MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3162a139191ee7ab512dc14be6002712818fb4b00a3de5dc213d62c6c08beba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3162a139191ee7ab512dc14be6002712818fb4b00a3de5dc213d62c6c08beba
SHA3-384 hash: 7f81570ed6b07b3916f7b2a48d33cc731bdcfe721135f67cee19c1d1a9a251ab053a2a75bbc12023bdc990fca123ee74
SHA1 hash: 08c204385efc01ed1aa8ff837572d64db9428809
MD5 hash: 20dfb45f65b59e034e36b1c5584c63f5
humanhash: fix-seven-nuts-football
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:676'864 bytes
First seen:2023-02-04 01:04:29 UTC
Last seen:2023-02-04 01:14:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:KG7Py90OrmBsLOCgFSiYBwwSP43mjc+I3/VWPbajAw3TJDubTJJ14tRvkENvTw:ny9rmYOCw1YMg3m+/VS+p35mdX8KEN8
TLSH T124E41292FEE48132D9B51BB018F913870E35FCA5ADB493AB1791348E4CB3540EA75B27
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://62.204.41.248/is/zhiga.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-04 01:05:28 UTC
Tags:
trojan rat redline amadey loader
Link:
https://app.any.run/tasks/afc7fc8b-276d-42d2-8dd8-478e2ad62249

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/360128/
Detection(s):
Win.Trojan.Generic-9933689-0
Create hunting rule

