MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fce70f2a6b4c4e9aecbd10ff68e495e45861b7e86038517a8c17bc0c7369ab12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fce70f2a6b4c4e9aecbd10ff68e495e45861b7e86038517a8c17bc0c7369ab12
SHA3-384 hash: dd194d4111fe2c5f5e60e47d59082e46521e06f791566dcb67f686ccdaa74537c94f612235c0ae95e71f6ab10201b6c1
SHA1 hash: c3a09f80477b8d44a2428d9ba6a28aad3d6fb5d9
MD5 hash: aaef11f9c446555dd43348b1986bed70
humanhash: sodium-fifteen-beryllium-mexico
File name:aaef11f9c446555dd43348b1986bed70.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:955'904 bytes
First seen:2023-09-24 08:15:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:cykZBejNIVO7uGtpLqwspJ1fI+IVsstT3a:LwdVal3mnBIKstj
TLSH T134152303A9E91533D9B29B701CF60A870B367C910E39D75B7386CD9768B2844DA3673B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
176.123.9.142:37637

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aaef11f9c446555dd43348b1986bed70.exe
Verdict:
Suspicious activity
Analysis date:
2023-09-24 08:17:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/788cad6c-61de-45ee-9c62-cd77214835ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450850/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Launching a service
Creating a file
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/650ff04333582f234e014738/reports/bea5a015-07f4-4a29-a9d3-1e6619cc4014/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/fce70f2a6b4c4e9aecbd10ff68e495e45861b7e86038517a8c17bc0c7369ab12
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b677ec32-adbb-428a-875a-dab17b2e213d
Result
Threat name:
Fabookie, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1313461
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Fabookie
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1313461 Sample: Gg8EZ1PToZ.exe Startdate: 24/09/2023 Architecture: WINDOWS Score: 100 141 www.google.com 2->141 143 www.facebook.com 2->143 145 6 other IPs or domains 2->145 165 Snort IDS alert for network traffic 2->165 167 Multi AV Scanner detection for domain / URL 2->167 169 Found malware configuration 2->169 171 12 other signatures 2->171 15 Gg8EZ1PToZ.exe 1 4 2->15         started        18 svchost.exe 21 32 2->18         started        20 svchost.exe 2->20         started        23 4 other processes 2->23 signatures3 process4 dnsIp5 133 C:\Users\user\AppData\Local\...\v4190227.exe, PE32 15->133 dropped 135 C:\Users\user\AppData\Local\...\e1385981.exe, PE32 15->135 dropped 25 v4190227.exe 1 4 15->25         started        29 WerFault.exe 18->29         started        31 WerFault.exe 18->31         started        33 WerFault.exe 18->33         started        35 WerFault.exe 18->35         started        147 192.168.2.1 unknown unknown 20->147 file6 process7 file8 121 C:\Users\user\AppData\Local\...\v3288074.exe, PE32 25->121 dropped 123 C:\Users\user\AppData\Local\...\d0042641.exe, PE32 25->123 dropped 207 Multi AV Scanner detection for dropped file 25->207 37 d0042641.exe 25->37         started        40 v3288074.exe 1 4 25->40         started        signatures9 process10 file11 173 Multi AV Scanner detection for dropped file 37->173 175 Writes to foreign memory regions 37->175 177 Allocates memory in foreign processes 37->177 179 Injects a PE file into a foreign processes 37->179 43 AppLaunch.exe 37->43         started        46 WerFault.exe 37->46         started        117 C:\Users\user\AppData\Local\...\v6141052.exe, PE32 40->117 dropped 119 C:\Users\user\AppData\Local\...\c8787787.exe, PE32 40->119 dropped 48 v6141052.exe 1 4 40->48         started        51 c8787787.exe 40->51         started        signatures12 process13 file14 209 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->209 211 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 43->211 213 Maps a DLL or memory area into another process 43->213 223 2 other signatures 43->223 53 explorer.exe 43->53 injected 101 C:\Users\user\AppData\Local\...\b1101796.exe, PE32 48->101 dropped 103 C:\Users\user\AppData\Local\...\a7557228.exe, PE32 48->103 dropped 215 Multi AV Scanner detection for dropped file 48->215 58 a7557228.exe 48->58         started        60 b1101796.exe 48->60         started        217 Writes to foreign memory regions 51->217 219 Allocates memory in foreign processes 51->219 221 Injects a PE file into a foreign processes 51->221 62 AppLaunch.exe 51->62         started        64 AppLaunch.exe 51->64         started        66 WerFault.exe 51->66         started        signatures15 process16 dnsIp17 149 5.42.65.80, 49758, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 53->149 151 77.91.68.238, 49747, 49751, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 53->151 155 3 other IPs or domains 53->155 109 C:\Users\user\AppData\Roaming\ebjwtfg, PE32 53->109 dropped 111 C:\Users\user\AppData\Local\Temp823.exe, PE32 53->111 dropped 113 