MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b
SHA3-384 hash: b1bfdcd76c190a4d765e33cb04b4d0a55815026d93af11446bdaacc1ac876b4e582454ed2c710c8f2df72fe7a3d98ac4
SHA1 hash: 60f1f567faffa6a38fa482ea4483255827ec06d5
MD5 hash: ab31ce3d8435d9d31eb80309924c56a9
humanhash: bakerloo-asparagus-jupiter-salami
File name:ab31ce3d8435d9d31eb80309924c56a9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:811'520 bytes
First seen:2024-02-03 18:00:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7515ecf8c0dfa4d230ad835fe0acb57f (18 x Amadey, 4 x RedLineStealer, 2 x RiseProStealer)
ssdeep 12288:2BghBmftb1V6Lnmo7YNQN2YcKify3iHPuXBY7CHW6+gjfOoNb9up:2Bscftb+LnvwQgsiK3zXBon9iZNA
Threatray 210 similar samples on MalwareBazaar
TLSH T1150533B25777D248C678FAF9AC5111CC7AA8397A690ECE0F348F155C09346AEDF06B12
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
92.222.212.74:1450

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b.exe
Verdict:
Malicious activity
Analysis date:
2024-02-03 18:00:57 UTC
Tags:
amadey botnet stealer redline loader
Link:
https://app.any.run/tasks/2ef678c7-b606-44b1-8fcd-64c7225efebe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/474402/
Detection(s):
PUA.Win.Packer.EnigmaProtector-12
Create hunting rule

PUA.Win.Packer.EnigmaProtector-5
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Win.Trojan.Scar-6903585-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm enigma lolbin obfuscated packed packed shell32
Link:
https://www.filescan.io/uploads/65be7f617251d2ad7dc785b2/reports/15ba021c-be91-4644-9dff-9b4919ba685a/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3533246b-145d-48ad-95e6-f4ea6574e35b
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386163
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1386163 Sample: PRAir7ZLGj.exe Startdate: 03/02/2024 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Antivirus detection for URL or domain 2->55 57 11 other signatures 2->57 8 PRAir7ZLGj.exe 1 5 2->8         started        12 explorhe.exe 2->12         started        14 explorhe.exe 2->14         started        16 3 other processes 2->16 process3 file4 43 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 8->43 dropped 81 Detected unpacking (changes PE section rights) 8->81 83 Hides threads from debuggers 8->83 85 Contains functionality to detect sleep reduction / modifications 8->85 18 explorhe.exe 22 8->18         started        signatures5 process6 dnsIp7 45 185.215.113.68, 49729, 49730, 49732 WHOLESALECONNECTIONSNL Portugal 18->45 47 193.233.132.167, 49731, 49976, 80 FREE-NET-ASFREEnetEU Russian Federation 18->47 35 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 18->35 dropped 37 C:\Users\user\AppData\Local\Temp\...\1.exe, PE32 18->37 dropped 39 C:\Users\user\AppData\Local\Temp\...\1.exe, PE32 18->39 dropped 41 2 other malicious files 18->41 dropped 59 Antivirus detection for dropped file 18->59 61 Multi AV Scanner detection for dropped file 18->61 63 Detected unpacking (changes PE section rights) 18->63 65 5 other signatures 18->65 23 1.exe 5 4 18->23         started        27 1.exe 18->27         started        29 rundll32.exe 12 18->29         started        31 schtasks.exe 1 18->31         started        file8 signatures9 process10 dnsIp11 49 92.222.212.74, 1450, 49735, 49978 OVHFR France 23->49 67 Multi AV Scanner detection for dropped file 23->67 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->69 71 Machine Learning detection for dropped file 23->71 73 Found many strings related to Crypto-Wallets (likely being stolen) 23->73 75 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->75 77 Tries to harvest and steal browser information (history, passwords, etc) 27->77 79 System process connects to network (likely due to code injection or exploit) 29->79 33 conhost.exe 31->33         started        signatures12 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-02-03 18:01:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2t5y2ws2ngxxk4k2ajpfcydiexspc7fj76rgjf4ykpyiu2e3qz5q._file
Verdict:
malicious
Similar samples:
36b5114f8d3e120537f0410c4e706133442ac35364a52f6fb59d2a563862d721
RedLineStealer
5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608
RedLineStealer
68e4ec5353ebf39650fef8827957802e36a0f2617838bf57d3eebc9bb9a8df61
RedLineStealer
82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f
RedLineStealer
977beed7b160040412c8422f67dfcab9d3dc5878c22f07b75ffe032d5fbee00c
RedLineStealer
cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea
RedLineStealer
cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e
RedLineStealer
e63ca1fab4f451d24f0844b9183ae69de3fef8022c36a38f116cdd094ee1a746
RedLineStealer
fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
RedLineStealer
+ 200 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:privateloader family:redline family:risepro family:xmrig botnet:@oni912 botnet:@pixelscloud botnet:livetrafic collection discovery evasion infostealer loader miner persistence ransomware stealer trojan upx
Link:
https://tria.ge/reports/240203-wlvw1shebr/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
.NET Reactor proctector
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
UPX packed file
Creates new service(s)
Downloads MZ/PE file
Modifies Installed Components in the registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Djvu Ransomware
PrivateLoader
RedLine
RedLine payload
RisePro
xmrig
Malware Config
C2 Extraction:
http://185.215.113.68
193.233.132.62:50500
94.156.67.230:13781
20.79.30.95:33223
http://193.233.132.167
45.15.156.209:40481
Unpacked files
SH256 hash:
d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b
MD5 hash:
ab31ce3d8435d9d31eb80309924c56a9
SHA1 hash:
60f1f567faffa6a38fa482ea4483255827ec06d5
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/74f16018-dd18-4e5f-a849-2a040a9b0115/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4fb8d5a5a69/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EnigmaProtector1XSukhovVladimirSergeNMarkin
Create hunting rule
Author:malware-lu
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_bytecodes_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2751874/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/474402/

Comments