MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba6f1f7315c383583acb3caf2f7a74c89d3977cbf5ee19bb8bcc1a1455dc9317. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

SHA256 hash: ba6f1f7315c383583acb3caf2f7a74c89d3977cbf5ee19bb8bcc1a1455dc9317
SHA3-384 hash: 2cd87eb367176ef545bb4a06f9778d07796784d8caa5ba281ff3f43c87fd8c0048ab256167487e99a7b28ed583d84c87
SHA1 hash: edaaa8fb82e0aeb17e75a6b2d151433cc03751fd
MD5 hash: 10ea41fd11c557045c27e5c2c6c2e7ba
humanhash: purple-minnesota-october-fillet
File name: file
Signature: RedLineStealer
File size: 675'840 bytes
First seen: 2023-02-04 01:05:23 UTC
Last seen: 2023-02-04 01:15:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 12288:0G7Fy909rmBsLOCgFSiYBwwSP43mjc+I3/VWPbajAw3TJDuQTJyNiwF/NJi5LTg8:fyirmYOCw1YMg3m+/VS+p35BdGF/sLF
TLSH: T1D7E41353EAD88132D9B55BB018F612870E35FCE2ADB087BB1715649E4C73580FA74B2B
TrID: 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: andretavare5
Tags: exe RedLineStealer


Comment by andretavare5:
Sample downloaded from http://62.204.41.248/li/flow.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 199
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-02-04 01:08:28 UTC
Tags: trojan rat redline amadey loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: No Threat
Threat level: 2/10
Confidence: 60%
Tags: advpack.dll anti-vm packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, RHADAMANTHYS, RedLine
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID 798380; sample: file.exe; start date: 04/02/2023; architecture: WINDOWS; score: 100)

Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 17 other signatures.

Process tree as recovered from the graph (dropped files, network destinations and per-process signatures; "..." path components are as shown on the page):

file.exe
  drops: C:\Users\user\AppData\Local\Temp\...\ziam.exe (PE32); C:\Users\user\AppData\Local\Temp\...\hank.exe (PE32)
  ziam.exe
    drops: C:\Users\user\AppData\Local\Temp\...\dona.exe (PE32); C:\Users\user\AppData\Local\Temp\...\ani.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    dona.exe
      drops: C:\Users\user\AppData\Local\...\mnolyk.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      mnolyk.exe
        network: 62.204.41.5 (ports 49698, 49699, 49701) and 62.204.41.248 (ports 49700, 49702, 49704), TNNET-ASTNNetOyMainnetworkFI, United Kingdom
        drops: C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\lebro.exe (PE32); C:\Users\user\AppData\Local\Temp\...\gona.exe (PE32); 5 other malicious files
        signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
        lebro.exe
          drops: C:\Users\user\AppData\Local\...\nbveek.exe (PE32)
          signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          nbveek.exe
            network: 62.204.41.88 (ports 49719, 49720, 49726), TNNET-ASTNNetOyMainnetworkFI, United Kingdom
            drops: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\...\lightfileredline.exe (PE32); 3 other malicious files
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            lightfileredline.exe
              signatures: Detected unpacking (creates a PE file in dynamic memory); Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
              dllhost.exe
                signatures: Tries to harvest and steal browser information (history, passwords, etc)
            rundll32.exe
              rundll32.exe
                network: 192.168.2.1 (unknown)
                signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal ftp login credentials
                tar.exe
                  conhost.exe
            cmd.exe
              conhost.exe; cmd.exe; cacls.exe; 4 other processes
            2 other processes
              conhost.exe
        nika.exe
          signatures: Disable Windows Defender notifications (registry); Disable Windows Defender real time protection (registry)
        gona.exe
          signatures: Antivirus detection for dropped file
        3 other processes
          conhost.exe; conhost.exe; cmd.exe; 5 other processes
    ani.exe
      network: 82.115.223.9 (ports 15486, 50213), MIDNET-ASTK-TelecomRU, Russian Federation
      signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
  hank.exe
    drops: C:\Users\user\AppData\Local\...\repka.exe (PE32); C:\Users\user\AppData\Local\...\redko.exe (PE32)
    repka.exe
      drops: C:\Users\user\AppData\Local\...\repka.exe.log (ASCII)
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Crypto Currency Wallets
    redko.exe
      network: 62.204.41.170 (ports 4179, 49696, 49697), TNNET-ASTNNetOyMainnetworkFI, United Kingdom
rundll32.exe (started at top level)
rundll32.exe (started at top level)
5 other processes (started at top level)
Threat name: ByteCode-MSIL.Trojan.RedLine
Status: Malicious
First seen: 2023-02-04 01:06:08 UTC
File Type: PE (Exe)
Extracted files: 122
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:amadey family:redline botnet:flow! botnet:gonka botnet:redko botnet:temposs6678 bootkit discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
62.204.41.170:4179
62.204.41.5/Bu58Ngs/index.php
62.204.41.88/9vdVVVjsw/index.php
82.115.223.9:15486
45.66.230.190:28356
Unpacked files
SHA256 hash: ed17ed7eebabe13474c25f17b5da7bd55dda0bf1c378a5dfd4eec86f4b691c2b
MD5 hash: 4c2e09312bca6ad7592ddcd82cd69966
SHA1 hash: 0cbd1236ddeb3ac552360fbe126e08e46657ec15

SHA256 hash: ba6f1f7315c383583acb3caf2f7a74c89d3977cbf5ee19bb8bcc1a1455dc9317
MD5 hash: 10ea41fd11c557045c27e5c2c6c2e7ba
SHA1 hash: edaaa8fb82e0aeb17e75a6b2d151433cc03751fd
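The identifiers on this page (the sample and unpacked-file hashes in the Database Entry and Unpacked files blocks, the C2 Extraction list above, and the download URL in the reporter's comment) are what a defender actually consumes. The script below is an added example, not MalwareBazaar's code nor anything from the reporter or the sandbox vendors: it turns those values into IOC sets, distinguishing the two shapes in the C2 list (ip:port socket C2s versus ip/path HTTP panels; the entry does not say which family each belongs to, so the script keys only on the shape), and matches them against log lines. The log lines, the host name WS-042, the internal addresses 10.0.3.17 and 10.0.0.5, and the field layouts are all constructed for the demo.

```python
"""IOC matcher built from the identifiers in this MalwareBazaar entry.

Added example, not MalwareBazaar's or the reporter's code. IOC values are
copied from the entry above; every log line, host name and field layout
below is constructed for the demo.
"""
import re

# File hashes of the submitted sample (Database Entry block).
SAMPLE_HASHES = {
    "md5": "10ea41fd11c557045c27e5c2c6c2e7ba",
    "sha1": "edaaa8fb82e0aeb17e75a6b2d151433cc03751fd",
    "sha256": "ba6f1f7315c383583acb3caf2f7a74c89d3977cbf5ee19bb8bcc1a1455dc9317",
}
# SHA256 of the first file listed under "Unpacked files".
UNPACKED_SHA256 = "ed17ed7eebabe13474c25f17b5da7bd55dda0bf1c378a5dfd4eec86f4b691c2b"
# C2 Extraction list, verbatim. "ip:port" entries are raw-socket C2s,
# "ip/path" entries are HTTP panels; the entry does not map them to families.
C2_ENTRIES = [
    "62.204.41.170:4179",
    "62.204.41.5/Bu58Ngs/index.php",
    "62.204.41.88/9vdVVVjsw/index.php",
    "82.115.223.9:15486",
    "45.66.230.190:28356",
]
# Download location from the reporter's comment.
DOWNLOAD_URL = "http://62.204.41.248/li/flow.exe"


def parse_c2(entry):
    """Split a C2 entry into ("socket", host, port) or ("url", host, path)."""
    if "/" in entry:
        host, path = entry.split("/", 1)
        return "url", host, "/" + path
    host, port = entry.rsplit(":", 1)
    return "socket", host, int(port)


def parse_url(url):
    """Return (host, path) of an http(s) URL without touching the network."""
    rest = url.split("://", 1)[1]
    host, _, path = rest.partition("/")
    return host, "/" + path


def build_iocs():
    """Collect hash, socket, URL and bare-host IOC sets from the entry."""
    iocs = {"hash": set(), "socket": set(), "url": set(), "host": set()}
    iocs["hash"].update(h.lower() for h in SAMPLE_HASHES.values())
    iocs["hash"].add(UNPACKED_SHA256)
    for entry in C2_ENTRIES:
        kind, host, rest = parse_c2(entry)
        iocs["host"].add(host)
        iocs[kind].add((host, rest))
    host, path = parse_url(DOWNLOAD_URL)
    iocs["host"].add(host)
    iocs["url"].add((host, path))
    return iocs


HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")                     # md5/sha1/sha256 tokens
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")  # ip:port
URL_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/[^\s\"'<>]*)")   # ip/path
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")                  # bare ip


def scan_line(line, iocs):
    """Return (kind, value) IOC hits found in one log line, most specific first."""
    hits = []
    for token in HEX_RE.findall(line):
        if len(token) in (32, 40, 64) and token.lower() in iocs["hash"]:
            hits.append(("hash", token.lower()))
    for host, port in SOCKET_RE.findall(line):
        if (host, int(port)) in iocs["socket"]:
            hits.append(("socket", f"{host}:{port}"))
    for host, path in URL_RE.findall(line):
        if (host, path) in iocs["url"]:
            hits.append(("url", host + path))
    # A bare C2 address is weaker evidence (ports and paths rotate) but still worth a flag.
    for host in IP_RE.findall(line):
        if host in iocs["host"] and ("host", host) not in hits:
            hits.append(("host", host))
    return hits


def scan_logs(lines, iocs):
    """Return [(line_index, hits)] for every line carrying at least one IOC hit."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results.append((i, hits))
    return results


# Constructed log lines (EDR, proxy and netflow shapes) for the demo.
SAMPLE_LOGS = [
    "2023-02-04T01:09:12Z edr host=WS-042 event=process_create "
    "image=C:\\Users\\user\\AppData\\Local\\Temp\\file.exe "
    "sha256=BA6F1F7315C383583ACB3CAF2F7A74C89D3977CBF5EE19BB8BCC1A1455DC9317",
    "2023-02-04T01:09:40Z proxy src=10.0.3.17 method=POST url=http://62.204.41.5/Bu58Ngs/index.php status=200",
    "2023-02-04T01:10:02Z flow src=10.0.3.17:49696 dst=62.204.41.170:4179 proto=tcp bytes=1842",
    "2023-02-04T01:10:05Z proxy src=10.0.3.17 method=GET url=http://10.0.0.5/index.php status=200",
    "2023-02-04T01:05:01Z proxy src=10.0.3.17 method=GET url=http://62.204.41.248/li/flow.exe status=200",
]

if __name__ == "__main__":
    for lineno, hits in scan_logs(SAMPLE_LOGS, build_iocs()):
        print(f"line {lineno}: " + ", ".join(f"{kind}={value}" for kind, value in hits))
```

Hash matching here covers only the cryptographic hashes; the imphash, ssdeep and TLSH values on this page need the pefile, ssdeep and tlsh libraries respectively and are used for clustering (note the 8'473 RedLineStealer and 4'851 Amadey samples sharing this imphash), not for exact matching. The bare-host rule is deliberately last and lowest confidence: 62.204.41.x is shared infrastructure in this graph, so a host-only hit should drive a lookup, not an automatic block.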
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
