MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac
SHA3-384 hash: 9c450dd01d9608a78b11ea6ab876df3cbbe7272f544d27ae061a1adb802dd0b4fe2fe208cd92b3f2ddc6fc38014650e9
SHA1 hash: 6ef655cf11ea5dba5e48f7dba969cbda82a48795
MD5 hash: 9f55390934317f9d308b0e8d509c8c5d
humanhash: timing-helium-arkansas-dakota
File name:9f55390934317f9d308b0e8d509c8c5d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'869'824 bytes
First seen:2023-11-03 20:40:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:DzSXpv9E7ywHNZ71NEau+y02RZDfw8CFUHaZEizC8:fSXnmyKNZ7XEaxsrf9K7z5
TLSH T17A8533A2AFE48873E5722BB048F7594315763CA04C78927F225BAF562D73AD07931732
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
195.10.205.17:8122

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Steal.zip
Verdict:
Malicious activity
Analysis date:
2023-11-03 23:59:57 UTC
Tags:
stealc stealer redline amadey botnet trojan opendir loader
Link:
https://app.any.run/tasks/615010f4-771f-4e1a-bb40-7819cd1b97c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching a service
Сreating synchronization primitives
Creating a file
Creating a window
Launching cmd.exe command interpreter
Searching for synchronization primitives
Running batch commands
Forced shutdown of a system process
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer greyware installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65455ae33dd412119bebaf9d/reports/f6ae1652-fdce-4b2b-8e0c-ef71b11ea236/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10c26c2c-26b2-4db5-a904-d286655f0a13
Result
Threat name:
Amadey, Mystic Stealer, RedLine, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336915
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1336915 Sample: RdHeDCQH65.exe Startdate: 03/11/2023 Architecture: WINDOWS Score: 100 221 Found malware configuration 2->221 223 Malicious sample detected (through community Yara rule) 2->223 225 Antivirus detection for URL or domain 2->225 227 18 other signatures 2->227 14 RdHeDCQH65.exe 1 4 2->14         started        17 svchost.exe 2->17         started        20 explothe.exe 2->20         started        process3 dnsIp4 157 C:\Users\user\AppData\Local\...\qJ0Hi40.exe, PE32 14->157 dropped 159 C:\Users\user\AppData\Local\...\7Gg1YH81.exe, PE32 14->159 dropped 22 qJ0Hi40.exe 1 4 14->22         started        173 69.192.108.161 AKAMAI-ASUS United States 17->173 175 127.0.0.1 unknown unknown 17->175 file5 process6 file7 141 C:\Users\user\AppData\Local\...\qe3sp23.exe, PE32 22->141 dropped 143 C:\Users\user\AppData\Local\...\6jF5iW0.exe, PE32 22->143 dropped 253 Antivirus detection for dropped file 22->253 255 Multi AV Scanner detection for dropped file 22->255 257 Machine Learning detection for dropped file 22->257 26 qe3sp23.exe 1 4 22->26         started        30 6jF5iW0.exe 22->30         started        signatures8 process9 file10 153 C:\Users\user\AppData\Local\...\Qb3tR91.exe, PE32 26->153 dropped 155 C:\Users\user\AppData\Local\...\5Kb9Sb9.exe, PE32 26->155 dropped 275 Antivirus detection for dropped file 26->275 277 Multi AV Scanner detection for dropped file 26->277 279 Machine Learning detection for dropped file 26->279 32 Qb3tR91.exe 1 4 26->32         started        36 5Kb9Sb9.exe 26->36         started        signatures11 process12 file13 115 C:\Users\user\AppData\Local\...\ea3AS44.exe, PE32 32->115 dropped 117 C:\Users\user\AppData\Local\...\4Ef304Ch.exe, PE32 32->117 dropped 215 Antivirus detection for dropped file 32->215 217 Multi AV Scanner detection for dropped file 32->217 219 Machine Learning detection for dropped file 32->219 38 ea3AS44.exe 1 4 32->38         started        42 4Ef304Ch.exe 32->42         started        119 C:\Users\user\AppData\Local\...\explothe.exe, PE32 36->119 dropped 44 explothe.exe 36->44         started        signatures14 process15 dnsIp16 145 C:\Users\user\AppData\Local\...\Fa0tP02.exe, PE32 38->145 dropped 147 C:\Users\user\AppData\Local\...