MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f
SHA3-384 hash: 39d62c974f3aa2df7fdda6fef432200c2c3f86678109ef6da11cd24acb469ac9cd59f8ffe247815517f9ac9860875f5b
SHA1 hash: 336c32ca3bbe6aab791604338043382a6ceff759
MD5 hash: 6c069b020a1acf1937d0f7e9339aec39
humanhash: social-steak-five-pennsylvania
File name:6c069b020a1acf1937d0f7e9339aec39.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:770'048 bytes
First seen:2023-06-01 19:45:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:fMrNy90bpGEeY+ItX0wfxGURiQ93iabIdAezcU6djXOlaaOYTr3zdD3dUvrTdgw8:WyIpyItX0k4UI23ineeYNdj+/n3zdD3J
Threatray 434 similar samples on MalwareBazaar
TLSH T1FFF41252B7F89676E8A12B705DFA07931A31FC9098B4C3133649AC6B1CB3795A13173B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
6c069b020a1acf1937d0f7e9339aec39.exe
Verdict:
Malicious activity
Analysis date:
2023-06-01 19:51:21 UTC
Tags:
rat redline amadey trojan loader
Link:
https://app.any.run/tasks/fec23205-a2a1-4b09-b39e-cc4936caf372

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/394610/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching a service
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Disabling the operating system update service
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll anti-vm CAB greyware installer lolbin packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6478f58299da9635873cb760/reports/658aca3a-f889-41a7-a89d-43d214af3478/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5a4438b-0978-4d6d-89b7-af9e60fc92b9
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1247225
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 880241 Sample: rPeTFRozfl.exe Startdate: 01/06/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 14 other signatures 2->61 9 rPeTFRozfl.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        process3 file4 45 C:\Users\user\AppData\Local\...\y4277064.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\Local\...\n1851162.exe, PE32 9->47 dropped 18 y4277064.exe 1 4 9->18         started        process5 file6 37 C:\Users\user\AppData\Local\...\y8527531.exe, PE32 18->37 dropped 39 C:\Users\user\AppData\Local\...\m4839165.exe, PE32 18->39 dropped 63 Antivirus detection for dropped file 18->63 65 Multi AV Scanner detection for dropped file 18->65 67 Machine Learning detection for dropped file 18->67 22 y8527531.exe 1 4 18->22         started        signatures7 process8 file9 41 C:\Users\user\AppData\Local\...\l9154091.exe, PE32 22->41 dropped 43 C:\Users\user\AppData\Local\...\k2542753.exe, PE32 22->43 dropped 69 Antivirus detection for dropped file 22->69 71 Multi AV Scanner detection for dropped file 22->71 73 Machine Learning detection for dropped file 22->73 26 l9154091.exe 4 22->26         started        30 k2542753.exe 1 22->30         started        signatures10 process11 dnsIp12 49 83.97.73.127, 19045, 49697 UNACS-AS-BG8000BurgasBG Germany 26->49 75 Antivirus detection for dropped file 26->75 77 Multi AV Scanner detection for dropped file 26->77 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->79 89 3 other signatures 26->89 81 Machine Learning detection for dropped file 30->81 83 Writes to foreign memory regions 30->83 85 Allocates memory in foreign processes 30->85 87 Injects a PE file into a foreign processes 30->87 32 AppLaunch.exe 9 1 30->32         started        35 conhost.exe 30->35         started        signatures13 process14 signatures15 51 Disable Windows Defender notifications (registry) 32->51 53 Disable Windows Defender real time protection (registry) 32->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-06-01 08:29:40 UTC
File Type:
PE (Exe)
Extracted files:
117
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ips7ur5fiurrijmomanetmzvzjueiznjuzlyrxtgfu5l6vskim7q._file
Verdict:
malicious
Similar samples:
1484d62d930b194a9c46779e4e6619b75118dec1aaa02eb9132aab31666ce562
RedLineStealer
1834db2a405c78564f9928d0f0047fce383d0e5d4d1d98aafbc3c2d7d453aec2
RedLineStealer
291d8988a8f46bda0aa9b2fb0b5267442ca40e4a115cb58c0122f70238cbc609
RedLineStealer
313585d2d0a21bd87791ebde0e70d7243361f4b7d987dda6f483e1fc45f5abe2
RedLineStealer
8af32f3ea4635d8b35ae555aeb954d087acbf0225580d8bf929adc7426fe8932
RedLineStealer
a669ab0a60d4d8c8421d88ca8d8f826d7ff82f9a4e2bb68f0c57e5c109be7c47
RedLineStealer
ad6de406918f235ea46c9c377059c17e6e1ddec6e1a642fedfd74345f93833b6
RedLineStealer
b35472d4bd71abc436d5eeef223b81aac4ad00813abc2e66ed862b19165db479
RedLineStealer
