MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a86c40b7336f60749b61736fdb2192f3079baacf4893fe9d572b1891927b7ef6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: a86c40b7336f60749b61736fdb2192f3079baacf4893fe9d572b1891927b7ef6
SHA3-384 hash: c5bf46fc45d7c26048a5d5c8679334474ac80a11c80b8b830c723cd98566c66a801ddbad97cd8fec392a9821c84f8352
SHA1 hash: ab3a3c814c4bf194ee45e071606025c8281bc612
MD5 hash: c399d561802271d65a57e75ad93f4f6b
humanhash: lithium-louisiana-failed-mountain
File name: c399d561802271d65a57e75ad93f4f6b.exe
Signature: RedLineStealer
File size: 1'441'280 bytes
First seen: 2023-09-10 14:25:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 42a9a04d093acea5d87d09e3defddcb0 (shared with 32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer samples)
ssdeep: 24576:JmyCWngNFXwfP2k8vfJnEAUBY3ReZzW7XEFnGl7yfzBVc4ktuHIEwd6oE1:oyCWgNFAf9At9U4gZzCXEamLBilBlrE1
TLSH: T10A651260B4D3C072E6A606314AF1DBB20F7BB8211790E69B57A41EFF4EE43D046716B6
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe RedLineStealer
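Before a downloaded copy of this sample is fed to a sandbox, a YARA scan or a blocklist, every digest above should be recomputed and compared, not just the SHA256. The block below is an added example, not MalwareBazaar's own tooling: it copies the digests and file size from this entry into a table, recomputes them with the standard library, and adds two free sanity checks (declared size, and the "MZ" header that application/x-dosexec implies). The byte strings used in its self-test are constructed stand-ins; the real sample is not embedded here.

```python
import hashlib
import sys

# Digests and size copied from the MalwareBazaar entry above.
EXPECTED = {
    "md5": "c399d561802271d65a57e75ad93f4f6b",
    "sha1": "ab3a3c814c4bf194ee45e071606025c8281bc612",
    "sha256": "a86c40b7336f60749b61736fdb2192f3079baacf4893fe9d572b1891927b7ef6",
    "sha3_384": "c5bf46fc45d7c26048a5d5c8679334474ac80a11c80b8b830c723cd98566c66a801ddbad97cd8fec392a9821c84f8352",
}
EXPECTED_SIZE = 1441280  # the entry's "File size: 1'441'280 bytes"


def digests(data: bytes) -> dict:
    """Compute the same four digests MalwareBazaar lists, keyed by hashlib name."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def verify_sample(data: bytes, expected: dict = EXPECTED, size: int = EXPECTED_SIZE) -> dict:
    """Compare a candidate file against the entry.

    Every digest is checked: a wrong MD5 or SHA1 beside a matching SHA256 means
    a transcription error on one side, which is worth knowing before the hashes
    are pushed into a blocklist. The size and the 'MZ' header are cheap extra
    checks that catch a truncated or still-zipped download.
    """
    got = digests(data)
    mismatches = {n: {"got": got[n], "expected": expected[n]}
                  for n in expected if got[n] != expected[n]}
    return {
        "is_pe": data[:2] == b"MZ",
        "size_ok": len(data) == size,
        "digests": got,
        "mismatches": mismatches,
        "verified": not mismatches and len(data) == size,
    }


def verify_file(path: str) -> dict:
    """Read a downloaded sample from disk and verify it against the entry."""
    with open(path, "rb") as fh:
        return verify_sample(fh.read())


if __name__ == "__main__":
    report = verify_file(sys.argv[1])
    print("verified" if report["verified"] else "MISMATCH", report["mismatches"])
```

MalwareBazaar serves downloads as a password-protected ZIP archive (password "infected"); run the check on the extracted .exe, not on the archive, or the size and MZ checks will fail before the digests are even compared.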


abuse_ch
RedLineStealer C2:
http://5.78.81.39:8088/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 302
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: c399d561802271d65a57e75ad93f4f6b.exe
Verdict: No threats detected
Analysis date: 2023-09-10 14:26:29 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a service
Creating a file
Searching for the window
Launching a process
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Forced shutdown of a system process
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict: No Threat
Threat level: 10/10
Confidence: 100%
Tags: control greyware lolbin packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Fabookie, Mystic Stealer, RedLin
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior graph (ID 1306869; sample name 2nbFZbQ3Gn.exe; start date 10/09/2023; architecture WINDOWS; score 100), rendered as a process tree. Indentation shows parent and child processes; "dropped" lists files written by that process, "net" its network destinations, "signatures" the sandbox signatures attached to that node.

Top level: amadapi.tuktuk.ug; Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures.

2nbFZbQ3Gn.exe
    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
    AppLaunch.exe
        dropped: C:\Users\user\AppData\Local\...\z7213320.exe (PE32); C:\Users\user\AppData\Local\...\w8438327.exe (PE32)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController) and sensitive disk information (via WMI, Win32_DiskDrive), often done to detect virtual machines
        z7213320.exe
            dropped: C:\Users\user\AppData\Local\...\z6427170.exe (PE32); C:\Users\user\AppData\Local\...\u8133568.exe (PE32)
            signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
            z6427170.exe
                dropped: C:\Users\user\AppData\Local\...\z6596951.exe (PE32); C:\Users\user\AppData\Local\...\t8693722.exe (PE32)
                signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                z6596951.exe
                    dropped: C:\Users\user\AppData\Local\...\z2139018.exe (PE32); C:\Users\user\AppData\Local\...\s8266807.exe (PE32)
                    signatures: Queries sensitive video device information (via WMI, Win32_VideoController) and sensitive disk information (via WMI, Win32_DiskDrive), often done to detect virtual machines
                    s8266807.exe
                        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
                        AppLaunch.exe
                            signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
                            explorer.exe (injected)
                                net: 79.137.192.18 (PSKSET-ASRU, Russian Federation); 77.91.68.29, ports 49784, 49794, 49808 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 77.91.68.78, ports 49812, 49822, 80 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation)
                                dropped: C:\Users\user\AppData\Roaming\sfhwfvg (PE32); C:\Users\user\AppData\Local\Temp\FDF1.exe (PE32+); C:\Users\user\AppData\Local\Temp\A86F.exe (PE32); 3 other malicious files
                                signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
                        conhost.exe
                        WerFault.exe
                    z2139018.exe
                        dropped: C:\Users\user\AppData\Local\...\r9964901.exe (PE32); C:\Users\user\AppData\Local\...\q9345539.exe (PE32)
                        q9345539.exe
                            signatures: Queries sensitive video device information (via WMI, Win32_VideoController) and sensitive disk information (via WMI, Win32_DiskDrive), often done to detect virtual machines; Writes to foreign memory regions
                            AppLaunch.exe
                                signatures: Disable Windows Defender notifications (registry); Disable Windows Defender real time protection (registry)
                            WerFault.exe
                            conhost.exe
                        r9964901.exe
                            signatures: Allocates memory in foreign processes; Injects a PE file into a foreign process
                            AppLaunch.exe
                                net: 5.42.92.211, ports 49714, 49727, 49754 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
                            WerFault.exe
                            2 other processes
                t8693722.exe
                    dropped: C:\Users\user\AppData\Local\...\explonde.exe (PE32)
                    signatures: Multi AV Scanner detection for dropped file
                    explonde.exe
                        net: 77.91.68.52, ports 49717, 49718, 49720 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 77.91.124.231, ports 49719, 49721, 49730 (ECOTEL-ASRU, Russian Federation); 2 other IPs or domains
                        dropped: C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\autorun.exe (PE32); C:\Users\user\AppData\Local\Temp\...\zur.exe (PE32); 7 other malicious files
                        signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Uses schtasks.exe or at.exe to add and modify task schedules
                        cmd.exe
                            7 other processes
                        schtasks.exe
                            conhost.exe
                        rundll32.exe
            u8133568.exe
                signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
                AppLaunch.exe
                    net: 77.91.124.82, ports 19071, 49724, 49729 (ECOTEL-ASRU, Russian Federation)
                    signatures: Tries to harvest and steal browser information (history, passwords, etc)
                conhost.exe
    conhost.exe
    WerFault.exe
rundll32.exe (started from the top level)
explonde.exe (started from the top level)
Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2023-09-10 14:26:07 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 19 of 23 (82.61%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: smokeloader
Score: 10/10
Tags: family:amadey family:healer family:raccoon family:redline family:smokeloader botnet:1008 botnet:smokiez_build botnet:tuco backdoor dropper evasion infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Amadey
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Raccoon
Raccoon Stealer payload
RedLine
RedLine payload
SmokeLoader
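The sandbox signatures and behaviours listed above (Defender real-time protection switched off through the registry, Run keys and schtasks.exe used for persistence, AppLaunch.exe started from a user-writable directory as the injection host) are the host-side events a SOC would alert on. The block below is an added example, not part of this MalwareBazaar entry or of any vendor's rule set: it runs simple detection logic over a handful of constructed Sysmon-style events and reports which technique each one matches. The event dictionaries are invented for illustration (the "Temp\example\" directories stand in for the elided "..." paths on this page), the Defender registry values are the documented policy keys, and the extra .NET hosts beside AppLaunch.exe are an assumption rather than something observed in this sample.

```python
import re

# Constructed Sysmon-style events for illustration; none were captured from this
# sample. EventID 1 = process creation, 13 = registry value set. Directories named
# Temp\example\ are invented stand-ins for the elided "..." paths on this page.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\example\s8266807.exe",
     "CommandLine": "AppLaunch.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,
     "Image": r"C:\Users\user\AppData\Local\Temp\example\explonde.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\explonde",
     "Details": r"C:\Users\user\AppData\Local\Temp\example\explonde.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\example\explonde.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde /TR "C:\Users\user\AppData\Local\Temp\example\explonde.exe" /F'},
    {"EventID": 1,
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]

# Documented Windows Defender policy values; set to 1 they disable protection.
DEFENDER_TAMPER = re.compile(
    r"\\Windows Defender\\(DisableAntiSpyware|Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection))$",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
# AppLaunch.exe is the injection host seen in this entry; the others are .NET
# utilities commonly abused the same way (assumption, not observed here).
INJECTION_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the techniques this single event matches."""
    hits = []
    if event.get("EventID") == 13:
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if DEFENDER_TAMPER.search(target) and "0x00000001" in details:
            hits.append("defender_tamper")
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            hits.append("run_key_persistence")
    elif event.get("EventID") == 1:
        image = basename(event.get("Image", ""))
        parent = event.get("ParentImage", "")
        cmdline = event.get("CommandLine", "")
        # A .NET utility started by something in a user-writable directory is the
        # hollowing pattern the graph shows (dropper -> AppLaunch.exe -> C2 traffic).
        if image in INJECTION_HOSTS and USER_WRITABLE.search(parent):
            hits.append("dotnet_injection_host")
        if image == "schtasks.exe" and re.search(r"/create\b", cmdline, re.IGNORECASE) \
                and USER_WRITABLE.search(cmdline):
            hits.append("schtasks_persistence")
    return hits


def scan(events) -> list:
    """Classify every event; returns [(index, [technique, ...]), ...] for events that hit."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


def techniques(events) -> set:
    """The set of distinct techniques seen across a batch of events."""
    return {t for _, hits in scan(events) for t in hits}
```

Each rule keys on a combination the sandbox output supports (a protection-disabling value written to a Defender policy key, a Run value or schtasks /Create pointing into AppData, a .NET host spawned from AppData) rather than on the sample's file names, which are randomised per drop and would not survive the next build.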
Malware Config
C2 Extraction:
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
77.91.124.82:19071
http://77.91.68.29/fks/
194.169.175.232:45450
142.132.181.20:31080
http://5.42.65.80/8bmeVwqx/index.php
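The extracted C2 list mixes full URLs (the Amadey-style /index.php panels) with bare host:port pairs (the raw TCP endpoints typical of RedLine and Mystic Stealer), and the reporter's comment near the top adds one more URL. Before these go into a blocklist or a proxy-log search they need a single shape. The block below is an added example, not MalwareBazaar's code: it normalises the entries exactly as listed on this page into (host, port, path) tuples, indexes them, and then matches a few constructed proxy and netflow log lines against the index. The log lines are invented for illustration and were not captured from this sample.

```python
from urllib.parse import urlsplit

# C2 indicators exactly as listed on this MalwareBazaar entry
# (reporter comment plus the "C2 Extraction" block).
RAW_C2 = [
    "http://5.78.81.39:8088/",
    "http://77.91.68.52/mac/index.php",
    "http://77.91.68.78/help/index.php",
    "77.91.124.82:19071",
    "http://77.91.68.29/fks/",
    "194.169.175.232:45450",
    "142.132.181.20:31080",
    "http://5.42.65.80/8bmeVwqx/index.php",
]


def normalize(entry: str) -> tuple:
    """Return (host, port, path).

    URL entries (HTTP panels) default to port 80/443 when none is given;
    bare host:port entries (raw TCP C2) get path None.
    """
    if "://" in entry:
        u = urlsplit(entry)
        port = u.port or (443 if u.scheme == "https" else 80)
        return (u.hostname, port, u.path or "/")
    host, _, port = entry.rpartition(":")
    return (host, int(port), None)


def build_index(entries) -> dict:
    """Index (host, port) -> set of paths so a log line is a dict lookup, not a scan."""
    idx = {}
    for e in entries:
        host, port, path = normalize(e)
        idx.setdefault((host, port), set()).add(path)
    return idx


# Constructed log lines, not from the sample: "proxy" lines carry a URL,
# "flow" lines a dst=ip:port pair.
SAMPLE_LOGS = [
    "proxy 2023-09-10T14:27:01Z src=10.0.0.5 url=http://77.91.68.52/mac/index.php status=200",
    "flow  2023-09-10T14:27:02Z src=10.0.0.5 dst=77.91.124.82:19071 proto=tcp bytes=4123",
    "proxy 2023-09-10T14:27:03Z src=10.0.0.7 url=http://77.91.68.52/other.php status=404",
    "flow  2023-09-10T14:27:04Z src=10.0.0.9 dst=8.8.8.8:53 proto=udp bytes=80",
]


def match_log(line: str, idx: dict):
    """Return a hit dict when the line's destination is a listed C2 endpoint, else None.

    A URL hit on the right host:port but an unlisted path is still reported
    (path_match False): the panel host is the indicator, the path may rotate.
    """
    kind, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    if kind == "proxy" and "url" in fields:
        host, port, path = normalize(fields["url"])
    elif kind == "flow" and "dst" in fields:
        host, port, path = normalize(fields["dst"])
    else:
        return None
    paths = idx.get((host, port))
    if paths is None:
        return None
    return {"src": fields.get("src"), "host": host, "port": port,
            "path_match": path in paths}


def scan_logs(lines, idx=None) -> list:
    """Run every line through match_log and keep the hits."""
    idx = idx if idx is not None else build_index(RAW_C2)
    return [hit for hit in (match_log(l, idx) for l in lines) if hit]
```

Indexing on (host, port) rather than on the full URL is deliberate: the non-standard ports (8088, 19071, 31080, 45450) are the most stable part of these indicators, and matching a panel host on a different path still deserves a ticket.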
Unpacked files
SHA256 hash: a86c40b7336f60749b61736fdb2192f3079baacf4893fe9d572b1891927b7ef6
MD5 hash: c399d561802271d65a57e75ad93f4f6b
SHA1 hash: ab3a3c814c4bf194ee45e071606025c8281bc612
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AppLaunch
Author: iam-py-test
Description: Detect files referencing .Net AppLaunch.exe

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe, SHA256 a86c40b7336f60749b61736fdb2192f3079baacf4893fe9d572b1891927b7ef6 (this sample)

Comments