Win.Trojan.Redline-9938775-1
Create hunting rule

Win.Packed.Lazy-9958163-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65175/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
advpack.dll anti-vm packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63ddaf3e89bd67c10fdc6d46/reports/39618e58-3f87-4fd6-9aa8-0bb7cc0ca0b7/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1252166
Link:
https://www.hybrid-analysis.com/sample/f3162a139191ee7ab512dc14be6002712818fb4b00a3de5dc213d62c6c08beba
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62ae574c-b490-429d-9785-4f22b3faf10c
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1165608
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 798379 Sample: file.exe Startdate: 04/02/2023 Architecture: WINDOWS Score: 100 91 Snort IDS alert for network traffic 2->91 93 Multi AV Scanner detection for domain / URL 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 16 other signatures 2->97 10 file.exe 1 4 2->10         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        17 6 other processes 2->17 process3 file4 77 C:\Users\user\AppData\Local\Temp\...\puan.exe, PE32 10->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\hank.exe, PE32 10->79 dropped 19 puan.exe 1 4 10->19         started        23 hank.exe 1 4 10->23         started        process5 file6 59 C:\Users\user\AppData\Local\Temp\...\mixo.exe, PE32 19->59 dropped 61 C:\Users\user\AppData\Local\Temp\...\briv.exe, PE32 19->61 dropped 99 Antivirus detection for dropped file 19->99 101 Multi AV Scanner detection for dropped file 19->101 103 Machine Learning detection for dropped file 19->103 25 briv.exe 3 19->25         started        29 mixo.exe 19->29         started        63 C:\Users\user\AppData\Local\...\repka.exe, PE32 23->63 dropped 65 C:\Users\user\AppData\Local\...\redko.exe, PE32 23->65 dropped 32 repka.exe 3 23->32         started        34 redko.exe 5 23->34         started        signatures7 process8 dnsIp9 75 C:\Users\user\AppData\Local\...\mnolyk.exe, PE32 25->75 dropped 129 Multi AV Scanner detection for dropped file 25->129 131 Machine Learning detection for dropped file 25->131 36 mnolyk.exe 33 25->36         started        85 176.113.115.16, 4122, 49997 SELECTELRU Russian Federation 29->85 133 Detected unpacking (changes PE section rights) 32->133 135 Detected unpacking (overwrites its own PE header) 32->135 137 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->137 139 Tries to harvest and steal browser information (history, passwords, etc) 32->139 87 62.204.41.170, 4179, 49700, 49702 TNNET-ASTNNetOyMainnetworkFI United Kingdom 34->87 141 Antivirus detection for dropped file 34->141 143 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->143 145 Tries to steal Crypto Currency Wallets 34->145 file10 signatures11 process12 dnsIp13 81 62.204.41.4, 49703, 49704, 49706 TNNET-ASTNNetOyMainnetworkFI United Kingdom 36->81 83 62.204.41.248, 49705, 49707, 49709 TNNET-ASTNNetOyMainnetworkFI United Kingdom 36->83 67 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 36->67 dropped 69 C:\Users\user\AppData\Local\...\trebo1.exe, PE32 36->69 dropped 71 C:\Users\user\AppData\Local\...\trebo.exe, PE32 36->71 dropped 73 7 other malicious files 36->73 dropped 105 Multi AV Scanner detection for dropped file 36->105 107 Creates an undocumented autostart registry key 36->107 109 Machine Learning detection for dropped file 36->109 111 Uses schtasks.exe or at.exe to add and modify task schedules 36->111 41 trebo1.exe 36->41         started        44 nika.exe 36->44         started        46 trebo.exe 36->46         started        49 4 other processes 36->49 file14 signatures15 process16 dnsIp17 113 Multi AV Scanner detection for dropped file 41->113 115 Query firmware table information (likely to detect VMs) 41->115 117 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 41->117 127 4 other signatures 41->127 119 Machine Learning detection for dropped file 44->119 121 Disable Windows Defender notifications (registry) 44->121 123 Disable Windows Defender real time protection (registry) 44->123 89 82.115.223.9, 15486, 50068 MIDNET-ASTK-TelecomRU Russian Federation 46->89 125 Antivirus detection for dropped file 46->125 51 conhost.exe 49->51         started        53 conhost.exe 49->53         started        55 cmd.exe 49->55         started        57 5 other processes 49->57 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3162a139191ee7ab512dc14be6002712818fb4b00a3de5dc213d62c6c08beba/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-04 01:05:07 UTC
File Type:
PE (Exe)
Extracted files:
122
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mlcue4rshxhvnis3qkl4yacoeubr62lacr54xoccplcy3aix25a._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:gonka botnet:mixo botnet:redko botnet:temposs6678 discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230204-bfhdhsca49/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Malware Config
C2 Extraction:
62.204.41.170:4179
62.204.41.4/Gol478Ns/index.php
176.113.115.16:4122
82.115.223.9:15486
Unpacked files
SH256 hash:
6943fa10964c97990ea4598ba95183df5541d3780696236efbb3741ad70ad7a3
MD5 hash:
6774aff91e016329c314fda5c64dafdd
SHA1 hash:
bf73a6b423b89ef3cdc8b04738159189aec435bf
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/eb9f1025-8ae5-45ba-b01d-3af915cd1072/
Parent samples :
f3162a139191ee7ab512dc14be6002712818fb4b00a3de5dc213d62c6c08beba
ba6f1f7315c383583acb3caf2f7a74c89d3977cbf5ee19bb8bcc1a1455dc9317
716a1e8a2385af12aebf95bcaa32cd4b28db5c36aff954ccdfd4f550a5c54a00
317618ef12fa752d88f9de1c08291231f2496e33094329501d9a1e56b468be2c
09b749cb035fd17bc749c1738d1f35f35500df7b157552f26f7570d80f8acde1
fd175c2b3abdea1356f213078f594cd33d643c39ce9db3360f30263bbafa90c9
85b23d055ec1ed780b24ab997ebe9c42f6bd601d74443cf551553de74709299f
de9573b6d66e311748f8dd4deb632be37d5c03430dec960f3cb964fe72695a27
6fbf44183c6ed6ebe3f188f187afe712574c34d9787cdf40c5bcbb07f6d50fb7
ef837e4549085f90fccd5b3a25082480ea20102458889ea8576c2714404086ea
SH256 hash:
ed17ed7eebabe13474c25f17b5da7bd55dda0bf1c378a5dfd4eec86f4b691c2b
MD5 hash:
4c2e09312bca6ad7592ddcd82cd69966
SHA1 hash:
0cbd1236ddeb3ac552360fbe126e08e46657ec15
Link:
https://www.unpac.me/results/eb9f1025-8ae5-45ba-b01d-3af915cd1072/
SH256 hash:
f3162a139191ee7ab512dc14be6002712818fb4b00a3de5dc213d62c6c08beba
MD5 hash:
20dfb45f65b59e034e36b1c5584c63f5
SHA1 hash:
08c204385efc01ed1aa8ff837572d64db9428809
Link:
https://www.unpac.me/results/eb9f1025-8ae5-45ba-b01d-3af915cd1072/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3162a139191/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3162a139191ee7ab512dc14be6002712818fb4b00a3de5dc213d62c6c08beba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/360128/

Comments