MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a
SHA3-384 hash: 91df1f6d415ed0ba23d568fe4330a56f614df1548660122c39fbb75eefbd5f970b6dce39f2a516f8a01a6a524f0cf12e
SHA1 hash: aafb9168ed62dc2ebeeb8428c3a39a6525142f6c
MD5 hash: 15f57d45fe2a1e8da248cf9b3723d775
humanhash: eighteen-black-utah-zebra
File name:15f57d45fe2a1e8da248cf9b3723d775.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:240'640 bytes
First seen:2022-12-23 15:05:34 UTC
Last seen:2022-12-25 05:19:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dd0e4efabc62274a7cfb37b4b7a2951d (17 x Amadey, 5 x RedLineStealer, 1 x Stop)
ssdeep 6144:okwjBO99g6779r0psUhmiIuVyD2NgOJgN:VTrOh2uVyCN3S
Threatray 3'459 similar samples on MalwareBazaar
TLSH T1F03409217916C031C56061B729B9BFF2C19DA8259BB049DB7B800F7BDA122F67970E3D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://62.204.41.182/g9TTnd3bS/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
15f57d45fe2a1e8da248cf9b3723d775.exe
Verdict:
Malicious activity
Analysis date:
2022-12-23 15:08:09 UTC
Tags:
trojan amadey opendir loader rat redline stealer remcos keylogger
Link:
https://app.any.run/tasks/257c5b6b-5894-44eb-a28a-861672690ddf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Doina.45665.15855.13100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Creating a window
Searching for the window
Launching cmd.exe command interpreter
Creating a file
Creating a file in the %AppData% subdirectories
Adding an access-denied ACE
Searching for analyzing tools
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/63a5c3dccd05a9f1899d99f6/reports/306db1c9-f996-4a48-af2f-d45e78dc6756/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43df0ee0-2304-4610-9231-88976f014718
Result
Threat name:
Amadey, Raccoon Stealer v2, RedLine, Rem
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140072
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected Remcos RAT
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 772802 Sample: zbvsZwaPi0.exe Startdate: 23/12/2022 Architecture: WINDOWS Score: 100 151 44software.org 2->151 179 Snort IDS alert for network traffic 2->179 181 Multi AV Scanner detection for domain / URL 2->181 183 Malicious sample detected (through community Yara rule) 2->183 185 20 other signatures 2->185 12 zbvsZwaPi0.exe 4 2->12         started        16 nbveek.exe 2->16         started        18 WinComService.exe 2->18         started        20 nbveek.exe 2->20         started        signatures3 process4 file5 147 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 12->147 dropped 149 C:\Users\user\...\nbveek.exe:Zone.Identifier, ASCII 12->149 dropped 249 Contains functionality to inject code into remote processes 12->249 22 nbveek.exe 2 37 12->22         started        signatures6 process7 dnsIp8 159 62.204.41.182, 49695, 49696, 49698 TNNET-ASTNNetOyMainnetworkFI United Kingdom 22->159 161 62.204.41.13, 49703, 80 TNNET-ASTNNetOyMainnetworkFI United Kingdom 22->161 163 6 other IPs or domains 22->163 119 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32 22->119 dropped 121 C:\Users\user\AppData\Local\...\daemon.exe, PE32 22->121 dropped 123 C:\Users\user\AppData\Local\...\7s96f.exe, PE32 22->123 dropped 125 12 other malicious files 22->125 dropped 215 Creates an undocumented autostart registry key 22->215 217 Creates multiple autostart registry keys 22->217 219 Uses schtasks.exe or at.exe to add and modify task schedules 22->219 27 bin.exe 3 22->27         started        31 daemon.exe 22->31         started        34 build.exe 22->34         started        36 6 other processes 22->36 file9 signatures10 process11 dnsIp12 135 C:\Users\user\AppData\...\WinComService.exe, PE32 27->135 dropped 227 Multi AV Scanner detection for dropped file 27->227 229 Machine Learning detection for dropped file 27->229 38 WinComService.exe 1 24 27->38         started        171 179.43.142.85 PLI-ASCH Panama 31->171 137 C:\Users\user\AppData\Local\...\n6Sl6Bs7.exe, PE32+ 31->137 dropped 139 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 31->139 dropped 141 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 31->141 dropped 145 5 other files (3 malicious) 31->145 dropped 231 Antivirus detection for dropped file 31->231 233 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->233 235 Tries to harvest and steal browser information (history, passwords, etc) 31->235 243 4 other signatures 31->243 43 explorer.exe 34->43 injected 173 138.124.180.186 NOKIA-ASFI Norway 36->173 175 31.41.244.198 AEROEXPRESS-ASRU Russian Federation 36->175 177 192.168.2.4, 443, 49690, 49695 unknown unknown 36->177 143 C:\Users\user\AppData\Local\...\JZX7sKF.cVP, PE32 36->143 dropped 237 System process connects to network (likely due to code injection or exploit) 36->237 239 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->239 241 Tries to steal Instant Messenger accounts or passwords 36->241 245 2 other signatures 36->245 45 conhost.exe 36->45         started        47 regsvr32.exe 36->47         started        49 conhost.exe 36->49         started        file13 signatures14 process15 dnsIp16 165 193.42.33.28, 49707, 49709, 49715 EENET-ASEE Germany 38->165 167 80.76.51.173, 49712, 80 CLOUDCOMPUTINGDE Bulgaria 38->167 169 2 other IPs or domains 38->169 127 C:\Users\user\AppData\Roaming\...\agent.exe, PE32 38->127 dropped 129 C:\Users\user\AppData\Roaming\...\bd.exe, PE32 38->129 dropped 131 C:\Users\user\AppData\...