MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs 2 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5
SHA3-384 hash: 6be7b0d9b003d9649f8140265c6604f58b51e14c1c2e0a454e1b00156fb865df058c28726986b04609f0c0984539f497
SHA1 hash: 9333bc5b3f78f0a3cca32e1f6a90af8064bf8a81
MD5 hash: 4d40ebb93aa34bf94d303c07c6a7e5e5
humanhash: nebraska-carpet-summer-bluebird
File name:4d40ebb93aa34bf94d303c07c6a7e5e5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:551'936 bytes
First seen:2024-08-31 20:40:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qOfX3Lh7cnz3M+QnY1UXC0lQkqTJ9k3TBV+zF:nHJcnz3HIC0lmk3TqF
TLSH T13BC47C10EF135E4DDC401332A31677996B97CCA80213CA8E7E4B7A7D7D366E0A2598E7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.215.113.19/CoreOPT/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.215.113.19/CoreOPT/index.php https://threatfox.abuse.ch/ioc/1317664/
185.208.158.139:27667 https://threatfox.abuse.ch/ioc/1318677/

Intelligence

File Origin
# of uploads :
1
# of downloads :
474
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
4aac8eb6ddaa80532f39a15deea7b86989546dfe18c6c1687417c882f0ca022b
Verdict:
Malicious activity
Analysis date:
2024-08-31 16:39:48 UTC
Tags:
amadey botnet stealer payload loader themida zharkbot purecrypter netreactor api-base64 pureminer miner xmrig
Link:
https://app.any.run/tasks/05251106-f5e2-45ae-9657-281abda91411

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
MiscreantPunch.SingleXOR.EXE.202.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66d37fe2a0c486d2f793ca50
Tags:
Generic Static Stealth Dropper
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% directory
Delayed reading of the file
Forced shutdown of a system process
Setting a single autorun event
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/66d37fdf3c4b518fb3a59ed4/reports/8eae4a7f-e4fc-4cd1-921d-2b2181340258/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d138d8d-fd56-4659-8769-891811b83eff
Result
Threat name:
Amadey, RedLine, XWorm, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1502281
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected Stratum mining protocol
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found malware configuration
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Child Process of AspNetCompiler
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PersistenceViaHiddenTask
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1502281 Sample: trSK2fqPeB.exe Startdate: 31/08/2024 Architecture: WINDOWS Score: 100 111 rx.unmineable.com 2->111 113 rx-eu-lon.unminable.com 2->113 115 9 other IPs or domains 2->115 141 Sigma detected: Xmrig 2->141 143 Multi AV Scanner detection for domain / URL 2->143 145 Suricata IDS alerts for network traffic 2->145 147 26 other signatures 2->147 10 trSK2fqPeB.exe 1 4 2->10         started        14 Cerker.exe 11 2->14         started        17 TypeId.exe 2->17         started        19 10 other processes 2->19 signatures3 process4 dnsIp5 93 C:\Users\user\Pictures\Illumination.pif, PE32 10->93 dropped 95 C:\Users\...\Illumination.pif:Zone.Identifier, ASCII 10->95 dropped 169 Creates multiple autostart registry keys 10->169 171 Drops PE files with a suspicious file extension 10->171 173 Writes to foreign memory regions 10->173 21 RegAsm.exe 39 10->21         started        135 exonic-hacks.com 185.216.214.225 SERVERDISCOUNTERserverdiscountercomDE Germany 14->135 137 fusionflow-meta.net 188.114.96.3 CLOUDFLARENETUS European Union 14->137 97 C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe, PE32 14->97 dropped 99 C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, PE32+ 14->99 dropped 101 C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, PE32+ 14->101 dropped 103 2 other malicious files 14->103 dropped 26 FRaqbC8wSA1XvpFVjCRGryWt.exe 14->26         started        28 IIZS2TRqf69aZbLAX3cf3edn.exe 14->28         started        30 ix4A2DreBBsQwY6YHkidcDjo.exe 14->30         started        38 2 other processes 14->38 175 Antivirus detection for dropped file 17->175 177 Multi AV Scanner detection for dropped file 17->177 179 Machine Learning detection for dropped file 17->179 189 2 other signatures 17->189 32 aspnet_compiler.exe 17->32         started        139 127.0.0.1 unknown unknown 19->139 181 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->181 183 Allocates memory in foreign processes 19->183 185 Injects a PE file into a foreign processes 19->185 187 Loading BitLocker PowerShell Module 19->187 34 HM3SOlbpH71yEXUIEAOeIiGX.exe 19->34         started        36 SmLAztxc1o8yfogkJXrRjbDt.exe 19->36         started        40 6 other processes 19->40 file6 signatures7 process8 dnsIp9 119 185.215.113.19, 49732, 49733, 80 WHOLESALECONNECTIONSNL Portugal 21->119 121 2x.si 172.67.143.156 CLOUDFLARENETUS United States 21->121 131 2 other IPs or domains 21->131 81 C:\Users\user\AppData\Local\...\ovrflw.exe, PE32 21->81 dropped 83 C:\Users\user\AppData\Local\...\kitty.exe, PE32 21->83 dropped 85 C:\Users\user\AppData\Local\Temp\...\52i.exe, PE32+ 21->85 dropped 91 3 other malicious files 21->91 dropped 149 Creates HTML files with .exe extension (expired dropper behavior) 21->149 42 kitty.exe 1 3 21->42         started        46 52i.exe 5 21->46         started        48 ovrflw.exe 21->48         started        123 ip-api.com 208.95.112.1 TUT-ASUS United States 26->123 87 C:\Users\user\Windows.exe, PE32 26->87 dropped 151 Antivirus detection for dropped file 26->151 153 Multi AV Scanner detection for dropped file 26->153 155 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->155 165 3 other signatures 26->165 50 schtasks.exe 26->50         started        157 Machine Learning detection for dropped file 28->157 52 cmd.exe 28->52         started        125 185.196.10.120 SIMPLECARRIERCH Switzerland 32->125 127 github.com 140.82.121.4 GITHUBUS United States 32->127 129 objects.githubusercontent.com 185.199.110.133 FASTLYUS Netherlands 32->129 89 C:\Users\user\AppData\...\xzzrvckwuia.exe, PE32 32->89 dropped 159 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->159 161 Found strings related to Crypto-Mining 32->161 163 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 32->163 167 3 other signatures 32->167 54 xzzrvckwuia.exe 32->54         started        56 AddInProcess.exe 32->56         started        59 conhost.exe 38->59         started        61 2 other processes 40->61 file10 signatures11 process12 dnsIp13 105 C:\Users\user\AppData\Local\...\Cerker.exe, PE32 42->105 dropped 191 Antivirus detection for dropped file 42->191 193 Multi AV Scanner detection for dropped file 42->193 195 Creates an undocumented autostart registry key 42->195 209 2 other signatures 42->209 63 Cerker.exe 42->63         started        66 schtasks.exe 1 42->66         started        107 C:\Users\user\AppData\Roaming\...\TypeId.exe, PE32+ 46->107 dropped 197 Machine Learning detection for dropped file 46->197 199 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 46->199 201 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 46->201 109 C:\Users\user\AppData\...\mswabnet.exe, PE32 48->109 dropped 203 Creates multiple autostart registry keys 48->203 68 mswabnet.exe 48->68         started        71 conhost.exe 50->71         started        73 conhost.exe 52->73         started        75 IIZS2TRqf69aZbLAX3cf3edn.exe 52->75         started        205 Reads the System eventlog 54->205 77 conhost.exe 54->77         started        133 rx-eu-lon.unminable.com 161.35.34.195 DIGITALOCEAN-ASNUS United States 56->133 207 Query firmware table information (likely to detect VMs) 56->207 file14 signatures15 process16 dnsIp17 211 Antivirus detection for dropped file 63->211 213 Multi AV Scanner detection for dropped file 63->213 215 Machine Learning detection for dropped file 63->215 217 2 other signatures 63->217 79 conhost.exe 66->79         started        117 185.208.158.114 SIMPLECARRER2IT Switzerland 68->117 signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-08-31 17:24:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=55dm5uoouheyoiw4ogvaz5saxxby3btx3eqcnnx543hg5ywweo2q._file
Verdict:
unknown
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:1176f2 discovery trojan
Link:
https://tria.ge/reports/240831-zgek1svamp/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Amadey
Malware Config
C2 Extraction:
http://185.215.113.19
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/485fcd55-92b2-433c-a2b9-0b44f9ed0551
Unpacked files
SH256 hash:
b419741923e7cfcd3390e7ad648c8ec24241a09c27f151a1f0a15013e60f79be
MD5 hash:
3edd1d89b118e6967927fce9295af6a0
SHA1 hash:
8e1944243eda841114e7291f12e9497c172ace66
Detections:
SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Link:
https://www.unpac.me/results/b103ba95-4bed-4ad8-b2d7-5f297b91f76d/
SH256 hash:
9e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951
MD5 hash:
ced97d60021d4a0bfa03ee14ec384c12
SHA1 hash:
7af327df2a2d1e0e09034c2bdf6a47f788cec4e4
Detections:
win_amadey_auto
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/b103ba95-4bed-4ad8-b2d7-5f297b91f76d/
Parent samples :
ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5
e5653d7990167fe4072984ee0af9b8547a65ff931944b0365faca726e0e3d6ea
SH256 hash:
8b9fcd126ea817623c6d948a9288288cf8631d9adb4a24b478aefbe9d9eee178
MD5 hash:
41c7854926173e87e1e24784cf1f49e3
SHA1 hash:
ac19b44941a9d71d8d51ae25954682873099da72
Detections:
win_amadey_auto
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/b103ba95-4bed-4ad8-b2d7-5f297b91f76d/
SH256 hash:
ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5
MD5 hash:
4d40ebb93aa34bf94d303c07c6a7e5e5
SHA1 hash:
9333bc5b3f78f0a3cca32e1f6a90af8064bf8a81
Detections:
SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Link:
https://www.unpac.me/results/b103ba95-4bed-4ad8-b2d7-5f297b91f76d/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef46ced1cea1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3110487/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3110493/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments