MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a75a9ded208e0de9a02823fd2d40b2163cb152869e67e5bfe08388204d7e6d6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	a75a9ded208e0de9a02823fd2d40b2163cb152869e67e5bfe08388204d7e6d6d
SHA3-384 hash:	8fa287d85f21e18419f821f8fe3ca720857343bbb1578886037cb0e7738d116e451f3d2b07d0c7df017a005124c5d2be
SHA1 hash:	f79f1f705065c2659a04f4cbda422dbd261d5dd4
MD5 hash:	bd0e1d539cf4fb629c481cc8be1672f5
humanhash:	sink-november-wyoming-wisconsin
File name:	bd0e1d539cf4fb629c481cc8be1672f5.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'620'992 bytes
First seen:	2023-10-26 18:05:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:OyHkfO4qH0F8e8SUQVkw7r9YOWjSk0awVRcUeaVfqwzcLOGVK8dXDAMDia0:dHt50jFVkwn9pW2k0oUTAhAi
TLSH	T159752302FFD96532E8E527327CF513C35B3A3A129E76259F2359691F88322851C6632F
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://31.192.237.75/

Intelligence

File Origin

# of uploads :

# of downloads :

381

Origin country :

Vendor Threat Intelligence

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/456597/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Launching a service

Сreating synchronization primitives

Creating a file

Creating a window

Launching cmd.exe command interpreter

Searching for synchronization primitives

Running batch commands

Adding an access-denied ACE

Forced shutdown of a system process

Blocking the Windows Defender launch

Disabling the operating system update service

Sending a TCP request to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32

Link:

https://www.filescan.io/uploads/653aaa8aa6fa5eab9367c76f/reports/5140e6ad-84ea-49bf-b7d2-ee7fa74de0ed/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/a75a9ded208e0de9a02823fd2d40b2163cb152869e67e5bfe08388204d7e6d6d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7810a6e9-2adb-4c2a-9ae6-684ad46dc275

Result

Threat name:

Amadey, Babadeda, Mystic Stealer, RedLin

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1332881

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies windows update settings

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Amadey bot

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Yara detected Babadeda

Yara detected Mystic Stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a75a9ded208e0de9a02823fd2d40b2163cb152869e67e5bfe08388204d7e6d6d

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/a75a9ded208e0de9a02823fd2d40b2163cb152869e67e5bfe08388204d7e6d6d/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-10-26 18:06:05 UTC

File Type:

PE (Exe)

Extracted files:

227

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u5nj33jaryg6tibiep6s2qfscy6lcuugtzt6lp7aqoecatl6nvwq._file

Verdict:

malicious

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:amadey family:dcrat family:glupteba family:raccoon family:redline family:smokeloader family:zgrat botnet:6a6a005b9aa778f606280c5fa24ae595 botnet:grome botnet:kinza botnet:up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan

Link:

https://tria.ge/reports/231026-wpq28sdf9x/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Launches sc.exe

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Amadey

DcRat

Detect ZGRat V1

Glupteba

Glupteba payload

Modifies Windows Defender Real-time Protection settings

Raccoon

Raccoon Stealer payload

RedLine

RedLine payload

SmokeLoader

ZGRat

Malware Config

C2 Extraction:

http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
http://host-file-host6.com/
http://host-host-file8.com/
http://195.123.218.98:80
http://31.192.23