MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb
SHA3-384 hash: 48b117d90200a1bd7722b451f2942eac2cb13b8abda6d49e4e98a60391cad6fb7116387e2347b095b66313bf7e64aca3
SHA1 hash: 26d036a05f3e6ae8b8fac5e971509cf5bdd82682
MD5 hash: 930e0ee50934fc02fcbb98d9f2952164
humanhash: wyoming-missouri-oregon-speaker
File name:ck5Ex60.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'646'080 bytes
First seen:2024-01-05 10:11:17 UTC
Last seen:2024-01-06 02:52:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:gR5z1o02R2cFrN5m9oD46HicgXMPDTfYX+pf:cE03yrjocwgf
TLSH T1CA752347D6C8A032EE7557B184F603432D71FE52EEBA5369235049880DB16D8A8B7B3F
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter ukycircle
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
e8e307f94d9319f62b20920b93bec8ad8fad2341a3fa1d072a0cd8257295d881.exe
Verdict:
Malicious activity
Analysis date:
2024-01-04 21:04:12 UTC
Tags:
autoit amadey botnet stealer loader redline kelihos trojan risepro evasion
Link:
https://app.any.run/tasks/f3cbccce-41ee-4a97-8598-e741a2f36176

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469579/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
Searching for the window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Launching cmd.exe command interpreter
Reading critical registry keys
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm autoit CAB control explorer greyware hook installer keylogger lolbin lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6597d5f4b855eb369314a1e2/reports/1c4d6625-432a-4e3d-bc51-fb4c308bc801/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92f91a05-8fd4-453b-927e-d03460d7924c
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1370278
Signature
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1370278 Sample: ck5Ex60.exe Startdate: 05/01/2024 Architecture: WINDOWS Score: 100 112 ipinfo.io 2->112 114 BiFyPFCGqiSSr.BiFyPFCGqiSSr 2->114 130 Snort IDS alert for network traffic 2->130 132 Multi AV Scanner detection for submitted file 2->132 134 Yara detected RisePro Stealer 2->134 136 7 other signatures 2->136 12 ck5Ex60.exe 1 4 2->12         started        16 wscript.exe 2->16         started        18 MaxLoonaFest131.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 file5 108 C:\Users\user\AppData\Local\...\2rv6894.exe, PE32 12->108 dropped 110 C:\Users\user\AppData\Local\...\1TD30cg5.exe, PE32 12->110 dropped 172 Binary is likely a compiled AutoIt script file 12->172 22 2rv6894.exe 14 12->22         started        26 1TD30cg5.exe 12 12->26         started        174 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->174 28 EchoScan.pif 16->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 20->34         started        signatures6 process7 file8 100 C:\Users\user\AppData\Local\Temp\...\Flexible, PE32 22->100 dropped 150 Multi AV Scanner detection for dropped file 22->150 152 Contains functionality to register a low level keyboard hook 22->152 36 cmd.exe 1 22->36         started        39 conhost.exe 22->39         started        154 Binary is likely a compiled AutoIt script file 26->154 156 Machine Learning detection for dropped file 26->156 158 Found API chain indicative of sandbox detection 26->158 160 Contains functionality to modify clipboard data 26->160 41 chrome.exe 1 26->41         started        44 chrome.exe 26->44         started        46 chrome.exe 26->46         started        102 C:\Users\user\AppData\Local\...\jsc.exe, PE32 28->102 dropped 162 Writes to foreign memory regions 28->162 164 Injects a PE file into a foreign processes 28->164 48 jsc.exe 28->48         started        signatures9 process10 dnsIp11 140 Uses ping.exe to sleep 36->140 142 Drops PE files with a suspicious file extension 36->142 144 Uses schtasks.exe or at.exe to add and modify task schedules 36->144 146 Uses ping.exe to check the status of other devices and networks 36->146 51 cmd.exe 1 36->51         started        54 conhost.exe 36->54         started        122 192.168.2.4, 443, 49729, 49730 unknown unknown 41->122 124 239.255.255.250 unknown Reserved 41->124 56 chrome.exe 41->56         started        69 2 other processes 41->69 59 chrome.exe 44->59         started        61 chrome.exe 46->61         started        126 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 48->126 128 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 48->128 90 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 48->90 dropped 92 C:\Users\user\AppData\...