MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a87a42e90b9d980accdbb4d57448856ac8d2d04eb890fcba9d7dafb3cfb66cdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a87a42e90b9d980accdbb4d57448856ac8d2d04eb890fcba9d7dafb3cfb66cdd
SHA3-384 hash: f47bf33a136487e2971459e4d5a8c86b4c4de131e17912f4a3f24323879616a07715d095034dbba09f270e152d815419
SHA1 hash: d902fe8e91764167ee34b91de48c16a3d902a693
MD5 hash: d36106beb8038bdea6c1912aabd244f9
humanhash: louisiana-orange-vegan-don
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'437'184 bytes
First seen:2023-09-20 17:08:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:oyqu0ZFlhvGepBPyWtcocFyQcChJS4k0bMtUs0JSTL:vqFZF/eepBVr6yQTjk0bbsh
Threatray 1'229 similar samples on MalwareBazaar
TLSH T1F5652352F7E04631DC76677051FF03D30A397E217CB8932B2291984B9CE5A60BA7B35A
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-20 17:12:03 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/c485fd24-53ba-48b0-b22d-6c9d0536d3d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450139/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/650b272f33582f234efd85da/reports/06c30f84-6577-4634-90ed-befb74e88add/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/a87a42e90b9d980accdbb4d57448856ac8d2d04eb890fcba9d7dafb3cfb66cdd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b2c25ea-a1ed-48b0-98bd-180fe53ee341
Result
Threat name:
Fabookie, Mystic Stealer, RedLine, Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311788
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Fabookie
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1311788 Sample: file.exe Startdate: 20/09/2023 Architecture: WINDOWS Score: 100 141 www3.l.google.com 2->141 143 www.google.com 2->143 145 9 other IPs or domains 2->145 187 Snort IDS alert for network traffic 2->187 189 Found malware configuration 2->189 191 Malicious sample detected (through community Yara rule) 2->191 193 13 other signatures 2->193 15 file.exe 1 4 2->15         started        18 svchost.exe 2->18         started        21 svchost.exe 2->21         started        24 5 other processes 2->24 signatures3 process4 dnsIp5 127 C:\Users\user\AppData\Local\...\v2756545.exe, PE32 15->127 dropped 129 C:\Users\user\AppData\Local\...\e9216088.exe, PE32 15->129 dropped 26 v2756545.exe 1 4 15->26         started        169 Changes security center settings (notifications, updates, antivirus, firewall) 18->169 147 127.0.0.1 unknown unknown 21->147 file6 signatures7 process8 file9 115 C:\Users\user\AppData\Local\...\v3565416.exe, PE32 26->115 dropped 117 C:\Users\user\AppData\Local\...\d2613082.exe, PE32 26->117 dropped 213 Antivirus detection for dropped file 26->213 215 Multi AV Scanner detection for dropped file 26->215 30 v3565416.exe 1 4 26->30         started        34 d2613082.exe 26->34         started        signatures10 process11 file12 123 C:\Users\user\AppData\Local\...\v2272691.exe, PE32 30->123 dropped 125 C:\Users\user\AppData\Local\...\c8235106.exe, PE32 30->125 dropped 221 Antivirus detection for dropped file 30->221 223 Multi AV Scanner detection for dropped file 30->223 36 v2272691.exe 1 4 30->36         started        40 c8235106.exe 1 30->40         started        225 Writes to foreign memory regions 34->225 227 Allocates memory in foreign processes 34->227 229 Injects a PE file into a foreign processes 34->229 42 AppLaunch.exe 34->42         started        44 conhost.exe 34->44         started        46 AppLaunch.exe 34->46         started        48 WerFault.exe 34->48         started        signatures13 process14 file15 107 C:\Users\user\AppData\Local\...\b4771530.exe, PE32 36->107 dropped 109 C:\Users\user\AppData\Local\...\a8092193.exe, PE32 36->109 dropped 195 Antivirus detection for dropped file 36->195 197 Multi AV Scanner detection for dropped file 36->197 50 b4771530.exe 1 36->50         started        53 a8092193.exe 1 36->53         started        199 Writes to foreign memory regions 40->199 201 Allocates memory in foreign processes 40->201 203 Injects a PE file into a foreign processes 40->203 55 AppLaunch.exe 4 40->55         started        58 conhost.exe 40->58         started        60 AppLaunch.exe 40->60         started        62 WerFault.exe 40->62         started        205 Disable Windows Defender notifications (registry) 42->205 207 Disable Windows Defender real time protection (registry) 42->207 signatures16 process17 dnsIp18 171 Multi AV Scanner detection for dropped file 50->171 173 Writes to foreign memory regions 50->173 175 Allocates memory in foreign processes 50->175 64 AppLaunch.exe 50->64         started        67 WerFault.exe 19 9 50->67         started        69 conhost.exe 50->69         started        71 SgrmBroker.exe 50->71         started        177 Injects a PE file into a foreign processes 53->177 73 AppLaunch.exe 13 53->73         started        76 WerFault.exe 23 9 53->76         started        78 conhost.exe 53->78         started        149 77.91.124.82, 19071, 49714, 49736 ECOTEL-ASRU Russian Federation 55->149 179 Tries to harvest and steal browser information (history, passwords, etc) 55->179 signatures19 process20 dnsIp21 153 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 64->153 155 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 