\system32.exe, PE32 38->131 dropped 133 3 other malicious files 38->133 dropped 221 Multi AV Scanner detection for dropped file 38->221 223 Creates HTML files with .exe extension (expired dropper behavior) 38->223 225 Creates multiple autostart registry keys 38->225 51 system32.exe 38->51         started        56 bd.exe 38->56         started        58 agent.exe 38->58         started        66 2 other processes 38->66 60 lkjhg.exe 43->60         started        62 agent.exe 43->62         started        64 linda5.exe 43->64         started        68 3 other processes 43->68 file17 signatures18 process19 dnsIp20 153 193.218.201.186 ISABELIsabelGroupBE United Kingdom 51->153 155 106.52.15.123 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa China 51->155 157 47.93.60.63 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 51->157 105 C:\windowss64\computer.exe, PE32 51->105 dropped 107 C:\Users\user\AppData\...\exploror[1].exe, PE32 51->107 dropped 187 Creates multiple autostart registry keys 51->187 189 Drops executables to the windows directory (C:\Windows) and starts them 51->189 211 2 other signatures 51->211 70 computer.exe 51->70         started        74 cmd.exe 51->74         started        109 C:\Users\user\AppData\...\nsis_uns645155.dll, PE32+ 56->109 dropped 191 Query firmware table information (likely to detect VMs) 56->191 193 Tries to detect sandboxes and other dynamic analysis tools (window names) 56->193 195 Tries to delay execution (extensive OutputDebugStringW loop) 56->195 197 Tries to detect sandboxes / dynamic malware analysis system (registry check) 56->197 111 C:\ProgramData\sdfghjk\lkjhg.exe, PE32 58->111 dropped 76 cmd.exe 58->76         started        78 wscript.exe 58->78         started        199 Antivirus detection for dropped file 60->199 201 Multi AV Scanner detection for dropped file 60->201 203 Machine Learning detection for dropped file 60->203 80 cmd.exe 60->80         started        82 iexplore.exe 60->82         started        205 Writes to foreign memory regions 62->205 207 Maps a DLL or memory area into another process 62->207 86 2 other processes 62->86 84 regsvr32.exe 64->84         started        209 Uses cmd line tools excessively to alter registry or file data 66->209 88 8 other processes 66->88 file21 signatures22 process23 file24 113 C:\Users\user\...\._cache_computer.exe, PE32 70->113 dropped 115 C:\ProgramData\Synaptics\Synaptics.exe, PE32 70->115 dropped 117 C:\ProgramData\Synaptics\RCX6634.tmp, PE32 70->117 dropped 213 Multi AV Scanner detection for dropped file 70->213 90 conhost.exe 74->90         started        92 reg.exe 76->92         started        95 conhost.exe 76->95         started        97 conhost.exe 80->97         started        99 reg.exe 80->99         started        101 conhost.exe 86->101         started        103 reg.exe 86->103         started        signatures25 process26 signatures27 247 Disables UAC (registry) 92->247
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-12-23 15:06:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xrzztcdedefjkyvbc7a6iwd4yoo6dpaqc6zwt5fkbrzwzu43gu5a._file
Verdict:
malicious
Similar samples:
09eb79c073a41109d90d5bf4a1c461ca74e80b1facc141a76a44983d8d64918a
RedLineStealer
0b0ce705253e2b6da3bb808b4a51aa1b849d2fe8181c72b10a44527b379e6359
RedLineStealer
1486f8972308128a65b1ace2fcaa4b84e19895c16417c9a1161e57cff7f6487a
RedLineStealer
3d52e472dccb590859f2b385e06076096357f1b9521ef9c01935d8dbcea513a0
RedLineStealer
660d9b301036507db4e0422d486d8ed5a19d6626308f98f7697492df4a161194
RedLineStealer
97406ce4e2f14cee1e32d3bcd082878a106d34e179e7ab9bc04aa92e424e72bc
RedLineStealer
9b5569c70506b827fe1e38b2477e7134b8642c5f0e2dffb39699daa1eecebb32
RedLineStealer
d82c09076d5daee0cf72c69e92658f798b74ed4ac505ac144bd68823b240f233
RedLineStealer
f42d98e5fb7292bfc67fda6bb43bed2a33ad76e0b9f45fe78e1f29e716cf1666
RedLineStealer
fb8592116149c09a733fb220937d1b482f2f656112a7f90176b066fe3c75fa13
RedLineStealer
+ 3'449 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:redline family:remcos family:rhadamanthys family:smokeloader botnet:12-22-22 botnet:installs botnet:installs1 botnet:installs2 botnet:post botnet:trud backdoor bootkit collection discovery evasion infostealer persistence ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/221223-sgq6gsbg7x/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Interacts with shadow copies
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
DcRat
Detect Amadey credential stealer module
Detect rhadamanthys stealer shellcode
Detects Smokeloader packer
RedLine
RedLine payload
Remcos
Rhadamanthys
SmokeLoader
UAC bypass
Malware Config
C2 Extraction:
62.204.41.182/g9TTnd3bS/index.php
193.42.33.28/game0ver/index.php
31.41.244.198:4083
138.124.180.186:39614
194.180.48.225:1024
89.23.96.2:7253
Dropper Extraction:
https://cdn.discordapp.com/attachments/1049569242455998544/1049862157858242560/string4633.err
https://cdn.discordapp.com/attachments/1049569242455998544/1049862157594021948/string792.err
Unpacked files
SH256 hash:
bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a
MD5 hash:
15f57d45fe2a1e8da248cf9b3723d775
SHA1 hash:
aafb9168ed62dc2ebeeb8428c3a39a6525142f6c
Link:
https://www.unpac.me/results/6548515e-2a71-4c72-90d8-ae99b2c76631/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc7399886419/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2482938/
  
Delivery method
Distributed via web download

Comments