MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a59c06635530b5de3a83ee2a3219833a82647f140f1898cd6f36f0caa3cb9b39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a59c06635530b5de3a83ee2a3219833a82647f140f1898cd6f36f0caa3cb9b39
SHA3-384 hash: 5656b64f24c8bcdfbe94b13b56abe805b14971d9785790b0b82712971e664e1ef128d1ca2607e870b9bf75b4e7f4533b
SHA1 hash: f39143639b4ffd1931fb75a22dd655d4165ada43
MD5 hash: 0accfefd7d679a557605a48b0b7271fd
humanhash: gee-violet-south-oven
File name:0accfefd7d679a557605a48b0b7271fd.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'495'040 bytes
First seen:2023-08-25 12:10:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:Hy7/9ypE79brARUV1EVCu/lar0GJKb2qRvOpSm9lboDKC8sUDz7+a:Sr92E79PARUV1UCu/YYgKbPR6SmzoDKY
Threatray 673 similar samples on MalwareBazaar
TLSH T111652309DBCC983AD8F51B70B5BB07930676BD924EB517AB2319640A4DF3288A835377
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0accfefd7d679a557605a48b0b7271fd.exe
Verdict:
Malicious activity
Analysis date:
2023-08-25 12:18:01 UTC
Tags:
stealc stealer redline amadey trojan opendir loader
Link:
https://app.any.run/tasks/a23f33b4-4985-4207-9029-09792627b15b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/444755/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108576/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer greyware installer lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/64e89a5ae52937d43d9fbc6e/reports/6e5d5cf5-921c-4cde-81c8-693491798158/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/a59c06635530b5de3a83ee2a3219833a82647f140f1898cd6f36f0caa3cb9b39
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e769130-66af-42ca-a0ca-5cf1b5dc3ba4
Result
Threat name:
Amadey, Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1297373
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1297373 Sample: RFShkIYKBu.exe Startdate: 25/08/2023 Architecture: WINDOWS Score: 100 92 Snort IDS alert for network traffic 2->92 94 Found malware configuration 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 14 other signatures 2->98 12 RFShkIYKBu.exe 1 4 2->12         started        15 saves.exe 2->15         started        17 rundll32.exe 2->17         started        19 6 other processes 2->19 process3 file4 74 C:\Users\user\AppData\Local\...\y0757124.exe, PE32 12->74 dropped 76 C:\Users\user\AppData\Local\...\p5614876.exe, PE32+ 12->76 dropped 21 y0757124.exe 1 4 12->21         started        process5 file6 66 C:\Users\user\AppData\Local\...\y5624607.exe, PE32 21->66 dropped 68 C:\Users\user\AppData\Local\...\o4666269.exe, PE32 21->68 dropped 108 Antivirus detection for dropped file 21->108 110 Multi AV Scanner detection for dropped file 21->110 112 Machine Learning detection for dropped file 21->112 25 y5624607.exe 1 4 21->25         started        signatures7 process8 file9 70 C:\Users\user\AppData\Local\...\y0628332.exe, PE32 25->70 dropped 72 C:\Users\user\AppData\Local\...\n9998071.exe, PE32 25->72 dropped 114 Antivirus detection for dropped file 25->114 116 Multi AV Scanner detection for dropped file 25->116 118 Machine Learning detection for dropped file 25->118 29 y0628332.exe 1 4 25->29         started        33 n9998071.exe 4 25->33         started        signatures10 process11 dnsIp12 82 C:\Users\user\AppData\Local\...\m7930725.exe, PE32 29->82 dropped 84 C:\Users\user\AppData\Local\...\l8987665.exe, PE32 29->84 dropped 128 Antivirus detection for dropped file 29->128 130 Multi AV Scanner detection for dropped file 29->130 132 Machine Learning detection for dropped file 29->132 36 m7930725.exe 3 29->36         started        40 l8987665.exe 13 29->40         started        86 77.91.124.73, 19071, 49735 ECOTEL-ASRU Russian Federation 33->86 134 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->134 136 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->136 138 Tries to harvest and steal browser information (history, passwords, etc) 33->138 file13 signatures14 process15 dnsIp16 64 C:\Users\user\AppData\Local\...