MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17ce5e353ef1009c35cde80c984fbd89f78d7a3d0ee1d8aef6db69622452bd38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17ce5e353ef1009c35cde80c984fbd89f78d7a3d0ee1d8aef6db69622452bd38
SHA3-384 hash: bde8d391eb3db33eb9ca3c37bbbfc31544695ffb60e958bb85fefad4da43d45a980a49c44f498db9afdbad413ed0d637
SHA1 hash: ae7331e4f5f33b45032079b1df5ac95a42ecf597
MD5 hash: 79e674ac89a2c699011c3972aad98e67
humanhash: triple-zulu-one-stream
File name:setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:812'032 bytes
First seen:2023-05-01 19:14:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1efe015ade03f54dd6d9b2ccea28b970 (268 x RedLineStealer, 256 x Amadey, 2 x GuLoader)
ssdeep 12288:3y90gmtxe4IuPFe9HgGCLuMwBCx2dH+g7hbenLOKr3s501Mk:3yUptNe9HPCKMwB9+gVbenNtMk
Threatray 53 similar samples on MalwareBazaar
TLSH T182051217A6D88933E9B617B049F217E30A38FCA26A3482E75348664F59B32D1DD31337
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter Chainskilabs
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2023-05-01 19:17:00 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/42e4fe95-9c46-4552-b8b8-489667436b33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/385889/
Detection(s):
Win.Packed.Disabler-9997785-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.47223212.29771.27352.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82137/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll amadey CAB comodo greyware installer packed redline rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/64500fb792903068e34f6524/reports/e050b561-61af-415f-96dd-d919234a67f7/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1310591
Link:
https://www.hybrid-analysis.com/sample/17ce5e353ef1009c35cde80c984fbd89f78d7a3d0ee1d8aef6db69622452bd38
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9b3b974-7266-4e73-b82f-8312a6320544
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1224210
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 857162 Sample: setup.exe Startdate: 01/05/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 9 other signatures 2->51 8 setup.exe 1 4 2->8         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 file4 31 C:\Users\user\AppData\Local\...\x82657822.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\Local\...\o07168393.exe, PE32 8->33 dropped 15 x82657822.exe 1 4 8->15         started        process5 file6 35 C:\Users\user\AppData\Local\...\n79741046.exe, PE32 15->35 dropped 37 C:\Users\user\AppData\Local\...\m98299447.exe, PE32 15->37 dropped 41 Antivirus detection for dropped file 15->41 43 Machine Learning detection for dropped file 15->43 19 m98299447.exe 3 15->19         started        23 n79741046.exe 3 15->23         started        signatures7 process8 file9 29 C:\Windows\Temp\1.exe, PE32 19->29 dropped 53 Detected unpacking (changes PE section rights) 19->53 55 Detected unpacking (overwrites its own PE header) 19->55 57 Machine Learning detection for dropped file 19->57 25 1.exe 5 19->25         started        59 Antivirus detection for dropped file 23->59 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->61 63 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->63 65 2 other signatures 23->65 signatures10 process11 dnsIp12 39 185.161.248.73, 4164, 49701, 49702 NTLGB United Kingdom 25->39 67 Antivirus detection for dropped file 25->67 69 Multi AV Scanner detection for dropped file 25->69 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->71 73 3 other signatures 25->73 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17ce5e353ef1009c35cde80c984fbd89f78d7a3d0ee1d8aef6db69622452bd38/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-05-01 19:15:08 UTC
File Type:
PE (Exe)
Extracted files:
147
