MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f029a186250840ab5492c2d8f9fee5197b9919f1111e8d11c4c6c6e8bf7f8206. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18



SHA256 hash: f029a186250840ab5492c2d8f9fee5197b9919f1111e8d11c4c6c6e8bf7f8206
SHA3-384 hash: c4950adadeeb741373f014c51272b102e1c7a81f7ac046d408d5cea6ab572d1d45d9384cfffe1c982b2dd59b7e724609
SHA1 hash: 293e5184eb24a7dc83468ad14a9449e9ca67122b
MD5 hash: b347a0f26d057878a1c24927ced02b30
humanhash: east-coffee-network-item
File name: b347a0f26d057878a1c24927ced02b30.exe
Signature: RedLineStealer
File size: 586'752 bytes
First seen: 2023-06-18 18:11:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 12288:dMrOy90cyrwseeuT1W1CvL/7qFwyFPH4/YRsI:vypxreuprLOFwK4/YRr
Threatray: 1'289 similar samples on MalwareBazaar
TLSH: T1FBC41213BAC89576DCB117B058F707E30A36BDF19E74839A26C1989A1D722C4A43773B
TrID: 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
83.97.73.129:19071

Intelligence


File Origin
# of uploads: 1
# of downloads: 276
Origin country: NL
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: b347a0f26d057878a1c24927ced02b30.exe
Verdict: Malicious activity
Analysis date: 2023-06-18 18:13:23 UTC
Tags: rat redline amadey trojan loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Launching a service
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Blocking the Windows Defender launch
Disabling the operating system update service
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: advpack.dll CAB evasive installer killav lolbin packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph (graph image not reproduced): ID 889941, sample SeakYjzvZr.exe, start date 18/06/2023, architecture WINDOWS, score 100.
Threat name: ByteCode-MSIL.Trojan.RedLineStealer
Status: Malicious
First seen: 2023-06-18 18:12:09 UTC
File Type: PE (Exe)
Extracted files: 117
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:amadey family:redline botnet:duza botnet:jason discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
83.97.73.129:19071
77.91.68.63/doma/net/index.php
Unpacked files
SHA256 hash: 2e7859551a2369e581931c570929a0cfc1cda70ca5c34569c149ffb506f2ea6b
MD5 hash: c6f6f4b214c16c26bf2677033a4048d7
SHA1 hash: b265886e747570601309db7d74de49f7ff1ad712
SHA256 hash: 8f947b57ffc60726f55d4dda9e7811a718bba641cf7101afa905a05a6cc294f3
MD5 hash: c7339c21df25b5e34cc462fecfd47f40
SHA1 hash: e2f6fdcd790a79db4ebf861ae13f3fd95d66a760
Detections: redline
Parent samples:
SHA256 hash: 0dd28cb67af2bd795c88c009ab45d1199012c7655471ce255805dd665103c568
MD5 hash: d0c619cbd6578b1fb4b4f894fe13d7ec
SHA1 hash: 48148f813f3e8181e20de491e1e0c6464ab8be5d
Detections: Amadey
SHA256 hash: 24f931e18d3043798d94c8d11706246e63e8b28db5ca1dfadfd73b99f6f9f363
MD5 hash: 28a65342db2b0a19b8e8c29227e8ab7c
SHA1 hash: 31dede04df66f3fe0fc2a42393adf62a836f2275
SHA256 hash: f029a186250840ab5492c2d8f9fee5197b9919f1111e8d11c4c6c6e8bf7f8206 (this sample)
MD5 hash: b347a0f26d057878a1c24927ced02b30
SHA1 hash: 293e5184eb24a7dc83468ad14a9449e9ca67122b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Sample: RedLineStealer, Executable exe f029a186250840ab5492c2d8f9fee5197b9919f1111e8d11c4c6c6e8bf7f8206 (this sample)