\saves.exe, PE32 36->64 dropped 100 Antivirus detection for dropped file 36->100 102 Multi AV Scanner detection for dropped file 36->102 104 Machine Learning detection for dropped file 36->104 106 Contains functionality to inject code into remote processes 36->106 43 saves.exe 17 36->43         started        88 193.233.254.61, 49726, 80 FREE-NET-ASFREEnetEU Russian Federation 40->88 file17 signatures18 process19 dnsIp20 90 77.91.68.18, 49727, 49728, 49729 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 43->90 78 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 43->78 dropped 80 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 43->80 dropped 120 Antivirus detection for dropped file 43->120 122 Multi AV Scanner detection for dropped file 43->122 124 Creates an undocumented autostart registry key 43->124 126 2 other signatures 43->126 48 cmd.exe 43->48         started        50 schtasks.exe 1 43->50         started        52 rundll32.exe 43->52         started        file21 signatures22 process23 process24 54 conhost.exe 48->54         started        56 cmd.exe 48->56         started        58 cacls.exe 48->58         started        62 4 other processes 48->62 60 conhost.exe 50->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a59c06635530b5de3a83ee2a3219833a82647f140f1898cd6f36f0caa3cb9b39/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-08-24 20:28:45 UTC
File Type:
PE (Exe)
Extracted files:
347
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwoamy2vgc254oud5yvdegmdhkbgi7yub4mjrtlpg3ymvi6ltm4q._file
Verdict:
malicious
Similar samples:
05cfe38fff2121049da63b1c655a040bc7091fe211f9f2cb1b4fc02646c08374
RedLineStealer
0dfc65d1747e97aa8f387bac127f1839359352cefc169e008f58de2ff06dc49b
RedLineStealer
3f460e8769892848fd5d404260eaa8909ac6b0f59bff2bc60c512f710ee15894
RedLineStealer
55835ee0d6831c4bfce2485d71b884881f5cfff7e66b4bd3c760b9a1fb9dd4d9
RedLineStealer
7f17bcf36912f93161771f2ef5ccb5450890f2732e972ac7a3086fdc13538742
RedLineStealer
889aa399b0ef267897b65a16b78e2184cb6bb7f8862f578c9758d784b3ec8446
RedLineStealer
a34fc3155fa14a46756b68477949b2653663604648c2d1f27833194cd498047f
RedLineStealer
b27a6d841380f2dc3e011b8dc60fd30524898675d5fe3f0070d594330b3ea5f4
RedLineStealer
cc69270c69925d35f72fadaae96a907097be7116882686c4e65b58831d12e586
RedLineStealer
f6fe747d4556c1ec20ce3d660acb836ed20ab56825287c334a206613295845e1
RedLineStealer
+ 663 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:rwan infostealer persistence trojan
Link:
https://tria.ge/reports/230825-pcltesbe63/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Amadey
RedLine
Malware Config
C2 Extraction:
77.91.68.18/nice/index.php
77.91.124.73:19071
Unpacked files
SH256 hash:
47dce4c83ce68ca621512308ba4fc44b325c33619b4d8365e48b731c1b8eee38
MD5 hash:
ccfdaaa130fbfe184a68051da15ff50e
SHA1 hash:
715dd02b14fb4e9737944ec12e896df1955ecb18
Link:
https://www.unpac.me/results/8d0443b2-beda-4937-babe-271d043de9e8/
SH256 hash:
425e1918f2eb9262857cad78e9c0fb38ba2e476c66a0c332a8fa9ecc6a85fed5
MD5 hash:
0e55909541a5457243036c6b47b238c7
SHA1 hash:
50a6fafb96a944610d10f1e128e96e4704ea8fd7
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/8d0443b2-beda-4937-babe-271d043de9e8/
SH256 hash:
dbd7bd168c59846c2435e499608c98e63b5fbddfcd9de41738a535663857d608
MD5 hash:
53545a2faaac6ceba1c6d17237e728a1
SHA1 hash:
9823b4a0dab2a42ceee1fa58d3b4d2e827f53352
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8d0443b2-beda-4937-babe-271d043de9e8/
SH256 hash:
59ec2d2d90e4160b880af5084155a5a7ab9a44faf8c8632b1426950b512b4556
MD5 hash:
6d2989addd24ebc3af4e67ff7b932e91
SHA1 hash:
f370595b1c4539077a283c0d799686771171ddf4
Link:
https://www.unpac.me/results/8d0443b2-beda-4937-babe-271d043de9e8/
SH256 hash:
a59c06635530b5de3a83ee2a3219833a82647f140f1898cd6f36f0caa3cb9b39
MD5 hash:
0accfefd7d679a557605a48b0b7271fd
SHA1 hash:
f39143639b4ffd1931fb75a22dd655d4165ada43
Link:
https://www.unpac.me/results/8d0443b2-beda-4937-babe-271d043de9e8/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a59c06635530/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a59c06635530b5de3a83ee2a3219833a82647f140f1898cd6f36f0caa3cb9b39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a59c06635530b5de3a83ee2a3219833a82647f140f1898cd6f36f0caa3cb9b39

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2705160/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/444755/

Comments