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7hf4nj66eajynon5agjqt55rh3y26r5b3q5rlxw3nuwejcsxu4a._file
Verdict:
malicious
Similar samples:
1e733f7dd81f0f7ca342286e81d655255b1e9ac221a99e630d4bb28bd5d7c175
RedLineStealer
4499294408d299a322eb96f73b77496042e5e773bae5e34ce56c43e664ce595d
RedLineStealer
576bbdd4dd36883501b201b08ccdf9fb8f8f860a295fb05f321722757daad89c
RedLineStealer
95dcb0e7ff7af28afd90c15da0623e73f3ceae583bf92f9dfd6b736d8657d0ed
RedLineStealer
9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715
RedLineStealer
a9aaea2b59ecc716f9f21db612a6dc1421ad618c7cedf5efc1f2060a712e263a
RedLineStealer
c3ae28893182c56f2dd617710bf2c240088c45a3edb529784e7c499e61397e8c
RedLineStealer
cff87da88e5e0dc7fe0a0942f3dc2c7c1a1542c4710ef7d029e7e0901868c0ac
RedLineStealer
f9108ec06b59b666d257d2b3efd2dda2277a97c6d7fd0de911dcf563239877c3
RedLineStealer
fe6f8a10cfea929c10df3a27631652354a0e555e76f62349b0eb74be82059008
RedLineStealer
+ 43 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:dork botnet:gena discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230501-xx766agg7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
185.161.248.73:4164
Unpacked files
SH256 hash:
4b8f703dc9fa0a9180300b0d0af6237ac6cff58a91480c1c02d310d57dd0df30
MD5 hash:
792fcfb26bcf7ab503e55c8b8be510c9
SHA1 hash:
b31246d1d82a41c93b94b9fcee115ae7d60ef361
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
SH256 hash:
595aa92f6a7415468926141061cb7247f340b1c064f01ec3ebb45ce75fadab98
MD5 hash:
a8fd7d107b102caa87d22edff37b82b8
SHA1 hash:
15d98c6b667f518430bcd383611b1756618afbac
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
SH256 hash:
64317fef1f1f560c0d6640b814c86c24264bf65942874981cafea8221cf6cba4
MD5 hash:
d332a35fb411789cedc9763febecce36
SHA1 hash:
a4f8c658da69a4c48ac6ec9a65734080a7058094
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
SH256 hash:
23c65b707870466944054879ffdb083c69f6b4bb2d92283d247b9f95171b2d70
MD5 hash:
4ae4255b32c5cbba6b7d53a280a16d23
SHA1 hash:
7543999d94bcaaed98252334f8206e594b1c8058
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
SH256 hash:
1782a231afdb9f7dd459dc8e10c1cab56cfc6f4fd771619836b9568d938c34c8
MD5 hash:
47e29902de8f43fb2b6429b1f9446e6b
SHA1 hash:
495400b53ea4ec846abedacaf42c899eedc5d612
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
SH256 hash:
85a25a76615d7ab02fe6b16ed559b4ab7f28c41bf203a13a6fdee754468ba65f
MD5 hash:
b2849e42cf4e08241f8dadfda97f8f37
SHA1 hash:
473bae0473bff32696d09ee55378ecbd6913bcbb
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
SH256 hash:
e4aa7894da855da6a3bc811611f6968c4fa5377730f485ac0552ec89abcedb0a
MD5 hash:
62fb308feedd12012d08ba369db5e13d
SHA1 hash:
d65110f27e0e048439855b1fca7da3734dfb3573
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
SH256 hash:
46f864d3e57b937df89f683ee4587b743d910262e83cade248ce5f3b66eae285
MD5 hash:
d9177b8485bb89298340e59019836db3
SHA1 hash:
2f002fc64c61b9359bf81b511f620e3263409388
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
SH256 hash:
db7482e77a8dca1d931683d2f4e4e8fa3499479ac64dfbf24cd979a40461801c
MD5 hash:
7e3428d1e3b10246227830e434b69c1b
SHA1 hash:
11e9c64f7b6489d7a38b0205d02f69f9c1d741a7
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
SH256 hash:
17ce5e353ef1009c35cde80c984fbd89f78d7a3d0ee1d8aef6db69622452bd38
MD5 hash:
79e674ac89a2c699011c3972aad98e67
SHA1 hash:
ae7331e4f5f33b45032079b1df5ac95a42ecf597
Link:
https://www.unpac.me/results/bf760478-19f3-43ef-a39b-0e0c8c25fa66/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/17ce5e353ef1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17ce5e353ef1009c35cde80c984fbd89f78d7a3d0ee1d8aef6db69622452bd38

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 17ce5e353ef1009c35cde80c984fbd89f78d7a3d0ee1d8aef6db69622452bd38

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/385889/

Comments