MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0866d3b88aa80c674e1bd8f4c53144877add3f2e82cc9ecdb75e397be8a53c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0866d3b88aa80c674e1bd8f4c53144877add3f2e82cc9ecdb75e397be8a53c6
SHA3-384 hash: bc9c20a3f8cad4fc36b6128f463a472a28b710914ea07b42cd96d6bc37e3d89449b4dc768a1cbd8553071ad78fd39ed8
SHA1 hash: a9215a0a56d6d7e927bd1ae6a8d7c86e06dcc890
MD5 hash: b3c78334055b541515621b762fe3944c
humanhash: berlin-two-bravo-lithium
File name:b3c78334055b541515621b762fe3944c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:219'915 bytes
First seen:2023-06-23 16:22:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f8cc61ade86cb7277d0ab974de6323cb (32 x Amadey, 11 x RedLineStealer)
ssdeep 3072:meTRJ0kHbnpN23kQKp5XzutZXKGrpeN84LuZAIybiy3xEfbi:FTR2AnpN2wDurXBeBuZAIMEj
Threatray 1'376 similar samples on MalwareBazaar
TLSH T1C924F7257D12C032D56061B619F5BFF2C59C6828ABB049DB7B800F77DA122F73A61E39
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
83.97.73.131:19071

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
b3c78334055b541515621b762fe3944c.exe
Verdict:
Malicious activity
Analysis date:
2023-06-23 16:23:25 UTC
Tags:
amadey trojan rat redline loader
Link:
https://app.any.run/tasks/48928ceb-8eaa-4664-9425-86d1df0bf790

