MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ddb3e23adfb6586cf05324f0f7581481f03b498aea85862639f351b8d78e464. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ddb3e23adfb6586cf05324f0f7581481f03b498aea85862639f351b8d78e464
SHA3-384 hash: 1d6eab97e06320e4444085049940e70a47f9d4ca06c9218c30651b00f5c9c7fa8be571c627c12ff74cf27ea99f0ac2dc
SHA1 hash: f7985e84a2df6a3a45738bc2594c5c457f4c7d8a
MD5 hash: c725804be4d040c9addbecd7c11e1d60
humanhash: hot-alpha-aspen-oregon
File name:c725804be4d040c9addbecd7c11e1d60.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'046'528 bytes
First seen:2023-05-19 07:10:20 UTC
Last seen:2023-05-20 14:54:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:9yAQqgRnzjx4//7QAqV/TQFfHWAQ8CyB092HIWSg/:YxzjxWDQlxMFfHWAhC52HIxg
Threatray 2'458 similar samples on MalwareBazaar
TLSH T1E6252255AEE84033ECE517B0A8F716570B3DBD216A78022B73C54E5B5CF2281E876B36
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
77.91.68.253:41783

Intelligence

File Origin
# of uploads :
4
# of downloads :
265
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
c725804be4d040c9addbecd7c11e1d60.exe
Verdict:
Malicious activity
Analysis date:
2023-05-19 07:12:36 UTC
Tags:
redline
Link:
https://app.any.run/tasks/480cbe14-8cea-4a9b-b5ba-3c9fa0060afc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/85641/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll CAB confuserex installer lolbin packed packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/64672106e2cab1a0387e3a25/reports/11cd00e7-3886-4847-a599-3452d93f4d6b/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1323756
Link:
https://www.hybrid-analysis.com/sample/2ddb3e23adfb6586cf05324f0f7581481f03b498aea85862639f351b8d78e464
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ff1fff3-866b-47cc-acdf-463304acc2d1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1236902
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869895 Sample: vy7VZhq1sj.exe Startdate: 19/05/2023 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for dropped file 2->56 58 8 other signatures 2->58 9 vy7VZhq1sj.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 file4 42 C:\Users\user\AppData\Local\...\z0140058.exe, PE32 9->42 dropped 44 C:\Users\user\AppData\Local\...\s1826344.exe, PE32 9->44 dropped 16 z0140058.exe 1 4 9->16         started        process5 file6 34 C:\Users\user\AppData\Local\...\z1240390.exe, PE32 16->34 dropped 36 C:\Users\user\AppData\Local\...\r2659647.exe, PE32 16->36 dropped 48 Antivirus detection for dropped file 16->48 50 Machine Learning detection for dropped file 16->50 20 z1240390.exe 1 4 16->20         started        24 r2659647.exe 2 16->24         started        signatures7 process8 dnsIp9 38 C:\Users\user\AppData\Local\...\p3497010.exe, PE32 20->38 dropped 40 C:\Users\user\AppData\Local\...\o5102353.exe, PE32 20->40 dropped 60 Antivirus detection for dropped file 20->60 62 Multi AV Scanner detection for dropped file 20->62 64 Machine Learning detection for dropped file 20->64 27 o5102353.exe 9 1 20->27         started        30 p3497010.exe 20->30         started        46 77.91.68.253, 41783, 49703, 49704 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 24->46 file10 signatures11 process12 signatures13 66 Antivirus detection for dropped file 27->66 68 Multi AV Scanner detection for dropped file 27->68 70 Machine Learning detection for dropped file 27->70 72 2 other signatures 27->72 32 WerFault.exe 20 9 30->32         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ddb3e23adfb6586cf05324f0f7581481f03b498aea85862639f351b8d78e464/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 07:11:04 UTC
File Type:
PE (Exe)
Extracted files:
118
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fxnt4i5n7nsyntyfgjhq65mbjapqhneyv2ufqytdt42rxdly4rsa._file
Verdict:
malicious
Similar samples:
20c4d7a2370fa52189596321cccce902ebf0e2026b696b2346c5e0ca3bb04ce0
RedLineStealer
23fbeba39612eab2ed7f8eb1416dc741f306a13a5f91bf524e36bccede09f861
RedLineStealer
2ed81c8a70821f622a4032f6fefc00a25c4cce03df139afe47f3d0d4209dc972
RedLineStealer
2fca3b457b1a010f86eecc7fbf138f8d0cd9ce6dd567a25f98a5efa97ea4b092
RedLineStealer
2fe6e3f3ef4455d0ab3051d04634c7762965b4decd50e3209e0f9ec099b54ac5
RedLineStealer
82eebd52e3ae5dcd6dea8faf522af875f81bdb3f87c4dd050f59053c167fbdbf
RedLineStealer
8546ad80e210e48de122136158279d6a7d08b66221412b6c41a2f16072686e1c
RedLineStealer
89904f29a736bcd96492f894375665321a11da82740498da56380f834199497f
RedLineStealer
9430eea55974af4d120181aa2904e4b75ef8097a0e89bcd6bd8698ee91781ae8
RedLineStealer
a33a85ec95382b08ad57705f113adab57971fd7e33d3072fad4a817955319c1b
RedLineStealer
+ 2'448 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:lols evasion infostealer persistence trojan
Link:
https://tria.ge/reports/230519-hzxqwaff75/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.68.253:41783
Unpacked files
SH256 hash:
0b6ef47f3f74aa2cdef8014b687689cf9591c5affe5ffe7154bd6003beba41dc
MD5 hash:
a7298d04106f3df14ef6e5e57ab51837
SHA1 hash:
2e3b64dc7b3486190361385bb73f980eb3efc990
Link:
https://www.unpac.me/results/c6cf80e6-b42b-4d4e-96ed-a034e9baef91/
SH256 hash:
80d56459acba37cf67d74e93d6b8d1a68420ef8e63c5d7fe9cc5299d50327c31
MD5 hash:
9a901045903f55df23af0b9fa57b79d9
SHA1 hash:
19781f6e99c8d8aa53b769e17fb07c4bffe1252d
Link:
https://www.unpac.me/results/c6cf80e6-b42b-4d4e-96ed-a034e9baef91/
SH256 hash:
bd6aa86d8d89ab34e28caf2b4d5dea28e37cee508b41bedde71f4ed9890b14e9
MD5 hash:
3db1ed17d0aac5e7f563c7b580979599
SHA1 hash:
bc3a3f39cd620257472c378232d91fead101aded
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/c6cf80e6-b42b-4d4e-96ed-a034e9baef91/
SH256 hash:
21cf94b4444bb507abf0f1a7ae459b90df117d3076b17bd2468268b18033e117
MD5 hash:
5cd2555267e20742da3ea67b1a4080a8
SHA1 hash:
04473267e62eab3158a67ff98fe1d794f9335949
Link:
https://www.unpac.me/results/c6cf80e6-b42b-4d4e-96ed-a034e9baef91/
SH256 hash:
7398cb182725eb65042a7b8f01b381d8681099b6784dbef03be7a35d969fde8c
MD5 hash:
849205584b81457fd5254960d24a23c1
SHA1 hash:
874fa6494c0bb62bad377a76c4d73521e078bb67
Link:
https://www.unpac.me/results/c6cf80e6-b42b-4d4e-96ed-a034e9baef91/
SH256 hash:
57ed3f73c0028e35de3242337462b956961672ea51b4f5bb4aa8f1f3f642f3f6
MD5 hash:
396a1c34767487ed00e14b2c7d3a693a
SHA1 hash:
b9995de1e2251d8c4c267ca8f68d60cc9aaa8a9f
Link:
https://www.unpac.me/results/c6cf80e6-b42b-4d4e-96ed-a034e9baef91/
SH256 hash:
2ddb3e23adfb6586cf05324f0f7581481f03b498aea85862639f351b8d78e464
MD5 hash:
c725804be4d040c9addbecd7c11e1d60
SHA1 hash:
f7985e84a2df6a3a45738bc2594c5c457f4c7d8a
Link:
https://www.unpac.me/results/c6cf80e6-b42b-4d4e-96ed-a034e9baef91/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2ddb3e23adfb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ddb3e23adfb6586cf05324f0f7581481f03b498aea85862639f351b8d78e464

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2ddb3e23adfb6586cf05324f0f7581481f03b498aea85862639f351b8d78e464

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2631490/
  
Delivery method
Distributed via web download

Comments