MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba7c4390757db76b95d19ca49efae079a3eac17968a6c352e17f8b2b101e59dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	ba7c4390757db76b95d19ca49efae079a3eac17968a6c352e17f8b2b101e59dc
SHA3-384 hash:	dbbe4e74c32cface57769fdf1d6950fe3c4405b41640131d8a2495f4f76584533c88e5bbc5952c4fbc93b3b9406de376
SHA1 hash:	7c51bab7b281eb69584cc5d1fc14976501e63b02
MD5 hash:	e5816c103dd3ecf193121e32ddd284eb
humanhash:	september-maine-pennsylvania-quebec
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'002'496 bytes
First seen:	2023-10-16 03:10:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:1yOtm7/nx8J+DQSzuWbBCF1I4OMG6JQLm:QRLx8QDRzuYylGUQ
TLSH	T147251202FBDD9976DCB9277088F542931B363CB15C38626B2B4A98491873BC4AC7177B
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://77.91.68.249/navi/kur90.exe

Intelligence

File Origin

# of uploads :

# of downloads :

368

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-10-16 03:14:07 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/7ec7a348-eeb6-4e37-8eab-1d1597e84d7b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/454658/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a service

Creating a file

Modifying a system executable file

Delayed writing of the file

Launching a process

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Blocking the Windows Defender launch

Disabling the operating system update service

Infecting executable files

Unauthorized injection to a system process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32

Link:

https://www.filescan.io/uploads/652ca9c6d9aa13270183fe56/reports/c7967cdd-b62c-42d3-a120-e247f95b625b/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/ba7c4390757db76b95d19ca49efae079a3eac17968a6c352e17f8b2b101e59dc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/23a40ebb-bfc8-4f8c-ad19-feed79833ef8

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ba7c4390757db76b95d19ca49efae079a3eac17968a6c352e17f8b2b101e59dc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ba7c4390757db76b95d19ca49efae079a3eac17968a6c352e17f8b2b101e59dc/

Threat name:

Win32.Trojan.Whispergate

Status:

Malicious

First seen:

2023-10-16 03:11:05 UTC

File Type:

PE (Exe)

Extracted files:

151

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xj6ehedvpw3wxfortssj56xapgr6vqlznctmguxbp6fswea6lhoa._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:@ytlogsbot botnet:breha botnet:kukish botnet:pixelscloud2.0 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan

Link:

https://tria.ge/reports/231016-dpk7wade29/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Creates scheduled task(s)

Enumerates system info in registry

Kills process with taskkill

Modifies data under HKEY_USERS

Modifies system certificate store

Enumerates physical storage devices

Program crash

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Manipulates WinMonFS driver.

Maps connected drives based on registry

.NET Reactor proctector

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Windows security modification

Downloads MZ/PE file

Looks for VMWare Tools registry key

Modifies Windows Firewall

Looks for VirtualBox Guest Additions in registry

DcRat

Glupteba

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

Malware Config

C2 Extraction:

77.91.124.55:19071
http://77.91.68.29/fks/
85.209.176.128:80
185.216.70.238:37515

Unpacked files

SH256 hash:

5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

MD5 hash:

53e28e07671d832a65fbfe3aa38b6678

SHA1 hash:

6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

Link:

https://www.unpac.me/results/760bcd37-b6f0-4cd3-bd37-5126dcb904af/

SH256 hash:

8626e4d70c40ca7c21bd00f88433ebb3ac18f28f19c1dabfa95ccf0fdc81e11b

MD5 hash:

82a821b19e683abb373d2bf019d710cc

SHA1 hash:

0364df58d2a87b6008ec53f4ec2e3450ffdcbd91

Link:

https://www.unpac.me/results/760bcd37-b6f0-4cd3-bd37-5126dcb904af/

SH256 hash:

90f765cbe5959bbbea898c7739ebb92b938030861302273e92f9d1d9422dcfa1

MD5 hash:

31f5a16570945ad71b705e029bf70523

SHA1 hash:

028c5f2f8de305a682baac7a15acc0ea3e47af3f

Link:

https://www.unpac.me/results/760bcd37-b6f0-4cd3-bd37-5126dcb904af/

SH256 hash:

bf567d793d9003ebe1a1a4c3f6f1722f96ceb3c91fcee6f8f48868b84585f497

MD5 hash:

362e77451829e7a3d61681bf62c2a5fa

SHA1 hash:

e706893da3a9b023723fcccf6539379b4deb3076

Link:

https://www.unpac.me/results/760bcd37-b6f0-4cd3-bd37-5126dcb904af/

SH256 hash:

d8afffdad6de607872739974dfd124daf70cbdb2c1a125b02be2dbb04bd55f59

MD5 hash:

1988215cab0c892f148cfa39313e8aff

SHA1 hash:

43a3919a1d0a11a266b764f27213a4c5f54d889d

Link:

https://www.unpac.me/results/760bcd37-b6f0-4cd3-bd37-5126dcb904af/

SH256 hash:

e4b578f4d40bcaa2e34b6510818cfb023b50f53c039921cb047b22bf3f1737c2

MD5 hash:

378b7d606563d6081fe5715d7018a21c

SHA1 hash:

e58ede39fbaa24e08b3a4cf233db76e0f81018a6

Link:

https://www.unpac.me/results/760bcd37-b6f0-4cd3-bd37-5126dcb904af/

SH256 hash:

ba7c4390757db76b95d19ca49efae079a3eac17968a6c352e17f8b2b101e59dc

MD5 hash:

e5816c103dd3ecf193121e32ddd284eb

SHA1 hash:

7c51bab7b281eb69584cc5d1fc14976501e63b02

Link:

https://www.unpac.me/results/760bcd37-b6f0-4cd3-bd37-5126dcb904af/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ba7c4390757db76b95d19ca49efae079a3eac17968a6c352e17f8b2b101e59dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Author:	qux
Description:	Detects exe does not have import table

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/454658/

URLhaus

https://urlhaus.abuse.ch/url/2715539/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample