MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef5c3cd83b121082dbdf4f5eb8593d40b2b5d43b6916d3fc98b3a3787828878c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef5c3cd83b121082dbdf4f5eb8593d40b2b5d43b6916d3fc98b3a3787828878c
SHA3-384 hash: 26b13027f9a42f85a727f1b4d0130920e69a4875cacfc90a91a162de4803f9352a4d5d977da96338bcf5945f0431c72b
SHA1 hash: 808c96713ccfe0a11831546f72df41c8f5c7fb07
MD5 hash: edfceed35fa14f8d74af8e883e12cf81
humanhash: vermont-michigan-red-papa
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'614'336 bytes
First seen:2023-10-25 00:41:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:7iJTR0YIMAaITM51Uj6A6ZhA56aGwj+E2b:yZcxTMHUj6Aeh66
Threatray 2'645 similar samples on MalwareBazaar
TLSH T152753307E6D85133E668EB3000B77BC718B4FC44597C66AA1690969F0EB2948A73F377
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://109.107.182.2/race/bus50.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
359
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-25 00:43:07 UTC
Tags:
stealc stealer redline amadey botnet trojan loader smoke opendir
Link:
https://app.any.run/tasks/c4cd5e29-88b5-4ff2-8317-c291a578cfc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456105/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Launching a service
Сreating synchronization primitives
Creating a file
Creating a window
Launching cmd.exe command interpreter
Running batch commands
Forced shutdown of a system process
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6538645be3768e7905ca543b/reports/962761cc-e23b-4c19-aa39-e0f8738c0e67/overview
Verdict:
Malicious
Labled as:
Kryptik.JKR.gen
Link:
https://www.hybrid-analysis.com/sample/ef5c3cd83b121082dbdf4f5eb8593d40b2b5d43b6916d3fc98b3a3787828878c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ef456ac-bace-4bec-8c37-83d34a689e7f
Result
Threat name:
Amadey, Babadeda, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331613
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331613 Sample: file.exe Startdate: 25/10/2023 Architecture: WINDOWS Score: 100 161 youtube-ui.l.google.com 2->161 163 www3.l.google.com 2->163 165 16 other IPs or domains 2->165 191 Snort IDS alert for network traffic 2->191 193 Found malware configuration 2->193 195 Malicious sample detected (through community Yara rule) 2->195 197 21 other signatures 2->197 15 file.exe 1 4 2->15         started        18 svchost.exe 2->18         started        21 svchost.exe 1 2->21         started        23 7 other processes 2->23 signatures3 process4 file5 151 C:\Users\user\AppData\Local\...\yb8cb27.exe, PE32 15->151 dropped 153 C:\Users\user\AppData\Local\...\7hn3Lo70.exe, PE32 15->153 dropped 25 yb8cb27.exe 1 4 15->25         started        173 Changes security center settings (notifications, updates, antivirus, firewall) 18->173 175 Query firmware table information (likely to detect VMs) 21->175 signatures6 process7 file8 135 C:\Users\user\AppData\Local\...\ik1Ck64.exe, PE32 25->135 dropped 137 C:\Users\user\AppData\Local\...\6vi3PD6.exe, PE32 25->137 dropped 235 Antivirus detection for dropped file 25->235 237 Multi AV Scanner detection for dropped file 25->237 239 Machine Learning detection for dropped file 25->239 29 ik1Ck64.exe 1 4 25->29         started        33 6vi3PD6.exe 25->33         started        signatures9 process10 file11 147 C:\Users\user\AppData\Local\...\hg9vD39.exe, PE32 29->147 dropped 149 C:\Users\user\AppData\Local\...\5wE8uS5.exe, PE32 29->149 dropped 257 Antivirus detection for dropped file 29->257 259 Multi AV Scanner detection for dropped file 29->259 261 Machine Learning detection for dropped file 29->261 35 hg9vD39.exe 1 4 29->35         started        39 5wE8uS5.exe 29->39         started        signatures12 process13 file14 117 C:\Users\user\AppData\Local\...\Kx5lt47.exe, PE32 35->117 dropped 119 C:\Users\user\AppData\Local\...\4Tk195Sx.exe, PE32 35->119 dropped 213 Antivirus detection for dropped file 35->213 215 Multi AV Scanner detection for dropped file 35->215 217 Machine Learning detection for dropped file 35->217 41 Kx5lt47.exe 1 4 35->41         started        45 4Tk195Sx.exe 35->45         started        121 C:\Users\user\AppData\Local\...\explothe.exe, PE32 39->121 dropped 47 explothe.exe 39->47         started        signatures15 process16 dnsIp17 139 C:\Users\user\AppData\Local\...\Op6uy76.exe, PE32 41->139 dropped 141 C:\Users\user\AppData\Local\...\3cu06Qk.exe, PE32 41->141 dropped 241 Antivirus detection for dropped file 41->241 243 Multi AV Scanner detection for dropped file 41->243 245 Machine Learning detection for dropped file 41->245 50 3cu06Qk.exe 41->50         started        53 Op6uy76.exe 1 4 41->53         started        247 Writes to foreign memory regions 45->247 249 Allocates memory in foreign processes 45->249 251 Injects a PE file into a foreign processes 45->251 56 AppLaunch.exe 45->56         started        171 77.91.124.1, 49705, 49706, 49707 ECOTEL-ASRU Russian Federation 47->171 143 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 47->143 dropped 145 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 47->145 dropped 253 Creates an undocumented autostart registry key 47->253 255 Uses schtasks.exe or at.exe to add and modify task schedules 47->255 59 cmd.exe 47->59         started        61 schtasks.exe 47->61         started        63 rundll32.exe 47->63         started        file18 signatures19 process20 dnsIp21 177 Antivirus detection for dropped file 50->177 179 Multi AV Scanner detection for dropped file 50->179 181 Machine Learning detection for dropped file 50->181 185 5 other signatures 50->185 65 explorer.exe 27 22 50->65 injected 127 C:\Users\user\AppData\Local\...\2Ld5101.exe, PE32 53->127 dropped 129 C:\Users\user\AppData\Local\...\1pl11At1.exe, PE32 53->129 dropped 70 1pl11At1.exe 53->70         started        72 2Ld5101.exe 53->72         started        167 77.91.124.86, 19084, 49703, 49748 ECOTEL-ASRU Russian Federation 56->167 183 Tries to harvest and steal browser information (history, passwords, etc) 56->183 74 conhost.exe 59->74         started        76 cmd.exe 59->76         started        78 cacls.exe 59->78         started        82 4 other processes 59->82 80 conhost.exe 61->80         started        file22 signatures23 process24 dnsIp25 155 5.42.65.80, 49945, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 65->155 157 77.91.68.249, 49744, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 65->157 159 4 other IPs or domains 65->159 109 C:\Users\user\AppData\Local\Temp\B5AC.exe, PE32 65->109 dropped 111 C:\Users\user\AppData\Local\Temp\B2EC.exe, PE32 65->111 dropped 113 C:\Users\user\AppData\Local\Temp\AEB5.exe, PE32 65->113 dropped 115 6 other malicious files 65->115 dropped 199 System process connects to network (likely due to code injection or exploit) 65->199 201 Benign windows process drops PE files 65->201 84 9F02.exe 65->84         started        88 rundll32.exe 65->88         started        90 Conhost.exe 65->90         started        203 Multi AV Scanner detection for dropped file 70->203 205 Contains functionality to inject code into remote processes 70->205 207 Writes to foreign memory regions 70->207 92 AppLaunch.exe 9 1 70->92         started        209 Allocates memory in foreign processes 72->209 211 Injects a PE file into a foreign processes 72->211 94 AppLaunch.exe 12 72->94         started        file26 signatures27 process28 dnsIp29 123 C:\Users\user\AppData\Local\...\PW4pu0Eh.exe, PE32 84->123 dropped 125 C:\Users\user\AppData\Local\...\6Vw52sW.exe, PE32 84->125 dropped 219 Antivirus detection for dropped file 84->219 221 Machine Learning detection for dropped file 84->221 97 PW4pu0Eh.exe 84->97         started        223 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 92->223 225 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 92->225 227 Modifies windows update settings 92->227 229 2 other signatures 92->229 169 193.233.255.73, 49702, 49704, 49743 FREE-NET-ASFREEnetEU Russian Federation 94->169 file30 signatures31 process32 file33 105 C:\Users\user\AppData\Local\...\yl7LF1iC.exe, PE32 97->105 dropped 107 C:\Users\user\AppData\Local\...\5AI32QQ.exe, PE32 97->107 dropped 187 Antivirus detection for dropped file 97->187 189 Machine Learning detection for dropped file 97->189 101 yl7LF1iC.exe 97->101         started        signatures34 process35 file36 131 C:\Users\user\AppData\Local\...\lz4NJ7dl.exe, PE32 101->131 dropped 133 C:\Users\user\AppData\Local\...\4ef133Io.exe, PE32 101->133 dropped 231 Antivirus detection for dropped file 101->231 233 Machine Learning detection for dropped file 101->233 signatures37
