MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e4becdfa847fdeed5e52d3f25dda4e32f0409818bad5c956256c2dd35c931c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e4becdfa847fdeed5e52d3f25dda4e32f0409818bad5c956256c2dd35c931c4
SHA3-384 hash: d8bc026fa95cd8506ea6dd829f03f0a956bf6b11d7db5f04054a97677f1a969c2742878e50a5c70948e239e9c9c5f44a
SHA1 hash: 0298f54885b2acbefbf30d6c9fabe4182ee7d71e
MD5 hash: bad5bf7da41fdb03171a9072bd39a48f
humanhash: nevada-nitrogen-four-carpet
File name:bad5bf7da41fdb03171a9072bd39a48f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'140'224 bytes
First seen:2023-04-09 16:00:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:xy++TNXTatkFIdy7T4sNQQND3pmKaAs1xzNDcQes1Xz:kDcoISpmPlLgT
Threatray 2'673 similar samples on MalwareBazaar
TLSH T1B6352342B7E89473CDF52BB45DF606870E3ABEA6ADB543173352ACA94CF21449831327
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://212.113.119.255/joomla/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
bad5bf7da41fdb03171a9072bd39a48f.exe
Verdict:
Malicious activity
Analysis date:
2023-04-09 16:03:14 UTC
Tags:
rat redline trojan amadey loader
Link:
https://app.any.run/tasks/2498c6ba-725f-42c7-b1a3-3ff9afceb38f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/381114/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Creating a file
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Disabling the operating system update service
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77171/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll CAB greyware installer packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6432e13ef17a8f86fc8c7b11/reports/6077c14e-a00b-4987-b6b9-327f83c36aa1/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1310591
Link:
https://www.hybrid-analysis.com/sample/1e4becdfa847fdeed5e52d3f25dda4e32f0409818bad5c956256c2dd35c931c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3c256c7-9f22-4876-b9b5-ac4ecfdfbe1e
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
99 / 100
Link:
https://www.joesandbox.com/analysis/1210936
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 843852 Sample: qx1ayTc61x.exe Startdate: 09/04/2023 Architecture: WINDOWS Score: 99 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for dropped file 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 7 other signatures 2->57 9 qx1ayTc61x.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        16 2 other processes 2->16 process3 file4 43 C:\Users\user\AppData\Local\...\zap4884.exe, PE32 9->43 dropped 45 C:\Users\user\AppData\Local\...\y22EE09.exe, PE32 9->45 dropped 18 zap4884.exe 1 4 9->18         started        process5 file6 35 C:\Users\user\AppData\Local\...\zap1787.exe, PE32 18->35 dropped 37 C:\Users\user\AppData\Local\...\xtRrR91.exe, PE32 18->37 dropped 59 Antivirus detection for dropped file 18->59 61 Multi AV Scanner detection for dropped file 18->61 63 Machine Learning detection for dropped file 18->63 22 zap1787.exe 1 4 18->22         started        signatures7 process8 file9 39 C:\Users\user\AppData\Local\...\zap1471.exe, PE32 22->39 dropped 41 C:\Users\user\AppData\Local\...\w16Ta21.exe, PE32 22->41 dropped 65 Multi AV Scanner detection for dropped file 22->65 67 Machine Learning detection for dropped file 22->67 26 zap1471.exe 1 4 22->26         started        signatures10 process11 file12 47 C:\Users\user\AppData\Local\...\v7451AG.exe, PE32 26->47 dropped 49 C:\Users\user\AppData\Local\...\tz2700.exe, PE32 26->49 dropped 69 Multi AV Scanner detection for dropped file 26->69 71 Machine Learning detection for dropped file 26->71 30 tz2700.exe 9 1 26->30         started        33 v7451AG.exe 1 1 26->33         started        signatures13 process14 signatures15 73 Multi AV Scanner detection for dropped file 30->73 75 Machine Learning detection for dropped file 30->75 77 Disable Windows Defender notifications (registry) 30->77 79 Disable Windows Defender real time protection (registry) 30->79 81 Detected unpacking (changes PE section rights) 33->81 83 Detected unpacking (overwrites its own PE header) 33->83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e4becdfa847fdeed5e52d3f25dda4e32f0409818bad5c956256c2dd35c931c4/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-04-09 16:01:10 UTC
File Type:
PE (Exe)
Extracted files:
189
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzf6zx5ii7665vpffu7slxne4mxqicmbrowvzflck3bn2nojghca._file
Verdict:
malicious
Similar samples:
3ce59f4740e06e135b214f2345f4ca167586b83aa2afdfbb4ade797d90e5c85d
RedLineStealer
47de00d106dd237c87aac8014aff32244f8c974dee45dbd512228f15673410e4
RedLineStealer
53069da8103b319980e687cba051c0f6a49e1806bf6cb30826b65f3507098e40
RedLineStealer
6fed2ab08446e6cdb2c0ba81f108d3eaf5186ab8f45d6cd3d27d86bcf77a99e4
RedLineStealer
71bf3f169694a071ecf57ca50a1cab9f09a42bd63e744dad76240f41c5a8146f
RedLineStealer
7a420492a6b132a40688165f244fec62096338b64d77e8921d587b33c85b71fb
RedLineStealer
804c33adb410686c058fe376b00742c92bfd08cb015f32ddb49a578eaae64667
RedLineStealer
ad87fff54c6386ba282fdb21d283c187aeef155263d52f7da25baed2968ba7ff
RedLineStealer
be2a4634c8cea6ead9547bfbec6557629a8a19fedc559f17fa93f0c3d16b6b7f
RedLineStealer
e101ad45e1f2ffb7409c1db6b46a2ab3374e26c43f2abb708d1ddb9be3365a4f
RedLineStealer
+ 2'663 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:litor botnet:norm discovery evasion infostealer persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/230409-tf7mhsde8s/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
77.91.124.145:4125
212.113.119.255/joomla/index.php
Unpacked files
SH256 hash:
89c3ecc861034306b290edcb2472e5918c817188b8abb31a0bd7f7016959c289
MD5 hash:
b98cf332c5b43976627c313cb0012111
SHA1 hash:
8ff175fb8ba62e6dd79d4383bc00fb3b285224f0
Link:
https://www.unpac.me/results/d9608a6f-f068-4085-80a0-8ea5d87abfe7/
SH256 hash:
4557d1ff3ee9cb0a8759896d45e76732cc264795a0e0ccca0ed06a5118718186
MD5 hash:
07cd8d0a8b91369f670a46d76c308897
SHA1 hash:
beff684fc005f2c6e39b45fe5bc7518a0db16c20
Link:
https://www.unpac.me/results/d9608a6f-f068-4085-80a0-8ea5d87abfe7/
SH256 hash:
1e4becdfa847fdeed5e52d3f25dda4e32f0409818bad5c956256c2dd35c931c4
MD5 hash:
bad5bf7da41fdb03171a9072bd39a48f
SHA1 hash:
0298f54885b2acbefbf30d6c9fabe4182ee7d71e
Link:
https://www.unpac.me/results/d9608a6f-f068-4085-80a0-8ea5d87abfe7/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1e4becdfa847/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e4becdfa847fdeed5e52d3f25dda4e32f0409818bad5c956256c2dd35c931c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1e4becdfa847fdeed5e52d3f25dda4e32f0409818bad5c956256c2dd35c931c4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2603216/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/381114/

Comments