MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5
SHA3-384 hash: dbbd419c440bb501280e4b196a006490c76b9d3322ff57f2c8179cc66f992e8e63cea300b3ebc39ecebf4acef4c6aa78
SHA1 hash: de26cd5bafec9961499cc3447e5cdcca9d6d6dd3
MD5 hash: 264e03f2c4b3c9b812f440fe60bf15c6
humanhash: single-comet-london-item
File name:264e03f2c4b3c9b812f440fe60bf15c6
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:760'832 bytes
First seen:2023-09-10 14:26:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:vMrmy90XzIxWZFj5tj5hV1yNqfEwWpORnyU+8d9KGOZUZ:RyEUI9tj5r18qOSnyU+IOU
Threatray 2'891 similar samples on MalwareBazaar
TLSH T1EFF41223DBCC59B6D9B61B309CFB02971B317E918D74532B2789AD5E0CB1A806272737
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
264e03f2c4b3c9b812f440fe60bf15c6
Verdict:
Suspicious activity
Analysis date:
2023-09-10 14:29:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/92848e82-6930-417b-bc58-d7fbc454844a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447737/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a service
Creating a file
Forced shutdown of a system process
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack CAB control explorer greyware installer installer lolbin lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/64fdd237a2b9c745b28de292/reports/4e37039b-6e53-4e30-a9d4-97376df6d660/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5652549e-3f4e-4e7b-92ee-4aa58ba4b786
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306871
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306871 Sample: p6A3tdPbDl.exe Startdate: 10/09/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 8 other signatures 2->72 9 p6A3tdPbDl.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 file4 50 C:\Users\user\AppData\Local\...\x7585153.exe, PE32 9->50 dropped 52 C:\Users\user\AppData\Local\...\k2188875.exe, PE32 9->52 dropped 16 x7585153.exe 1 4 9->16         started        process5 file6 42 C:\Users\user\AppData\Local\...\x8100774.exe, PE32 16->42 dropped 44 C:\Users\user\AppData\Local\...\j4171249.exe, PE32 16->44 dropped 58 Antivirus detection for dropped file 16->58 60 Machine Learning detection for dropped file 16->60 20 x8100774.exe 1 4 16->20         started        24 j4171249.exe 13 16->24         started        signatures7 process8 dnsIp9 46 C:\Users\user\AppData\Local\...\i2341115.exe, PE32 20->46 dropped 48 C:\Users\user\AppData\Local\...\g9569753.exe, PE32 20->48 dropped 74 Antivirus detection for dropped file 20->74 76 Machine Learning detection for dropped file 20->76 27 g9569753.exe 1 20->27         started        30 i2341115.exe 4 20->30         started        54 5.42.92.211, 49735, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 24->54 file10 signatures11 process12 dnsIp13 78 Contains functionality to inject code into remote processes 27->78 80 Writes to foreign memory regions 27->80 82 Allocates memory in foreign processes 27->82 84 Injects a PE file into a foreign processes 27->84 33 AppLaunch.exe 9 1 27->33         started        36 WerFault.exe 23 9 27->36         started        38 conhost.exe 27->38         started        40 2 other processes 27->40 56 77.91.124.82, 19071, 49731 ECOTEL-ASRU Russian Federation 30->56 86 Antivirus detection for dropped file 30->86 88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->88 90 Machine Learning detection for dropped file 30->90 92 2 other signatures 30->92 signatures14 process15 signatures16 62 Disable Windows Defender notifications (registry) 33->62 64 Disable Windows Defender real time protection (registry) 33->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5/
Threat name:
Win32.Trojan.Plugx
Create hunting rule
Status:
Malicious
First seen:
2023-09-10 14:27:06 UTC
File Type:
PE (Exe)
Extracted files:
117
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2a7uqpeexkh6yhmewfqmsdd33xy3poes3vqazimp32u624qfv6sq._file
Verdict:
malicious
Similar samples:
01bda45f92bdaf75de7f809024177c873d12b133bb70ee1bec243ab7d3e9e3d7
RedLineStealer
0a458d8affc7f401e1c3b2ad52d0eb135dfab6c4a8e79c3d307c4145b184b239
RedLineStealer
553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043de
RedLineStealer
6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7
RedLineStealer
752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983
RedLineStealer
845321e0072b6a37c502b6f5992d8e750ac254c3b09c9e55874722fae5ba87d4
RedLineStealer
8df6ff949de778a20deb98bd90e21d9e9449045b73f75cd62c051957997882bb
RedLineStealer
9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
RedLineStealer
a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d
RedLineStealer
cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
RedLineStealer
+ 2'881 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:healer family:redline botnet:virad dropper evasion infostealer persistence trojan
Link:
https://tria.ge/reports/230910-rseq6ahg7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
77.91.124.82:19071
Unpacked files
SH256 hash:
dbaf00646b7630bb7939d82ceacbb65f270d9eccb62927e66590b63e855f1e84
MD5 hash:
62ed4a23765dc876563ca4ec96a06596
SHA1 hash:
e5fcea229bfb10f19524dbedf8377bff123a382c
Link:
https://www.unpac.me/results/4474e38c-4432-415e-9840-1394d2fcb682/
SH256 hash:
675a03a83a6667cdd454f3523fd06da16ed6f8da89181ec08f5701faaab7457d
MD5 hash:
f9e5b02e5739cc922cbb6876c73f8223
SHA1 hash:
33fdd7047963bfc7f332521f89664c9384c8fa9b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/4474e38c-4432-415e-9840-1394d2fcb682/
Parent samples :
9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5
SH256 hash:
3fc0e858430c000567660879849bb8ea3c3ed18437e20c5528dd706bbb1faa73
MD5 hash:
cb4bdfd54068ef5bfbde57d9805543c8
SHA1 hash:
7cf0f0a8b143b681f7dd1025987339629d812845
Link:
https://www.unpac.me/results/4474e38c-4432-415e-9840-1394d2fcb682/
SH256 hash:
4d5e1651c14a81f95c958e8c8615cefc8fa177150a06bd5bd4a17cb21437a9c9
MD5 hash:
a46a89d154b40403f8cf26dae7eed026
SHA1 hash:
0308c239d44438e733e2f9bf4dfa74e6ac9525ce
Link:
https://www.unpac.me/results/4474e38c-4432-415e-9840-1394d2fcb682/
SH256 hash:
d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5
MD5 hash:
264e03f2c4b3c9b812f440fe60bf15c6
SHA1 hash:
de26cd5bafec9961499cc3447e5cdcca9d6d6dd3
Link:
https://www.unpac.me/results/4474e38c-4432-415e-9840-1394d2fcb682/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d03f483c84ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:mal_healer
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:Payload disabling Windows AV
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447737/

Comments


Avatar
zbet commented on 2023-09-10 14:26:55 UTC

url : hxxp://77.91.124.231/new/foto3450.exe