MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

SHA256 hash: f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA3-384 hash: abd258c2f365e5d3700b2b7abe0ce1bce06bd50e01060df7239b70e5b2dc7fbe3faf949fe3864e5b7face42027fe91d4
SHA1 hash: 1188348ca7e52f075e7d1d0031918c2cea93362e
MD5 hash: 55f845c433e637594aaf872e41fda207
humanhash: yankee-mirror-hot-bravo
File name: SecuriteInfo.com.Trojan.DownLoader45.64798.14568.10081
Signature: RedLineStealer
File size: 314'368 bytes
First seen: 2023-09-03 00:26:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 44e769941d2c6ad88bf42ac4adb36135 (25 x Amadey, 2 x RedLineStealer)
ssdeep: 6144:GUG2bcUH6Z0+ReEjhVsJgAmkMAIeuudb8MT8AOacOZS:GU9bIeEdVsJqeuudbFT8SZS
Threatray: 268 similar samples on MalwareBazaar
TLSH: T19D644A517912C032DA6151721AB5BFF2C5AC6C249BB049DB7BC00E76DE212E6BE70F39
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: SecuriteInfoCom
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 289
Origin country: FR

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 4fc8a187f6d2efe15e9d060bcf18c317.exe
Verdict: Malicious activity
Analysis date: 2023-08-12 17:27:17 UTC
Tags: loader smoke trojan amadey payload fabookie stealer redline vidar arkei ransomware stop

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: amadey clipbanker control greyware lolbin shell32

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Fabookie, Glupteba, RedLine, Smo
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: ID 1302201, Sample: SecuriteInfo.com.Trojan.Dow..., Startdate: 03/09/2023, Architecture: WINDOWS, Score: 100 (rendered process/signature graph not reproduced here)
Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2023-08-05 17:03:16 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 22 of 24 (91.67%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:amadey family:fabookie family:redline botnet:010923 evasion infostealer spyware stealer trojan
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect Fabookie payload
Fabookie
RedLine
Malware Config
C2 Extraction:
79.137.192.18/9bDc8sQ/index.php
happy1sept.tuktuk.ug:11290
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: MALWARE_Win_Amadey
Author: ditekSHen
Description: Amadey downloader payload
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: TeslaCryptPackedMalware
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Windows_Trojan_Amadey_7abb059b
Author: Elastic Security
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples
Rule name: win_amadey_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.amadey.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer: Executable exe f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 (this sample)
Delivery method: Distributed via web download

Comments