MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b
SHA3-384 hash: 530d0f0a5f62472a743acb203f7f3ede6be5bcf2bdb1f6e7ac8e15add45be8f5a04359c790556d4e77812e42109289da
SHA1 hash: 344d18855274a530aeb83a8f738c44b48cb49287
MD5 hash: 12506feb2e48b0014b8cc83d2e4c6c5d
humanhash: delaware-cup-whiskey-april
File name:12506feb2e48b0014b8cc83d2e4c6c5d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'157'632 bytes
First seen:2023-11-28 23:15:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:kyUSjJi2DSBNRzfYTJaNqbsvJLXyhXGZnLwO:zhJhENaVuqwvJehWZnLw
TLSH T11D35230356ED8473E5756F7058F727B3163A7DE2E5B491972306BC2E6D12A80A0B232F
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
194.49.94.80:29960

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
c7fffbee15d5fb4fafd44c29466adeae
Verdict:
Malicious activity
Analysis date:
2023-11-26 09:03:23 UTC
Tags:
risepro stealer evasion redline
Link:
https://app.any.run/tasks/96019380-cf79-4036-9ead-348cec74996a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461047/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e319680-f6c7-4f81-9028-aa6c60a11ad5
Result
Threat name:
PrivateLoader, RedLine, RisePro Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349595
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1349595 Sample: ktu3ipUZSz.exe Startdate: 29/11/2023 Architecture: WINDOWS Score: 100 66 ipinfo.io 2->66 72 Snort IDS alert for network traffic 2->72 74 Found malware configuration 2->74 76 Antivirus detection for URL or domain 2->76 78 13 other signatures 2->78 10 ktu3ipUZSz.exe 1 4 2->10         started        13 OfficeTrackerNMP131.exe 501 2->13         started        16 OfficeTrackerNMP131.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 file5 56 C:\Users\user\AppData\Local\...\zS3mh13.exe, PE32 10->56 dropped 58 C:\Users\user\AppData\Local\...\3tM26Fj.exe, PE32 10->58 dropped 20 zS3mh13.exe 1 4 10->20         started        94 Multi AV Scanner detection for dropped file 13->94 96 Contains functionality to check for running processes (XOR) 13->96 98 Tries to steal Mail credentials (via file / registry access) 13->98 104 3 other signatures 13->104 24 WerFault.exe 13->24         started        100 Tries to harvest and steal browser information (history, passwords, etc) 16->100 26 WerFault.exe 16->26         started        102 Machine Learning detection for dropped file 18->102 signatures6 process7 file8 52 C:\Users\user\AppData\Local\...\2ve1925.exe, PE32 20->52 dropped 54 C:\Users\user\AppData\Local\...\1dS08HT5.exe, PE32 20->54 dropped 80 Antivirus detection for dropped file 20->80 82 Multi AV Scanner detection for dropped file 20->82 84 Machine Learning detection for dropped file 20->84 28 1dS08HT5.exe 1 503 20->28         started        33 2ve1925.exe 20->33         started        signatures9 process10 dnsIp11 68 194.49.94.152, 19053, 49708, 49710 EQUEST-ASNL unknown 28->68 70 ipinfo.io 34.117.59.81, 443, 49709, 49712 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 28->70 60 C:\Users\user\AppData\...\FANBooster131.exe, PE32 28->60 dropped 62 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 28->62 dropped 64 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 28->64 dropped 106 Multi AV Scanner detection for dropped file 28->106 108 Contains functionality to check for running processes (XOR) 28->108 110 Tries to steal Mail credentials (via file / registry access) 28->110 120 4 other signatures 28->120 35 schtasks.exe 1 28->35         started        37 schtasks.exe 1 28->37         started        39 WerFault.exe 28->39         started        112 Antivirus detection for dropped file 33->112 114 Writes to foreign memory regions 33->114 116 Allocates memory in foreign processes 33->116 118 Injects a PE file into a foreign processes 33->118 41 AppLaunch.exe 33->41         started        44 AppLaunch.exe 33->44         started        46 conhost.exe 33->46         started        file12 signatures13 process14 signatures15 48 conhost.exe 35->48         started        50 conhost.exe 37->50         started        86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->86 88 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 41->88 90 Found many strings related to Crypto-Wallets (likely being stolen) 44->90 92 Tries to harvest and steal browser information (history, passwords, etc) 44->92 process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b/
Threat name:
Win32.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-11-26 09:03:06 UTC
File Type:
PE (Exe)
Extracted files:
75
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ww6zl2wgkbrlfkb42hhh5ov43xjuuey6ahoer4t645pievwxvbvq._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro loader persistence stealer
Link:
https://tria.ge/reports/231128-284qbsdd3w/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Executes dropped EXE
PrivateLoader
RisePro
Malware Config
C2 Extraction:
194.49.94.152
Unpacked files
SH256 hash:
94b596e1eb2cc6484458ca6c16b57381ec0767dbbbc900a98cc1033b016ae9d5
MD5 hash:
1102356f4617283415a9cd11e2b62476
SHA1 hash:
f1719167905d101a1ac8c25c567b8444ae0dcaa4
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/20593c72-438d-409a-99a5-976de667b54a/
Parent samples :
3f3db5abfb02754f3e57374c328736c80664abea892a397018ae5e91257edae0
ab08505aa422514c152884d9348303c29c91c5191a3e77ea146cfc90ea542b92
d11147f3e5a94754d73dabb4007a05d0b0ff304971b2bd43829b48c73ff0ba47
fb715d832dc2ccdd174f5ce2c826609ce79e3091b73d85747a1d42ac6a80169c
fecd07f619fcc202c0c60384c1466762f7452360ad0fa073ef1a90d76f711f04
b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b
b467f4f038aeaabd94eaa3341e578cbd36b1062a50d24098a4edebbe798f4a59
SH256 hash:
8e803708682f2539c7d498d52d7f51b9829fdea27974b68e95095a2338223475
MD5 hash:
39fefaac2ddf4fbb7a222d575038aca1
SHA1 hash:
b0d05309955d4939cf20c478b34cb1a7e1f91296
Link:
https://www.unpac.me/results/20593c72-438d-409a-99a5-976de667b54a/
SH256 hash:
b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b
MD5 hash:
12506feb2e48b0014b8cc83d2e4c6c5d
SHA1 hash:
344d18855274a530aeb83a8f738c44b48cb49287
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/20593c72-438d-409a-99a5-976de667b54a/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5bd95eac650/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5bd95eac65062b2a83cd1ce7ebabcddd34a131e01dc48f27ee75e8256d7a86b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/461047/

Comments