MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18


SHA256 hash: a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505
SHA3-384 hash: ff8e8a5f5ac7b0ef2499c2afe498688cf314abfe425584f11f5586e0bfa265bcbcadc1c055799a049a96b9f929ccb410
SHA1 hash: f131d587578336651fd3e325b82b6c185a4b6429
MD5 hash: cd581d68ed550455444ee6e099c44266
humanhash: carpet-stairway-friend-mirror
File name: cd581d68ed550455444ee6e099c44266
Signature: RedLineStealer
File size: 304'128 bytes
First seen: 2024-06-27 03:56:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 3072:xqFFrqwIOGBHy9MGSwTc425F7dw4AhTiNhdSCTZifjIxcZqf7D34leqiOLCbBOu:QBIOGf4259dnTZcscZqf7DIvL
Threatray: 1'896 similar samples on MalwareBazaar
TLSH: T195545B1873E89910E53F4F799471D6B093B0EC12A857E31A5ED0AC7B3D36B40EA15BB2
TrID: 53.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      22.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.3% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 393
Origin country: FR

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
Verdict: Malicious activity
Analysis date: 2024-06-27 03:58:24 UTC
Tags: stealer redline meta metastealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Generic Network Stealth Redlinesteal
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating synchronization primitives
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Searching for the browser window
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Forced shutdown of a browser
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: keylogger redline
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine Stealer
Verdict: Malicious
Result
Threat name: LummaC, Amadey, Mars Stealer, PureLog St
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell downloading file from url shortener site
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1463420, Sample: 1Vkf7silOj.exe, Startdate: 27/06/2024, Architecture: WINDOWS, Score: 100 (graph of processes, dropped files, network endpoints and signatures; the rendered graph is not reproducible in text)
Threat name: ByteCode-MSIL.Trojan.RedLine
Status: Malicious
First seen: 2024-06-26 17:29:01 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:123 discovery infostealer spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
RedLine payload
Malware Config
C2 Extraction: 185.215.113.67:40960
Unpacked files
SHA256 hash: a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505
MD5 hash: cd581d68ed550455444ee6e099c44266
SHA1 hash: f131d587578336651fd3e325b82b6c185a4b6429
Detections: redline
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer_V2
Author: Varp0s

Rule name: GenericRedLineLike
Author: Still
Description: Matches RedLine-like stealer; may match its variants.

Rule name: MALWARE_Win_MetaStealer
Author: ditekSHen
Description: Detects MetaStealer infostealer

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Generic_Threat_efdb9e81
Author: Elastic Security

Rule name: Windows_Trojan_Generic_40899c85
Author: Elastic Security

Rule name: Windows_Trojan_RedLineStealer_6dfafd7b
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID                         Title                                                     Severity
CHECK_AUTHENTICODE         Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high

Comments
zbet commented on 2024-06-27 03:56:44 UTC

url : hxxp://77.91.77.81/lend/123.exe