64->155 157 Maps a DLL or memory area into another process 64->157 163 2 other signatures 64->163 80 explorer.exe 64->80 injected 151 5.42.92.211, 49709, 49743, 49745 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 73->151 159 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 73->159 161 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 73->161 signatures22 process23 dnsIp24 135 5.42.65.80, 49747, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 80->135 137 77.91.68.29, 49727, 49733, 49738 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 80->137 139 4 other IPs or domains 80->139 99 C:\Users\user\AppData\Roaming\tdsutee, PE32 80->99 dropped 101 C:\Users\user\AppData\Local\Temp\D75D.exe, PE32 80->101 dropped 103 C:\Users\user\AppData\Local\Temp\C7B2.exe, PE32 80->103 dropped 105 4 other malicious files 80->105 dropped 181 System process connects to network (likely due to code injection or exploit) 80->181 183 Benign windows process drops PE files 80->183 185 Hides that the sample has been downloaded from the Internet (zone.identifier) 80->185 85 5754.exe 80->85         started        89 rundll32.exe 80->89         started        file25 signatures26 process27 file28 111 C:\Users\user\AppData\Local\...\x6844808.exe, PE32 85->111 dropped 113 C:\Users\user\AppData\Local\...\k8855225.exe, PE32 85->113 dropped 209 Antivirus detection for dropped file 85->209 211 Machine Learning detection for dropped file 85->211 91 x6844808.exe 85->91         started        signatures29 process30 file31 119 C:\Users\user\AppData\Local\...\x2954931.exe, PE32 91->119 dropped 121 C:\Users\user\AppData\Local\...\j6397421.exe, PE32 91->121 dropped 217 Antivirus detection for dropped file 91->217 219 Machine Learning detection for dropped file 91->219 95 x2954931.exe 91->95         started        signatures32 process33 file34 131 C:\Users\user\AppData\Local\...\x6684022.exe, PE32 95->131 dropped 133 C:\Users\user\AppData\Local\...\i1515657.exe, PE32 95->133 dropped 165 Antivirus detection for dropped file 95->165 167 Machine Learning detection for dropped file 95->167 signatures35
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a87a42e90b9d980accdbb4d57448856ac8d2d04eb890fcba9d7dafb3cfb66cdd/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 17:09:06 UTC
File Type:
PE (Exe)
Extracted files:
149
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vb5ef2iltwmavtg3wtkxisefnlenfucoxcipzou5pwx3ht5wntoq._file
Verdict:
malicious
Similar samples:
003fb028b1957462e30e031f2fae39d689a244b0b611bc295c97ca4763049428
RedLineStealer
2577bd2a22a0df03082a3d61b193668ccfa94a1aef60cb7bb0a7a5123c552c1d
RedLineStealer
324674f0da8d1f18d94372a9d0ab0953cbfa3dfe7e05601d9dcb47efa80f8f5f
RedLineStealer
4409a49dcc9e50f5183fba01b2a6193042f889e24146ee31fe9b14bac060c4ab
RedLineStealer
6954873d28ea95a9c8a54a5ed0b7e08ebcd026d3f7c562369ca4c8ab5c517b12
RedLineStealer
6b7cb068d3f3d4e2b7e50f06cb3a58dccde129c91852914b62ee7a2720ed113b
RedLineStealer
845321e0072b6a37c502b6f5992d8e750ac254c3b09c9e55874722fae5ba87d4
RedLineStealer
9f1a717948c323c01d4b2ef9ed4e5b369faf64bd5582f1fb3719ff5a8c32c601
RedLineStealer
e111ee546fa43ec78c9aba327edfe3a042398ac6b54bdc650ebfe05d42a003b3
RedLineStealer
f05c8cf7049760c851264415b703d88202fd83fe3dc3905c004378175d07499f
RedLineStealer
+ 1'219 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:healer family:mystic family:redline family:smokeloader family:xmrig botnet:trush botnet:up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/230920-vn422abf37/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
XMRig Miner payload
Detects Healer an antivirus disabler dropper
Glupteba
Glupteba payload
Healer
Modifies Windows Defender Real-time Protection settings
Mystic
RedLine
RedLine payload
SmokeLoader
xmrig
Malware Config
C2 Extraction:
77.91.124.82:19071
http://77.91.68.29/fks/
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
6a53ce3cc85b1b0eefe1499532756fdeb938954714725287941f3761592d4015
MD5 hash:
1948f5f154ac8749054f701bebf5a304
SHA1 hash:
a5e35ff085be48d9470c14874a6ce1774bebc9ee
Link:
https://www.unpac.me/results/9c7a0447-e3e8-4aa0-9225-58812f3ed7d8/
SH256 hash:
ccf2f25f4f87fcdf417ce9d96e5df9275f4ab76d61af335b480de5868a54ae81
MD5 hash:
cb419f9589201433fc4ae87c74750acc
SHA1 hash:
5010f2a462993768269e7d326521518a1aaa7fef
Link:
https://www.unpac.me/results/9c7a0447-e3e8-4aa0-9225-58812f3ed7d8/
SH256 hash:
47f1a7769d733ed1def8ced67d41386a425b2146e886a88e644861250118494a
MD5 hash:
cb6bd84ddb01f01fb09479f9e37685f1
SHA1 hash:
fa1cf4e70d1c1256f53635fea10ff19b136760a4
Link:
https://www.unpac.me/results/9c7a0447-e3e8-4aa0-9225-58812f3ed7d8/
SH256 hash:
a87a42e90b9d980accdbb4d57448856ac8d2d04eb890fcba9d7dafb3cfb66cdd
MD5 hash:
d36106beb8038bdea6c1912aabd244f9
SHA1 hash:
d902fe8e91764167ee34b91de48c16a3d902a693
Link:
https://www.unpac.me/results/9c7a0447-e3e8-4aa0-9225-58812f3ed7d8/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a87a42e90b9d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a87a42e90b9d980accdbb4d57448856ac8d2d04eb890fcba9d7dafb3cfb66cdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:mal_healer
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:Payload disabling Windows AV
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/450139/

Comments