\FANBooster131.exe, PE32 48->92 dropped 94 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 48->94 dropped 96 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 48->96 dropped 148 Found many strings related to Crypto-Wallets (likely being stolen) 48->148 63 cmd.exe 48->63         started        65 cmd.exe 48->65         started        67 conhost.exe 48->67         started        file12 signatures13 process14 dnsIp15 138 Uses ping.exe to sleep 51->138 71 Random.pif 4 51->71         started        75 cmd.exe 2 51->75         started        77 cmd.exe 2 51->77         started        83 6 other processes 51->83 116 clients.l.google.com 142.250.113.100, 443, 49733 GOOGLEUS United States 56->116 118 142.250.113.104 GOOGLEUS United States 56->118 120 22 other IPs or domains 56->120 79 schtasks.exe 63->79         started        81 schtasks.exe 65->81         started        signatures16 process17 file18 104 C:\Users\user\AppData\Local\...choScan.pif, PE32 71->104 dropped 166 Found API chain indicative of sandbox detection 71->166 168 Drops PE files with a suspicious file extension 71->168 170 Contains functionality to modify clipboard data 71->170 85 cmd.exe 71->85         started        106 C:\Users\user\AppData\Local\...\Random.pif, PE32 75->106 dropped signatures19 process20 file21 98 C:\Users\user\AppData\...choScan.url, MS 85->98 dropped 88 conhost.exe 85->88         started        process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb/
Threat name:
Win32.Trojan.Crifi
Create hunting rule
Status:
Malicious
First seen:
2024-01-04 20:52:07 UTC
File Type:
PE (Exe)
Extracted files:
81
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6zidv5awlzky6oohm7356da3fcw43akj2zfvvsaqnb7bxjj5v75q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google evasion persistence phishing trojan
Link:
https://tria.ge/reports/240105-l8g9bsaee3/
Behaviour
Creates scheduled task(s)
Enumerates processes with tasklist
Enumerates system info in registry
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Windows security modification
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
49f726559690aee6d88cfb1e775bbcbb53686d5655cb127f334e2bd51e596a54
MD5 hash:
d040e6b89d3e9b6c792c9b4a89549801
SHA1 hash:
995a51ac061716ef7dc327653a90c14c40fb3fc8
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/faa18553-6c50-442d-b8af-9921cc44b530/
Parent samples :
e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d
cdf64a111349a82f90434e360e6312f107a45a6dafa24f8fcddb497e1584ee79
9e56bc168efc43001c19a1720891c88fa4cefb2057b0b38b8c0effaab170e190
cf0c7d8987626b0d2f0115ca56a525762382a4e453365ea740caf733fd8a908e
da928ea0a7b11461c0e4e77880b48723a1138e68c7948a153c17f5e9da624209
e8e307f94d9319f62b20920b93bec8ad8fad2341a3fa1d072a0cd8257295d881
3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb
828cda2143a5d51706f89716c96c8714cdadac696df62a806e566ecead0ed4ce
9120ce3b64b1eea0eccc343744f4e8ff3bdc88b8a79743e07a975c6c313789ee
3830e8249b95e86065288cb7a00ee9139d9e2fd918ff9c7e427e8684c1481579
17eb1a2f794ad5e02a0d96fcbd42fcfe328eb4a10bdda74d8e5cb1dfc46e4fa6
cbb21348582932ab0b31c23529c0cf675ba8b40f85f373d9a33b2853aedd1c16
9410861cbe8204310017cdec72056d49f8effbe26961cc6cb73fee37c731e0a0
267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1
c97aa2240452b4c1db4ccfbfc783c95d6b47309d5bd389675864d0fc3541b93a
fdb1515e4b51131fe289ea794f76acacb9939416b0905ed9e9e44f0ca60fc805
9bccd2dc8f14b92f591fab90b458da775598de51f9c56dca13ed0561e33eea24
SH256 hash:
f21eba52c63ede94c5b7ff0efb669aa8ecd10d2d165ba75e4e7c2c01971214d2
MD5 hash:
a2278fa594146739911620355df65a67
SHA1 hash:
3d31e3119426f59055ccd10327465a4d4eb7c4f8
Link:
https://www.unpac.me/results/faa18553-6c50-442d-b8af-9921cc44b530/
SH256 hash:
f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb
MD5 hash:
930e0ee50934fc02fcbb98d9f2952164
SHA1 hash:
26d036a05f3e6ae8b8fac5e971509cf5bdd82682
Link:
https://www.unpac.me/results/faa18553-6c50-442d-b8af-9921cc44b530/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Check_Debugger
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469579/

Comments