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/402263/
Detection(s):
Win.Malware.Doina-10001799-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/92504/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey greyware lolbin overlay shell32.dll
Link:
https://www.filescan.io/uploads/6495ec5f76927ec2c0074b81/reports/23190cad-4c23-4785-af68-1cb6174a1b38/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a0866d3b88aa80c674e1bd8f4c53144877add3f2e82cc9ecdb75e397be8a53c6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73305be7-8db4-4458-90e6-1c7e932b6682
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1260668
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 893686 Sample: 7NjgWco71P.exe Startdate: 23/06/2023 Architecture: WINDOWS Score: 100 186 Multi AV Scanner detection for domain / URL 2->186 188 Malicious sample detected (through community Yara rule) 2->188 190 Antivirus detection for URL or domain 2->190 192 10 other signatures 2->192 10 7NjgWco71P.exe 4 2->10         started        14 fotod85.exe 2->14         started        16 foto166.exe 2->16         started        18 9 other processes 2->18 process3 file4 130 C:\Users\user\AppData\Local\...\metado.exe, PE32 10->130 dropped 132 C:\Users\user\...\metado.exe:Zone.Identifier, ASCII 10->132 dropped 216 Contains functionality to inject code into remote processes 10->216 20 metado.exe 2 27 10->20         started        134 C:\Users\user\AppData\Local\...\y8316872.exe, PE32 14->134 dropped 136 C:\Users\user\AppData\Local\...\n3470890.exe, PE32 14->136 dropped 25 y8316872.exe 14->25         started        27 n3470890.exe 14->27         started        29 conhost.exe 14->29         started        138 C:\Users\user\AppData\Local\...\x7780142.exe, PE32 16->138 dropped 140 C:\Users\user\AppData\Local\...\i8956672.exe, PE32 16->140 dropped 31 x7780142.exe 16->31         started        33 conhost.exe 16->33         started        142 C:\Users\user\AppData\Local\...\y8316872.exe, PE32 18->142 dropped 144 C:\Users\user\AppData\Local\...\n3470890.exe, PE32 18->144 dropped 35 y8316872.exe 18->35         started        37 conhost.exe 18->37         started        signatures5 process6 dnsIp7 154 77.91.68.16, 49697, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 20->154 156 77.91.68.62, 49693, 49694, 49695 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 20->156 104 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 20->104 dropped 106 C:\Users\user\AppData\Local\...\fotod85.exe, PE32 20->106 dropped 120 5 other malicious files 20->120 dropped 194 Antivirus detection for dropped file 20->194 196 Multi AV Scanner detection for dropped file 20->196 198 Creates an undocumented autostart registry key 20->198 202 4 other signatures 20->202 39 foto166.exe 1 5 20->39         started        43 fotod85.exe 1 5 20->43         started        57 4 other processes 20->57 108 C:\Users\user\AppData\Local\...\l0322620.exe, PE32 25->108 dropped 110 C:\Users\user\AppData\Local\...\k6072711.exe, PE32 25->110 dropped 45 l0322620.exe 25->45         started        47 k6072711.exe 25->47         started        112 C:\Users\user\AppData\Local\...\g2049128.exe, PE32 31->112 dropped 114 C:\Users\user\AppData\Local\...\f5330858.exe, PE32 31->114 dropped 200 Machine Learning detection for dropped file 31->200 49 f5330858.exe 31->49         started        51 g2049128.exe 31->51         started        116 C:\Users\user\AppData\Local\...\l0322620.exe, PE32 35->116 dropped 118 C:\Users\user\AppData\Local\...\k6072711.exe, PE32 35->118 dropped 53 l0322620.exe 35->53         started        55 k6072711.exe 35->55         started        file8 signatures9 process10 file11 122 C:\Users\user\AppData\Local\...\x7780142.exe, PE32 39->122 dropped 124 C:\Users\user\AppData\Local\...\i8956672.exe, PE32 39->124 dropped 204 Machine Learning detection for dropped file 39->204 59 x7780142.exe 1 4 39->59         started        63 conhost.exe 39->63         started        126 C:\Users\user\AppData\Local\...\y8316872.exe, PE32 43->126 dropped 128 C:\Users\user\AppData\Local\...\n3470890.exe, PE32 43->128 dropped 206 Multi AV Scanner detection for dropped file 43->206 75 2 other processes 43->75 65 conhost.exe 45->65         started        67 conhost.exe 47->67         started        69 conhost.exe 49->69         started        208 Antivirus detection for dropped file 51->208 210 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 53->210 212 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 53->212 214 Tries to harvest and steal browser information (history, passwords, etc) 53->214 71 conhost.exe 53->71         started        73 conhost.exe 55->73         started        77 9 other processes 57->77 signatures12 process13 dnsIp14 146 C:\Users\user\AppData\Local\...\g2049128.exe, PE32 59->146 dropped 148 C:\Users\user\AppData\Local\...\f5330858.exe, PE32 59->148 dropped 218 Antivirus detection for dropped file 59->218 220 Machine Learning detection for dropped file 59->220 80 g2049128.exe 59->80         started        84 f5330858.exe 4 59->84         started        150 C:\Users\user\AppData\Local\...\l0322620.exe, PE32 75->150 dropped 152 C:\Users\user\AppData\Local\...\k6072711.exe, PE32 75->152 dropped 87 k6072711.exe 75->87         started        89 l0322620.exe 75->89         started        166 192.168.2.1 unknown unknown 77->166 168 192.168.2.3 unknown unknown 77->168 170 239.255.255.250 unknown Reserved 77->170 91 chrome.exe 77->91         started        file15 signatures16 process17 dnsIp18 102 C:\Users\user\AppData\Local\...\rugen.exe, PE32 80->102 dropped 172 Antivirus detection for dropped file 80->172 174 Multi AV Scanner detection for dropped file 80->174 176 Machine Learning detection for dropped file 80->176 93 rugen.exe 80->93         started        158 83.97.73.131, 19071, 49765, 49912 UNACS-AS-BG8000BurgasBG Germany 84->158 178 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 84->178 180 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 84->180 96 conhost.exe 84->96         started        182 Disable Windows Defender notifications (registry) 87->182 184 Disable Windows Defender real time protection (registry) 87->184 98 conhost.exe 87->98         started        100 conhost.exe 89->100         started        160 accounts.google.com 142.251.36.237, 443, 49728 GOOGLEUS United States 91->160 162 172.217.16.164, 443, 49744, 49983 GOOGLEUS United States 91->162 164 3 other IPs or domains 91->164 file19 signatures20 process21 signatures22 222 Antivirus detection for dropped file 93->222 224 Multi AV Scanner detection for dropped file 93->224 226 Machine Learning detection for dropped file 93->226
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0866d3b88aa80c674e1bd8f4c53144877add3f2e82cc9ecdb75e397be8a53c6/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 12:17:21 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
32 of 37 (86.49%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucdg2o4ivkamm5hbxwhuyuyujb323u7s5awmt3g3oxrzppukkpda._file
Verdict:
malicious
Similar samples:
06644e05bdf6c3cf8d8a436a9c0fd6e8957d9ef5f2e156205423cc128cf83cc1
RedLineStealer
1f01a5e39f97eaba82c33369fe7334787a263becd53d7a21077f9ba657fc0905
RedLineStealer
2e0a87bad886f18f58837a2a39a8ef709d54d1e6cda8e87d925efa9caafd2dd9
RedLineStealer
32e243c0cbc0b35f04ce16f414a5d4164839ee162263fac9d7804e9b3889a438
RedLineStealer
9d66863b767f55ad441239a3fd4635a4199b1bdf8e85c62ceb619616720f7aec
RedLineStealer
bb6b4ecd843e5233121f8aa1ef6b2c8433d1536dc3cbaabdcd0ecd23a4ba80ae
RedLineStealer
c9d9109ce23f4d10c6ddfc7fa1751521a153066a411d13a1ce7249ea1d198772
RedLineStealer
cc7f97de74cfadf4f415f83371c9f49d4b816d99828ef954d9b981d4b128b087
RedLineStealer
eb7924cb8392e363a2f4557905c414d0175eabe1e8c09a08e513346e9ac008be
RedLineStealer
eef774db6e994d00b8846a6cabbdeb9d3ba3259d017ce27ca3709abc601c5c2b
RedLineStealer
+ 1'366 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:drake brand:microsoft discovery evasion infostealer persistence phishing spyware stealer trojan
Link:
https://tria.ge/reports/230623-tvr6dafg78/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
77.91.68.62/wings/game/index.php
83.97.73.131:19071
77.91.68.63/doma/net/index.php
Unpacked files
SH256 hash:
a0866d3b88aa80c674e1bd8f4c53144877add3f2e82cc9ecdb75e397be8a53c6
MD5 hash:
b3c78334055b541515621b762fe3944c
SHA1 hash:
a9215a0a56d6d7e927bd1ae6a8d7c86e06dcc890
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/d4a4c3b1-7423-415c-8073-21a914811b45/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a0866d3b88aa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0866d3b88aa80c674e1bd8f4c53144877add3f2e82cc9ecdb75e397be8a53c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/402263/

Comments