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ef5c3cd83b121082dbdf4f5eb8593d40b2b5d43b6916d3fc98b3a3787828878c
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ef5c3cd83b121082dbdf4f5eb8593d40b2b5d43b6916d3fc98b3a3787828878c/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 00:42:06 UTC
File Type:
PE (Exe)
Extracted files:
226
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=55odzwb3ciiifw67j5plqwj5iczllvb3nelnh7eyworxq6biq6ga._file
Verdict:
malicious
Similar samples:
2434a9706c210bbda5c8bc42d5245f307d288625722889a79e784a4af11c6723
RedLineStealer
274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b
RedLineStealer
3284e773190a76acd9195d6978089a1f8fb856c837efba6dbe5713de3d2c01a0
RedLineStealer
3b75fef36f2d68ceed33969816c1c90b4094db8c1a2bc98d848857f904da21e2
RedLineStealer
6c4eeafcda86d5bd3f31bbb5d53dcbeb18542a14b599d2a5e222d8a1cdb5baae
RedLineStealer
6e3da629f58585ed8b4a732516294693db5158c8e5c551b1c35d93e46e009a23
RedLineStealer
ad79b4136b9e78f7c6c3e18b60d3bfe663ef741b926c294a908bc4416b4b42db
RedLineStealer
ef084f589ca9e0e3395495e211edf5903e986b77307ae0e515dc51886dfbffc5
RedLineStealer
f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7
RedLineStealer
f34053453587ed5bb5cc44041732dda7101f5fab23a8080dee965dbec596d2c2
RedLineStealer
+ 2'635 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:redline family:smokeloader botnet:@ytlogsbot botnet:grome botnet:kinza botnet:up3 backdoor brand:google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware trojan
Link:
https://tria.ge/reports/231025-a2b8ysdb81/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
Amadey
DcRat
Detected google phishing page
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
http://host-file-host6.com/
http://host-host-file8.com/
194.169.175.235:42691
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/9d89aa37-2428-43d8-bacf-50c31664b97a/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
be4b48101a1a088dd69cbff07f9633d6b20d4f9ec2903b75b6a010c10b3b46b6
MD5 hash:
013f1ebd3d99b1e54ceb016a26c1f145
SHA1 hash:
0c3c5bf7b24919eca8a486872c255284569dc92d
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/9d89aa37-2428-43d8-bacf-50c31664b97a/
SH256 hash:
cb2478e2d088447b85638b344f4b58829419391df91b45fe18f09edeaa7b55b7
MD5 hash:
31c8aaf627e4b6c3de62440d852ffd62
SHA1 hash:
c74eee61a89a5e27828b1abd8809317773097a14
Link:
https://www.unpac.me/results/9d89aa37-2428-43d8-bacf-50c31664b97a/
SH256 hash:
07a1db4eedb9f29b91a19c9e8a1d69abf7ba189c908e65b9713a619c2887b78a
MD5 hash:
2c8b777f67580c332e9ea548d4fce387
SHA1 hash:
8efbd64da965a04429eee6737b2bee739caa8d2e
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/9d89aa37-2428-43d8-bacf-50c31664b97a/
Parent samples :
ef5c3cd83b121082dbdf4f5eb8593d40b2b5d43b6916d3fc98b3a3787828878c
e5a0153f278414621e6aab40ca86efc8bcfba7787ad61fce886daaadc7c2b178
04049e006b103c762f308155c4d9cd4310bdca27a9ff6b6ea45bc5fe757034be
c6954a8566262d8395ac3861a1dffe990bbce05ef20750716aa63703981a3fbf
7f7d7e4b47a92c89715bc074780bf03e2b41d67498e7ee5d435102d5ff8aa8a9
2a9b3852b7f12031702400476992c1a136872b5e15120cca65f61f843b05e810
147e3b92e142b17b4fe60713499d0288ec9f99b06bdecb3c1d591413b81412ce
807de0b885f90bfe2d06227ff66abed429321a7f729e77a5360c1448ff9ee777
SH256 hash:
9f68bb92b5a4fe0ba3c2915413739d84c36918fcf09a618d1b385f9216d91da3
MD5 hash:
28b9acf7e0faf9d499b5916d3784ae23
SHA1 hash:
8112d3e064baf82ccb6a6c55ea3dccb527c2a9fc
Link:
https://www.unpac.me/results/9d89aa37-2428-43d8-bacf-50c31664b97a/
SH256 hash:
d64c410ca97d316070bd48d9639358f23edf33afdfc02b7fe60dd881893833d6
MD5 hash:
5a3ee0bf7cff836940c99c20594b7317
SHA1 hash:
3091e2cf3a4dc4ce3b060cc5011abf07bda0a241
Link:
https://www.unpac.me/results/9d89aa37-2428-43d8-bacf-50c31664b97a/
SH256 hash:
ef5c3cd83b121082dbdf4f5eb8593d40b2b5d43b6916d3fc98b3a3787828878c
MD5 hash:
edfceed35fa14f8d74af8e883e12cf81
SHA1 hash:
808c96713ccfe0a11831546f72df41c8f5c7fb07
Link:
https://www.unpac.me/results/9d89aa37-2428-43d8-bacf-50c31664b97a/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef5c3cd83b12/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/456105/

Comments