\3rh86cl.exe, PE32 38->147 dropped 259 Antivirus detection for dropped file 38->259 261 Multi AV Scanner detection for dropped file 38->261 263 Machine Learning detection for dropped file 38->263 47 3rh86cl.exe 38->47         started        50 Fa0tP02.exe 1 4 38->50         started        265 Writes to foreign memory regions 42->265 267 Allocates memory in foreign processes 42->267 269 Injects a PE file into a foreign processes 42->269 53 AppLaunch.exe 42->53         started        185 77.91.124.1 ECOTEL-ASRU Russian Federation 44->185 149 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 44->149 dropped 151 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 44->151 dropped 271 Creates an undocumented autostart registry key 44->271 273 Uses schtasks.exe or at.exe to add and modify task schedules 44->273 56 cmd.exe 44->56         started        58 schtasks.exe 44->58         started        60 rundll32.exe 44->60         started        file17 signatures18 process19 dnsIp20 281 Multi AV Scanner detection for dropped file 47->281 283 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 47->283 285 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 47->285 289 3 other signatures 47->289 62 explorer.exe 23 20 47->62 injected 133 C:\Users\user\AppData\Local\...\2HJ2789.exe, PE32 50->133 dropped 135 C:\Users\user\AppData\Local\...\1zC25KT6.exe, PE32 50->135 dropped 67 1zC25KT6.exe 50->67         started        69 2HJ2789.exe 50->69         started        177 77.91.124.86 ECOTEL-ASRU Russian Federation 53->177 287 Found many strings related to Crypto-Wallets (likely being stolen) 53->287 71 cacls.exe 56->71         started        73 cacls.exe 56->73         started        75 conhost.exe 56->75         started        79 4 other processes 56->79 77 conhost.exe 58->77         started        file21 signatures22 process23 dnsIp24 187 185.196.9.171 SIMPLECARRIERCH Switzerland 62->187 189 5.42.65.80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 62->189 191 4 other IPs or domains 62->191 161 C:\Users\user\AppData\Local\Temp\D480.exe, PE32 62->161 dropped 163 C:\Users\user\AppData\Local\Temp\CCFD.exe, PE32 62->163 dropped 165 C:\Users\user\AppData\Local\Temp\C868.exe, PE32 62->165 dropped 167 5 other malicious files 62->167 dropped 193 System process connects to network (likely due to code injection or exploit) 62->193 195 Benign windows process drops PE files 62->195 81 857E.exe 62->81         started        85 B992.exe 62->85         started        87 8D70.exe 62->87         started        96 4 other processes 62->96 197 Multi AV Scanner detection for dropped file 67->197 199 Contains functionality to inject code into remote processes 67->199 201 Writes to foreign memory regions 67->201 89 AppLaunch.exe 9 1 67->89         started        203 Allocates memory in foreign processes 69->203 205 Injects a PE file into a foreign processes 69->205 91 AppLaunch.exe 12 69->91         started        207 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 71->207 209 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 71->209 94 Conhost.exe 73->94         started        file25 signatures26 process27 dnsIp28 121 C:\Users\user\AppData\Local\...\ix0pp9ow.exe, PE32 81->121 dropped 123 C:\Users\user\AppData\Local\...\6cJ48DI.exe, PE32 81->123 dropped 229 Antivirus detection for dropped file 81->229 231 Machine Learning detection for dropped file 81->231 98 ix0pp9ow.exe 81->98         started        125 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 85->125 dropped 127 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 85->127 dropped 129 C:\Users\user\AppData\Local\Temp\kos4.exe, PE32 85->129 dropped 131 2 other malicious files 85->131 dropped 233 Multi AV Scanner detection for dropped file 85->233 235 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 85->235 237 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 87->237 239 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 87->239 241 Tries to harvest and steal browser information (history, passwords, etc) 87->241 243 Modifies windows update settings 89->243 245 Disable Windows Defender notifications (registry) 89->245 247 Disable Windows Defender real time protection (registry) 89->247 183 193.233.255.73 FREE-NET-ASFREEnetEU Russian Federation 91->183 102 chrome.exe 96->102         started        105 chrome.exe 96->105         started        107 chrome.exe 96->107         started        109 6 other processes 96->109 file29 signatures30 process31 dnsIp32 137 C:\Users\user\AppData\Local\...\Ln7EU3HK.exe, PE32 98->137 dropped 139 C:\Users\user\AppData\Local\...\5mK76Jt.exe, PE32 98->139 dropped 249 Antivirus detection for dropped file 98->249 251 Machine Learning detection for dropped file 98->251 111 Ln7EU3HK.exe 98->111         started        179 192.168.2.4 unknown unknown 102->179 181 239.255.255.250 unknown Reserved 102->181 file33 signatures34 process35 file36 169 C:\Users\user\AppData\Local\...\bZ8jQ2xz.exe, PE32 111->169 dropped 171 C:\Users\user\AppData\Local\...\4PR061TO.exe, PE32 111->171 dropped 211 Antivirus detection for dropped file 111->211 213 Machine Learning detection for dropped file 111->213 signatures37
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-11-03 20:34:12 UTC
File Type:
PE (Exe)
Extracted files:
224
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7zqd543vf2azq2lmiugasibwyqj5r5f7bdjh6eax3cawuxcykwa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:kedru botnet:livetraffic botnet:pixelnew2.0 botnet:plost botnet:up3 backdoor dropper evasion infostealer loader persistence rat trojan
Link:
https://tria.ge/reports/231103-zgek1scb55/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Amadey
DcRat
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
194.49.94.11:80
http://host-file-host6.com/
http://host-host-file8.com/
195.10.205.17:8122
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/d1cd8bbd-6f46-4e83-810e-43f48c05fb84/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
718297507750eeebbad561d1d2ce2a0aed61095f9ed7ea790180a10e872d32ac
MD5 hash:
962cee236aec244a53501db079c1c626
SHA1 hash:
de456fe61513b456f0c75cfc0c77b4df39562008
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/d1cd8bbd-6f46-4e83-810e-43f48c05fb84/
Parent samples :
d24dbfc796b0b1b56e8a669aaac50a6eb730882738111cd1ba66790d85b4fa7e
aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac
229e859dda6cc0bc99a395824f4524693bdd0292b4b9c55d06b4fa38279b3ea2
SH256 hash:
f852dbc94ee59069011a0332f180d2946eecdbf046ed282b25d18f2585e89738
MD5 hash:
2b69c7c79ce0c8ab946d60132c63a88d
SHA1 hash:
ac8ce53bca2a41f1b169433221b0a9ea715b1e3a
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/d1cd8bbd-6f46-4e83-810e-43f48c05fb84/
Parent samples :
aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac
172f218bed376edaefeaca3e144df5148b9348be8a06cbfb9fd50803940e28e8
SH256 hash:
e9fa5ab928a79709abfcb3e7d773b820510f76f3d2b67043d11425ac4d605362
MD5 hash:
1a1a5cdd6cb0a13ab96b426d5949665e
SHA1 hash:
7bd6c162dfc8a4d6f55b44bd6e3199a5987c1412
Link:
https://www.unpac.me/results/d1cd8bbd-6f46-4e83-810e-43f48c05fb84/
SH256 hash:
fb6d753345112df9fc90177d4008a5742090fadb8dc13b3f1fa3147209c0d4a2
MD5 hash:
c880a8e2b91d14c7acf126533e10bd91
SHA1 hash:
87c0a18bc06a36d84684f887913de845dd78f9a5
Link:
https://www.unpac.me/results/d1cd8bbd-6f46-4e83-810e-43f48c05fb84/
SH256 hash:
f6adf4e50a44fb9c2941355cbae6be6a8cf3c27a8e64723b98af8dc03973a5f3
MD5 hash:
b75c1de2a81fcf4a963451edfd2079a1
SHA1 hash:
5155826320a60ddd91557057c428629ba36b67f9
Link:
https://www.unpac.me/results/d1cd8bbd-6f46-4e83-810e-43f48c05fb84/
SH256 hash:
aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac
MD5 hash:
9f55390934317f9d308b0e8d509c8c5d
SHA1 hash:
6ef655cf11ea5dba5e48f7dba969cbda82a48795
Link:
https://www.unpac.me/results/d1cd8bbd-6f46-4e83-810e-43f48c05fb84/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aff301f79ba9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe aff301f79ba9740cc34b6228604901b6209ec7a5f84693f880bec40b52e2c2ac

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2727421/
  
Delivery method
Distributed via web download

Comments