MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c
SHA3-384 hash: bdca41102c9df2ad98b9e59b537c919d75a90176c2ed77a625848a3f9ca29f389f362bb0b98978c4376a576487387dae
SHA1 hash: 26fe46be1a3dd3b5196f68ecce7976c9f6c4808c
MD5 hash: 7295d8d574d6c6707a375f01567af110
humanhash: pip-august-zulu-carolina
File name:cdwx.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'488'320 bytes
First seen:2024-01-16 06:09:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:thl/4cr+uvE2l+7vAf0/KOBayPz4L3m0PDoDi0hNrAAlt+H1H3DVHxZ:N4Gprl+7B/KudKNACH1H3D5xZ
TLSH T151B5334253E45231E89177784AFB45435E3BFE829DBCC7A7226694B90D730C4A93B3B8
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RedLineStealer WEXTRACT

Intelligence

File Origin
# of uploads :
1
# of downloads :
357
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471055/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control crypto explorer installer lolbin obfuscated packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65a61dbc898512c48eb14ff7/reports/9b5088ce-e959-44fa-a176-4a83a2ecf865/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/048baf8d-debd-4b36-ba5c-b083bfdff55f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1375161
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Downloads suspicious files via Chrome
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1375161 Sample: cdwx.exe Startdate: 16/01/2024 Architecture: WINDOWS Score: 100 97 us-west1.prod.sumo.prod.webservices.mozgcp.net 2->97 99 telemetry-incoming.r53-2.services.mozilla.com 2->99 101 19 other IPs or domains 2->101 127 Antivirus / Scanner detection for submitted sample 2->127 129 Multi AV Scanner detection for dropped file 2->129 131 Multi AV Scanner detection for submitted file 2->131 133 5 other signatures 2->133 10 cdwx.exe 1 4 2->10         started        13 msedge.exe 62 501 2->13         started        17 firefox.exe 1 2->17         started        19 4 other processes 2->19 signatures3 process4 dnsIp5 85 C:\Users\user\AppData\Local\...\cx2rh70.exe, PE32 10->85 dropped 87 C:\Users\user\AppData\Local\...\4lI143VQ.exe, PE32 10->87 dropped 21 cx2rh70.exe 1 4 10->21         started        119 192.168.2.6 unknown unknown 13->119 89 C:\Users\user\...\page_embed_script.js, ASCII 13->89 dropped 91 C:\Users\user\...\eventpage_bin_prod.js, ASCII 13->91 dropped 93 C:\Users\user\AppData\...\content_new.js, Unicode 13->93 dropped 95 C:\Users\user\AppData\Local\...\content.js, Unicode 13->95 dropped 151 Maps a DLL or memory area into another process 13->151 25 msedge.exe 13->25         started        28 msedge.exe 13->28         started        30 msedge.exe 13->30         started        38 3 other processes 13->38 32 firefox.exe 17->32         started        34 msedge.exe 19->34         started        36 msedge.exe 19->36         started        file6 signatures7 process8 dnsIp9 77 C:\Users\user\AppData\Local\...\2va7957.exe, PE32 21->77 dropped 79 C:\Users\user\AppData\Local\...\1cA50Vl4.exe, PE32 21->79 dropped 135 Multi AV Scanner detection for dropped file 21->135 137 Binary is likely a compiled AutoIt script file 21->137 40 2va7957.exe 9 1 21->40         started        43 1cA50Vl4.exe 13 21->43         started        107 13.107.213.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->107 109 142.251.163.139 GOOGLEUS United States 25->109 115 13 other IPs or domains 25->115 111 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 32->111 113 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 GOOGLEUS United States 32->113 117 7 other IPs or domains 32->117 81 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 32->81 dropped 83 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 32->83 dropped 45 firefox.exe 32->45         started        47 firefox.exe 32->47         started        49 firefox.exe 32->49         started        51 6 other processes 32->51 file10 signatures11 process12 signatures13 139 Multi AV Scanner detection for dropped file 40->139 141 Modifies windows update settings 40->141 143 Disables Windows Defender Tamper protection 40->143 149 2 other signatures 40->149 145 Binary is likely a compiled AutoIt script file 43->145 147 Found API chain indicative of sandbox detection 43->147 53 chrome.exe 1 43->53         started        56 msedge.exe 15 43->56         started        58 chrome.exe 43->58         started        60 3 other processes 43->60 process14 dnsIp15 103 192.168.2.4, 443, 49729, 49730 unknown unknown 53->103 105 239.255.255.250 unknown Reserved 53->105 62 chrome.exe 53->62         started        65 chrome.exe 53->65         started        67 chrome.exe 53->67         started        69 msedge.exe 56->69         started        71 chrome.exe 58->71         started        73 chrome.exe 60->73         started        75 chrome.exe 60->75         started        process16 dnsIp17 121 142.250.31.113 GOOGLEUS United States 62->121 123 i.ytimg.com 142.251.111.119 GOOGLEUS United States 62->123 125 31 other IPs or domains 62->125
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-01-15 20:06:11 UTC
File Type:
PE (Exe)
Extracted files:
107
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzprco5zioqcmct47eukkftioe3va6jpzxejsuuuyggrrcmr4uoa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google evasion persistence phishing trojan
Link:
https://tria.ge/reports/240116-gw2d8afde2/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
f02f81b2054d707d6a586f678e0bff67983e2949a11c8ff4539581b62df849a9
MD5 hash:
05276d6d834de1e7686d08d9be31b26f
SHA1 hash:
e0811d7145b9e605f44321610e6887bd32cbb647
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/0a02c48d-dbf9-483f-9067-152317a26678/
SH256 hash:
e43ffd17c0690aee9d76198386c51edf23b4efb33c505efb38c39f85988d7898
MD5 hash:
a092736c001a867fc1aad9514089a7a7
SHA1 hash:
d464fd340b2d1547308f3dcbb93b41baa8baf2c0
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/0a02c48d-dbf9-483f-9067-152317a26678/
Parent samples :
8699461241ac4ceb9d3e27b23c1a681fe29b794542abde9dc6bb64e38868dcbb
2d91dcfe20b5ae265d0d7b05c96b63843583df1523f2ed285d7804d575eb72e6
837409c21abc5dbebc42c35bb852d15d7543865c361b88590a3c1b54040c59ad
a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c
SH256 hash:
a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c
MD5 hash:
7295d8d574d6c6707a375f01567af110
SHA1 hash:
26fe46be1a3dd3b5196f68ecce7976c9f6c4808c
Link:
https://www.unpac.me/results/0a02c48d-dbf9-483f-9067-152317a26678/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a65f113bb943/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a65f113bb943a0260a7cf928a51668713750792fcdc8995294c18d188991e51c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/471055/

Comments