MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a651011dbbc07dcbfedd03c7273738e7d4535080581f21aa789ea9610fc51826. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a651011dbbc07dcbfedd03c7273738e7d4535080581f21aa789ea9610fc51826
SHA3-384 hash: ad6c8535da6598f08a808ab3fdd7e996718f6aea5cd8338b6d51924d73eac6e3b6adff5163608e69e1a70fb7384fcef9
SHA1 hash: 0e92e6601ff2892c2f874dc3b7bc5025d0417237
MD5 hash: 906ecdf76e4523afdfc8bc963bd4f160
humanhash: chicken-cola-nine-ten
File name:906ecdf76e4523afdfc8bc963bd4f160
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'831'296 bytes
First seen:2024-01-15 19:01:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:oMfCKXo/ZPGpERQ9e6IXJ8LfRJql6SCmR7OSB0xa3:z7qe9G6LKHRSSB0xa
Threatray 1'003 similar samples on MalwareBazaar
TLSH T1F006339B9ED5D157D8B8337119D706930732BD826CB4966E3DA0A9C30D22E8CE93D31B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
379
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470987/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin obfuscated packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65a5812b784d3498d73fc895/reports/d22649e7-ad2e-4097-89d4-ba9aa91d2407/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/a651011dbbc07dcbfedd03c7273738e7d4535080581f21aa789ea9610fc51826
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/608d09ce-13a1-44eb-a9d1-f70e9de1f319
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1374963
Signature
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Downloads suspicious files via Chrome
Found API chain indicative of sandbox detection
Machine Learning detection for sample
PE file has nameless sections
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1374963 Sample: tWfizSwnIO.exe Startdate: 15/01/2024 Architecture: WINDOWS Score: 68 89 us-west1.prod.sumo.prod.webservices.mozgcp.net 2->89 91 telemetry-incoming.r53-2.services.mozilla.com 2->91 93 25 other IPs or domains 2->93 121 Antivirus / Scanner detection for submitted sample 2->121 123 Binary is likely a compiled AutoIt script file 2->123 125 Machine Learning detection for sample 2->125 127 2 other signatures 2->127 10 tWfizSwnIO.exe 1 4 2->10         started        13 msedge.exe 61 407 2->13         started        15 firefox.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 77 C:\Users\user\AppData\Local\...\Hg6ij78.exe, PE32 10->77 dropped 79 C:\Users\user\AppData\Local\...\5Nf4tE2.exe, PE32 10->79 dropped 19 Hg6ij78.exe 1 4 10->19         started        81 C:\Users\user\AppData\...\content_new.js, Unicode 13->81 dropped 83 C:\Users\user\AppData\Local\...\content.js, Unicode 13->83 dropped 85 C:\Users\user\...\page_embed_script.js, ASCII 13->85 dropped 87 C:\Users\user\...\eventpage_bin_prod.js, ASCII 13->87 dropped 23 msedge.exe 13->23         started        26 msedge.exe 13->26         started        28 msedge.exe 13->28         started        32 4 other processes 13->32 30 firefox.exe 15->30         started        process6 dnsIp7 69 C:\Users\user\AppData\Local\...\1CY65Oj8.exe, PE32 19->69 dropped 71 C:\Users\user\AppData\Local\...\4nu470VS.exe, PE32 19->71 dropped 129 Binary is likely a compiled AutoIt script file 19->129 34 1CY65Oj8.exe 13 19->34         started        37 4nu470VS.exe 19->37         started        95 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->95 97 ssl.bingadsedgeextension-prod.azurewebsites.net 138.91.254.96 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->97 103 14 other IPs or domains 23->103 99 142.250.31.84 GOOGLEUS United States 30->99 101 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 30->101 105 9 other IPs or domains 30->105 73 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 30->73 dropped 75 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 30->75 dropped 39 firefox.exe 30->39         started        41 firefox.exe 30->41         started        43 firefox.exe 30->43         started        45 6 other processes 30->45 file8 signatures9 process10 signatures11 117 Binary is likely a compiled AutoIt script file 34->117 119 Found API chain indicative of sandbox detection 34->119 47 chrome.exe 9 34->47         started        50 msedge.exe 10 34->50         started        52 chrome.exe 34->52         started        54 3 other processes 34->54 process12 dnsIp13 113 192.168.2.5, 443, 49705, 49706 unknown unknown 47->113 115 239.255.255.250 unknown Reserved 47->115 56 chrome.exe 47->56         started        59 chrome.exe 47->59         started        61 chrome.exe 47->61         started        63 msedge.exe 50->63         started        65 chrome.exe 52->65         started        67 chrome.exe 54->67         started        process14 dnsIp15 107 142.251.16.106 GOOGLEUS United States 56->107 109 142.251.16.113 GOOGLEUS United States 56->109 111 26 other IPs or domains 56->111
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a651011dbbc07dcbfedd03c7273738e7d4535080581f21aa789ea9610fc51826
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a651011dbbc07dcbfedd03c7273738e7d4535080581f21aa789ea9610fc51826/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-15 19:02:07 UTC
File Type:
PE (Exe)
Extracted files:
104
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uziqchn3yb64x7w5apdsonzy47kfguealapsdktyt2uwcd6fdata._file
Verdict:
malicious
Similar samples:
0f3d5594200f4cd0b3945bb7cc68ca39a73c0afbc5c443e585bd0fbafafe230c
RedLineStealer
42d5c8af3500e1d4979045b84efe4fe7f901e8b5bcdb46a0a8ef9e2fcb7320ef
RedLineStealer
50ca2730d4feb93b8d6cf986a86b34912d83c10dd7d7259d3538d415c904af73
RedLineStealer
550e893759da573a62c1c16144f5e8fa65e6df3eabd53c60648b9ac6748c1b8c
RedLineStealer
99d96ff0355fdbfa9a1633f5d2dfde806238bc50f0cf452ef58924679c584f3c
RedLineStealer
c6f8ab2ae2bfff6591d4950f292d04e997e8342e84c4631ee01df43b26745155
RedLineStealer
d11dbe59e05a1104b99aebac58e06bebfd85cf9b269082184cbc67e28f57b2b7
RedLineStealer
f33b1524393661b11f128366a0e0bbae8c6b340b651b2178a0f9847aeef933ee
RedLineStealer
+ 993 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google persistence phishing
Link:
https://tria.ge/reports/240115-xpr5zaeeb8/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected google phishing page
Unpacked files
SH256 hash:
b89cca870bb38d635b8292cd58c3b40edd8d08f6f0c75db8e3f49557941680c3
MD5 hash:
e5656fa3f5b609a2789584a6586eabd2
SHA1 hash:
2f3b16ff1a4857401110d052347a9ac6505b7495
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/4300718d-0bdd-49b9-b51c-e9d7e965c222/
SH256 hash:
a651011dbbc07dcbfedd03c7273738e7d4535080581f21aa789ea9610fc51826
MD5 hash:
906ecdf76e4523afdfc8bc963bd4f160
SHA1 hash:
0e92e6601ff2892c2f874dc3b7bc5025d0417237
Link:
https://www.unpac.me/results/4300718d-0bdd-49b9-b51c-e9d7e965c222/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a651011dbbc07dcbfedd03c7273738e7d4535080581f21aa789ea9610fc51826

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a651011dbbc07dcbfedd03c7273738e7d4535080581f21aa789ea9610fc51826

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/470987/
  
URLhaus
https://urlhaus.abuse.ch/url/2748901/

Comments


Avatar
zbet commented on 2024-01-15 19:02:00 UTC

url : hxxp://109.107.182.40/core/done.exe