C:\Users\user\AppData\Local\Temp\DF5A.exe, PE32 53->113 dropped 115 4 other malicious files 53->115 dropped 181 System process connects to network (likely due to code injection or exploit) 53->181 183 Benign windows process drops PE files 53->183 185 Hides that the sample has been downloaded from the Internet (zone.identifier) 53->185 68 7662.exe 53->68         started        87 2 other processes 53->87 187 Multi AV Scanner detection for dropped file 58->187 189 Contains functionality to inject code into remote processes 58->189 191 Writes to foreign memory regions 58->191 71 AppLaunch.exe 9 1 58->71         started        74 AppLaunch.exe 58->74         started        76 WerFault.exe 21 9 58->76         started        193 Allocates memory in foreign processes 60->193 195 Injects a PE file into a foreign processes 60->195 78 AppLaunch.exe 13 60->78         started        81 WerFault.exe 19 9 60->81         started        83 AppLaunch.exe 60->83         started        85 AppLaunch.exe 60->85         started        153 77.91.124.82, 19071, 49720, 49754 ECOTEL-ASRU Russian Federation 62->153 197 Tries to harvest and steal browser information (history, passwords, etc) 62->197 file18 signatures19 process20 dnsIp21 105 C:\Users\user\AppData\Local\...\x4403429.exe, PE32 68->105 dropped 107 C:\Users\user\AppData\Local\...\k8169889.exe, PE32 68->107 dropped 89 x4403429.exe 68->89         started        199 Disable Windows Defender notifications (registry) 71->199 201 Disable Windows Defender real time protection (registry) 71->201 203 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 74->203 205 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 74->205 157 5.42.92.211, 49717, 49752, 49757 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 78->157 file22 signatures23 process24 file25 125 C:\Users\user\AppData\Local\...\x5424286.exe, PE32 89->125 dropped 127 C:\Users\user\AppData\Local\...\j5210263.exe, PE32 89->127 dropped 92 x5424286.exe 89->92         started        process26 file27 129 C:\Users\user\AppData\Local\...\x2989475.exe, PE32 92->129 dropped 131 C:\Users\user\AppData\Local\...\i0356758.exe, PE32 92->131 dropped 95 x2989475.exe 92->95         started        process28 file29 137 C:\Users\user\AppData\Local\...\h6234383.exe, PE32 95->137 dropped 139 C:\Users\user\AppData\Local\...\g4912370.exe, PE32 95->139 dropped 98 g4912370.exe 95->98         started        process30 signatures31 159 Writes to foreign memory regions 98->159 161 Allocates memory in foreign processes 98->161 163 Injects a PE file into a foreign processes 98->163
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fce70f2a6b4c4e9aecbd10ff68e495e45861b7e86038517a8c17bc0c7369ab12/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-09-23 22:02:21 UTC
File Type:
PE (Exe)
Extracted files:
149
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ttq6ktljrhjv3f5cd7wrzev4rmgdn7ima4fc6umc66ay43jvmja._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:fabookie family:glupteba family:healer family:redline family:smokeloader family:xmrig botnet:eges botnet:nanya botnet:up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/230924-j548kseg64/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
XMRig Miner payload
RedLine
RedLine payload
SmokeLoader
xmrig
Detect Fabookie payload
Detects Healer an antivirus disabler dropper
Fabookie
Glupteba
Glupteba payload
Healer
Modifies Windows Defender Real-time Protection settings
Malware Config
C2 Extraction:
77.91.124.82:19071
http://77.91.68.29/fks/
http://app.nnnaajjjgc.com/check/safe
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
72beb0b0c9de9fe800797b9ba22a03f3c632499a49481f38dacb567118903075
MD5 hash:
cfc86de5ac3c799ad8cd4002281b7829
SHA1 hash:
7113c679a0cd0e242bb5bc31b94637992865d4d4
Link:
https://www.unpac.me/results/98288143-a1b9-4604-836c-4cd830830553/
SH256 hash:
70ebdba0402f6e78248e2770ecd8150308d791ea5cce2ed7da7fe034b8a501ba
MD5 hash:
42a15d80a40e3f7d4b897d8e7c750435
SHA1 hash:
f5fb367e304a883b66b4eb7304f204ca2b77716a
Link:
https://www.unpac.me/results/98288143-a1b9-4604-836c-4cd830830553/
SH256 hash:
fce70f2a6b4c4e9aecbd10ff68e495e45861b7e86038517a8c17bc0c7369ab12
MD5 hash:
aaef11f9c446555dd43348b1986bed70
SHA1 hash:
c3a09f80477b8d44a2428d9ba6a28aad3d6fb5d9
Link:
https://www.unpac.me/results/98288143-a1b9-4604-836c-4cd830830553/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fce70f2a6b4c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fce70f2a6b4c4e9aecbd10ff68e495e45861b7e86038517a8c17bc0c7369ab12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:mal_healer
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:Payload disabling Windows AV
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fce70f2a6b4c4e9aecbd10ff68e495e45861b7e86038517a8c17bc0c7369ab12

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2713520/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/450850/

Comments