exe: drops C:\Users\user\AppData\Local\...\qu1jB4dd.exe and C:\Users\user\AppData\Local\...\3sC9gN55.exe (PE32; antivirus and machine-learning detection for dropped files)
              qu1jB4dd.exe: drops C:\Users\user\AppData\Local\...\2xs041zH.exe and C:\Users\user\AppData\Local\...\1XI31tG0.exe (PE32; antivirus, multi-AV and machine-learning detection for dropped files)
                2xs041zH.exe: contacts 77.91.124.86 (ECOTEL-ASRU, Russian Federation); antivirus and multi-AV detection; WMI Win32_VideoController query; 3 other signatures
                1XI31tG0.exe: writes to foreign memory regions; allocates memory in foreign processes; injects a PE file into a foreign process
                  AppLaunch.exe
              3sC9gN55.exe
            4zt043Zk.exe: multi-AV detection; writes to foreign memory regions; allocates memory in foreign processes; injects a PE file into a foreign process
              AppLaunch.exe (two instances; one tries to harvest and steal browser information such as history and passwords)
          5cm95bV.exe
        6uT78Ib.exe
          cmd.exe
            chrome.exe (three instances, each starting a further chrome.exe)
            conhost.exe
        Conhost.exe: WMI Win32_VideoController and Win32_DiskDrive queries
      2022.exe: drops C:\Users\user\AppData\Local\...\toolspub2.exe (PE32), C:\Users\user\AppData\Local\Temp\setup.exe (PE32), C:\Users\user\AppData\Local\...\latestX.exe (PE32+) and 2 other malicious files
        31839b57a4f11171d6abc8bbc4451ee4.exe: detected unpacking (changes PE section rights; overwrites its own PE header)
        toolspub2.exe: process hollowing; injects a PE file into a foreign process
        Conhost.exe
      5FFE.exe: drops C:\Users\user\AppData\Local\...\explothe.exe (PE32)
        explothe.exe: contacts 77.91.124.1 (ECOTEL-ASRU, Russian Federation); drops C:\Users\user\AppData\Roaming\...\clip64.dll and C:\Users\user\AppData\Local\...\clip64[1].dll (PE32); creates an undocumented autostart registry key; uses schtasks.exe or at.exe to add and modify task schedules
          cmd.exe (starts conhost.exe and 6 other processes)
          schtasks.exe (starts conhost.exe)
          rundll32.exe
      5 other processes: contact 193.233.255.73 (FREE-NET-ASFREEnetEU, Russian Federation) and 77.91.124.71 (ECOTEL-ASRU, Russian Federation); WMI Win32_VideoController and Win32_DiskDrive queries; create autostart registry keys with suspicious values (likely registry-only malware)
        chrome.exe: 192.168.2.4, 239.255.255.250 (reserved)
          chrome.exe: 142.250.31.84 (GOOGLEUS, United States), clients.l.google.com 142.251.16.113 (GOOGLEUS, United States) and 12 other IPs or domains
          2 other processes
        4 other processes
          chrome.exe
svchost.exe: 127.0.0.1
utgsghf
2 other processes

Sample-level: contacts www.google.com, datasheet.fun and 3 other IPs or domains; Snort IDS alert for network traffic; found malware configuration; malicious sample detected (through community Yara rule); 20 other signatures.
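The behaviour graph above shows three chains worth turning into hunts: the submitted sample spawning the .NET Framework host AppLaunch.exe and injecting into it, the injected explorer.exe writing PE files into the user's Temp directory, and the dropped explothe.exe calling schtasks.exe for persistence. The Python below is an added example for this page, not Joe Sandbox or MalwareBazaar code; it runs three such rules over constructed Sysmon-style process-creation and file-creation records (the field names, PIDs, paths and command lines are assumptions modelled on the graph, not records from the sandbox run).

```python
"""Hunt for the process-tree behaviours shown in the sandbox graph.

Added example; not Joe Sandbox or MalwareBazaar code. Events are constructed
Sysmon-style records; field names, PIDs, paths and command lines are assumptions.
"""
import ntpath
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Roots a normal Windows binary launches from. Anything else counts as
# user-writable here, a simplification of a real ACL check.
_SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
_PE_EXTENSIONS = {".exe", ".dll"}   # extension only; a real hunt would read the MZ header


def in_user_writable_path(image: str) -> bool:
    return not image.lower().startswith(_SYSTEM_ROOTS)


def is_dotnet_applaunch(image: str) -> bool:
    p = image.lower()
    return ntpath.basename(p) == "applaunch.exe" and "\\microsoft.net\\framework" in p


def rule_applaunch_from_user_path(e: Event) -> bool:
    """AppLaunch.exe started by a parent in a user-writable path (the injection target in the graph)."""
    return (e["event"] == "process_create"
            and is_dotnet_applaunch(e["image"])
            and in_user_writable_path(e["parent_image"]))


def rule_explorer_drops_pe_in_temp(e: Event) -> bool:
    """explorer.exe writing a PE into the user's Temp directory ('Benign windows process drops PE files')."""
    if e["event"] != "file_create":
        return False
    target = e["target"].lower()
    return (ntpath.basename(e["image"].lower()) == "explorer.exe"
            and "\\appdata\\local\\temp\\" in target
            and ntpath.splitext(target)[1] in _PE_EXTENSIONS)


def rule_schtasks_create_from_user_path(e: Event) -> bool:
    """schtasks.exe /create launched by a binary outside the system roots (explothe.exe in the graph)."""
    return (e["event"] == "process_create"
            and ntpath.basename(e["image"].lower()) == "schtasks.exe"
            and "/create" in e.get("cmdline", "").lower()
            and in_user_writable_path(e["parent_image"]))


RULES = {
    "applaunch_from_user_path": rule_applaunch_from_user_path,
    "explorer_drops_pe_in_temp": rule_explorer_drops_pe_in_temp,
    "schtasks_create_from_user_path": rule_schtasks_create_from_user_path,
}


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, pid) for every event that triggers a rule."""
    return [(name, e["pid"]) for e in events for name, rule in RULES.items() if rule(e)]


NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319"

# Constructed events: PIDs, paths and command lines are illustrative, not sandbox records.
SAMPLE_EVENTS: List[Event] = [
    {"event": "process_create", "pid": "1000", "image": "C:\\Users\\user\\Desktop\\85XWulDpWm.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "85XWulDpWm.exe"},
    {"event": "process_create", "pid": "1010", "image": NET + "\\AppLaunch.exe",
     "parent_image": "C:\\Users\\user\\Desktop\\85XWulDpWm.exe", "cmdline": "AppLaunch.exe"},
    {"event": "process_create", "pid": "1020", "image": NET + "\\AppLaunch.exe",
     "parent_image": "C:\\Program Files\\Vendor\\Installer.exe", "cmdline": "AppLaunch.exe"},
    {"event": "file_create", "pid": "2000", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\user\\AppData\\Local\\Temp\\C8B8.exe"},
    {"event": "file_create", "pid": "2000", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\user\\AppData\\Local\\Temp\\thumbs.db"},
    {"event": "process_create", "pid": "3000", "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": "C:\\Users\\user\\AppData\\Local\\example\\explothe.exe",
     "cmdline": "schtasks.exe /create /tn explothe /tr C:\\Users\\user\\AppData\\Local\\example\\explothe.exe /sc minute"},
    {"event": "process_create", "pid": "3100", "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "schtasks.exe /query"},
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The parent-path check is what separates the malicious AppLaunch.exe and schtasks.exe launches from ordinary ones, so `_SYSTEM_ROOTS` should reflect whatever your estate actually treats as trusted install locations; the file rule matches on extension for brevity and would need an MZ-header read to catch the renamed PEs this chain also drops.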
Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2023-10-25 02:31:06 UTC
File Type: PE (Exe)
AV detection: 14 of 23 (60.87%)
Threat level: 2/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:amadey family:dcrat family:glupteba family:redline family:smokeloader botnet:@ytlogsbot botnet:grome botnet:kinza botnet:up3 backdoor brand:google dropper evasion infostealer loader persistence phishing rat trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Amadey
DcRat
Detected google phishing page
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
http://host-file-host6.com/
http://host-host-file8.com/
194.169.175.235:42691
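The C2 Extraction list above mixes two indicator shapes: full URLs and bare host:port pairs (the RedLine endpoint 194.169.175.235:42691 is also the one reported in the abuse_ch comment). The following Python is an added example for this page, not code from MalwareBazaar or abuse.ch: it parses the list into structured indicators, matches them against a few constructed key=value log lines (the log format, field names and lines are assumptions), and checks a candidate file's digests against the entry's MD5, SHA1, SHA256 and SHA3-384 values.

```python
"""Match the indicators published in this MalwareBazaar entry against local telemetry.

Added example for this page; not MalwareBazaar or abuse.ch code. Hash and C2
values are copied from the entry; the log lines and their key=value format are
constructed for illustration.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hashes from the file information block of the entry.
ENTRY_HASHES = {
    "md5": "717c3c4059308740c0675826f7a75368",
    "sha1": "2b40fb72b9b78c4380f852bfaa3e5844a1ee7a20",
    "sha256": "9e3e16cbebb1ad62ceb1f64859d2f8a8101486c67a2b135329384764e07ca6e8",
    "sha3_384": "bc49102d8d2a51d3c3e2214f2d6bb2dc70337f2527977652aaecab39e01c1815dc73581e4871e9e3e3a34e0b6d8e76b8",
}

# "C2 Extraction" list from the entry, verbatim.
C2_EXTRACTION = [
    "http://77.91.68.29/fks/",
    "77.91.124.86:19084",
    "http://77.91.124.1/theme/index.php",
    "http://host-file-host6.com/",
    "http://host-host-file8.com/",
    "194.169.175.235:42691",
]


@dataclass(frozen=True)
class Indicator:
    raw: str              # value exactly as listed in the entry
    host: str             # IP address or domain, lower-cased
    is_ip: bool
    port: Optional[int]   # None when the entry gives no explicit port
    path: Optional[str]   # URL path when the entry gives a URL, else None


def parse_indicator(raw: str) -> Indicator:
    """Turn one C2 Extraction line (URL or host:port) into a structured indicator.

    No default port is assumed for URLs: the entry does not state one.
    """
    raw = raw.strip()
    if "://" in raw:
        u = urlsplit(raw)
        host, port, path = u.hostname or "", u.port, (u.path or "/")
    else:
        host, _, port_text = raw.rpartition(":")
        port, path = int(port_text), None
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return Indicator(raw, host.lower(), is_ip, port, path)


INDICATORS = [parse_indicator(x) for x in C2_EXTRACTION]
_KV = re.compile(r"(\w+)=(\S+)")


def match_line(line: str, indicators=INDICATORS) -> List[str]:
    """Return the raw indicator strings that one log line hits.

    type=conn lines carry dst/dport; type=http lines carry a full url.
    """
    f = dict(_KV.findall(line))
    hits = []
    if f.get("type") == "conn":
        dst, dport = f.get("dst", "").lower(), int(f.get("dport", 0))
        for ind in indicators:
            # A host:port indicator needs the same port; a URL indicator matches the host on any port.
            if ind.host == dst and (ind.port is None or ind.port == dport):
                hits.append(ind.raw)
    elif f.get("type") == "http":
        u = urlsplit(f.get("url", ""))
        host, path = (u.hostname or "").lower(), (u.path or "/")
        for ind in indicators:
            if ind.host != host:
                continue
            if ind.path is None:
                if u.port == ind.port:          # host:port indicator seen over HTTP
                    hits.append(ind.raw)
            elif ind.path == "/" or path.startswith(ind.path):
                hits.append(ind.raw)            # bare host covers every path; /fks/ must prefix
    return hits


def scan(lines) -> List[Tuple[int, str]]:
    """(line number, indicator) for every hit across a log."""
    return [(i, ind) for i, line in enumerate(lines, 1) for ind in match_line(line)]


def check_hashes(data: bytes, expected=ENTRY_HASHES) -> Dict[str, bool]:
    """Compare a candidate file's digests with the entry's hashes, per algorithm."""
    algos = {"md5": hashlib.md5, "sha1": hashlib.sha1,
             "sha256": hashlib.sha256, "sha3_384": hashlib.sha3_384}
    return {name: algos[name](data).hexdigest() == value.lower()
            for name, value in expected.items()}


# Constructed log lines (not real traffic): three hits, two non-hits.
SAMPLE_LOG = [
    "ts=2023-10-25T02:40:01Z type=conn src=10.0.0.5 dst=194.169.175.235 dport=42691 proto=tcp",
    "ts=2023-10-25T02:40:03Z type=http src=10.0.0.5 method=POST url=http://77.91.68.29/fks/ status=200",
    "ts=2023-10-25T02:40:05Z type=http src=10.0.0.7 method=GET url=http://host-host-file8.com/x.bin status=200",
    "ts=2023-10-25T02:41:00Z type=conn src=10.0.0.9 dst=142.250.31.84 dport=443 proto=tcp",
    "ts=2023-10-25T02:41:30Z type=conn src=10.0.0.5 dst=77.91.124.86 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for n, ind in scan(SAMPLE_LOG):
        print(f"line {n}: {ind}")
```

A host:port indicator only fires on a connection to that exact port, so the last constructed line (77.91.124.86 on 443 rather than 19084) stays quiet; a bare http://host/ indicator covers every path on that host, while /fks/ and /theme/index.php must prefix the requested path. The hash check is the step to run on a downloaded sample before analysis, so that the file in front of you is the one this entry describes.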
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: NET
Author: malware-lu
Rule name: pe_no_import_table
Description: Detects a PE file that has no import table

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: RedLineStealer
File: Executable exe 9e3e16cbebb1ad62ceb1f64859d2f8a8101486c67a2b135329384764e07ca6e8 (this sample)