c18d461cd880e179ec078722740b182ece28ff886fc63711a906e473bc83d750
RedLineStealer
f50da55eaa745a7d2017eded3d9edcc93c51f6df1cdbcbb12899ff42e27203b8
RedLineStealer
+ 424 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:diza botnet:rocker discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230601-ygy4zsgf2z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
83.97.73.127:19045
Unpacked files
SH256 hash:
a5562a0a00b133443e525a118ebea73977a7cb0f302747b631960ec09eb4d279
MD5 hash:
9d3b083dc48bbaef144da7cb4657e4b1
SHA1 hash:
e9f4deab8a93fa0c489d32832e49765a7aa2463c
Link:
https://www.unpac.me/results/9be7f0c3-83e2-4123-a7ef-ec7f25feed74/
SH256 hash:
5993470c5025e009edd820b9af0cab89788865327440e29d2bd90e599b2162cf
MD5 hash:
7ec9798445fb0afccf895c43d0adfd7c
SHA1 hash:
903e37516608d9e879d422635cd6bdbfedbe12ea
Link:
https://www.unpac.me/results/9be7f0c3-83e2-4123-a7ef-ec7f25feed74/
SH256 hash:
426ece31a36f480dc64cf6a405615a218a1fbcbdd56af613e003223c00db529e
MD5 hash:
6e28e4312834034ee8eb136c928894db
SHA1 hash:
80f22c0c5709abc58e9d004daad796607dc8f22a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/9be7f0c3-83e2-4123-a7ef-ec7f25feed74/
Parent samples :
c79a41202d72d2a6c8d58689ba8096ea126c588bff1f1696efc0eae3fed2986e
43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f
SH256 hash:
4fea32cb0288f98129e4e56cd5e5af2dacdfe6b0c6e7db42a67af6cdbe89f690
MD5 hash:
b708c8bedb00f539edb8d056ba69838b
SHA1 hash:
8f56cea3ab2d87826b7fc3e9deff4d38f0558224
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/9be7f0c3-83e2-4123-a7ef-ec7f25feed74/
Parent samples :
3c7c842eeaf0fc00c5684502e6210910fa4f6c2330d4995db24d7d8cb2e382fc
1e6cc8ee3d2b82fc2b4538d1692a743a4248e62aeecc5f398f12c29a182b45b6
e7c62cef016330c1753267044ff028e2d540daa80d59c2e3281fc157732e088d
a90fbf1c03c8e62d375d1ca724f54cbb8ebaf7f5bf1704b9f169fd8718bf2dec
d20e6f6bbb8729ffb27c7bbe53b2cfb6569d28cca619c3d5150bdf60285e0ea8
ee6678289afba6f7944db28ec1b1790cd60166067a5fe302e65900ef73a34749
aab38ac1e86de919044adeaa2928bab5db15f1c76185b4992975be46e8546d5b
ce4cae330aa5f0e056819902f214848048d24d814c206ac5d54bfb97234999fb
43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f
86db2ca351c5dd8f02b6f7ef6cff4db8580a71539346405e055221d9b2bf06ea
806d3ff15a35a429397395792b17a81a1253621369d1a7729601e77ab502ac5e
d507009c432cc1e5d3bcf5a2f2989b57b46b4dc29fd671a7ba944fa89c2bf4dd
79fd3804e906bde77b899146e6b4374f5dc806541fab41ae2336662f160ffae5
10ac1c308250ede73e6c7b1f1ed46adf0981e594a99b9046f74bce0c21884fc1
5cdeca24aab55d732bac9d577468abdde98fc53072fb046963c94b126e8cdc03
f70a327a32c7e97c3bec0c18df753c7bfa009dabf1a70f1bf2544d80c0385737
e4d022604f556eb393967a7c0f07aaf624e0db727dc78c80aa6f52e9a7ae6dc4
c33b62ebaee1132c3560744fcc28ce5a60f14f91cd9c0c7e098bfd2d4d35ab21
SH256 hash:
0929aed00ea0291b4166a257b40ae2b0af076993d0bfba78fa41e82ad9933399
MD5 hash:
46b7002e9828fe04b958da3a1e9ab7a6
SHA1 hash:
720c30f4661621598b525666eb7b9cd6db3f86ca
Detections:
HealerAVKiller
Create hunting rule
Link:
https://www.unpac.me/results/9be7f0c3-83e2-4123-a7ef-ec7f25feed74/
Parent samples :
c79a41202d72d2a6c8d58689ba8096ea126c588bff1f1696efc0eae3fed2986e
52295749526fdbff59e549e9480b5de8d4b3cde5a5a51722a9d61a7efb0ac05a
43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f
ca3ae8596a43fab969da8cad4cc20a02cfd3ffd65dd2b1a05d2a404e281a9ac2
de69842d0b844c1b7d75ecc08050b9c35ab4c587c4eccef966b82df6c65c6be7
742e7df621fd61cc2634b0e4ffde3976c847fcfdc95348a4dff591eeedb3234d
6c751b88ec0494c0848a7b01904a38a5ccf46bb6901404b178a6d5b51f75b14f
723b82e93dd8feae6b17eb5a7577328b81303fc36fbb557dca29a9233b989486
203554d11cd8d9a8fcad90f71604ed56e55fc587e0f10528e3a711117106e097
df22d21151daa9e2c32fedfaf67ee7b13913f8a650153443dc3d2fbd9d8fa732
38e591ce57ce0e4237c7ae9a3097cbeafaa14800ba43f76e59205e41cbe12f16
e3bfd095dde915136422887e63f1fc3b5bde09f587ca98c9f6a00b06fc6e6256
c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad
8b00e8342d9c518441471b108c7a34bf2b5e3095d588ef085127079a6d82761d
3118bebd18a67e11e2780e62f0256e4be8c67b24f9fc1fbdb5c201cf6860c5af
d906130b9b1841c940b973ca80127f599247f877d31892bfabf4bade8b603c8e
5d805379d8c091cc9aabb17156df24becf5b1e3f15c2bcf5a55c7ef93f8d20e3
2e7bbc0fd717a4f9e31985dede8bfc127a8a21c9656f9b8dc8be02ed93eab93c
1cb72edc0f1a84fb53e7a921c94bc95648ac55675d149a961cbcbffe44e1c304
59808576771e48d1a31b076748d691ae039a856dc43765c73ec362fa754e6415
19c2391800ad2eebcf2d04f271e6e331d88c9f1bcaff62f5b02f1cccf9c4a7ff
06c8c0ee65c80247e4adb9b03dadfbd311de9ea01de5a8a349cc717528b7cd4f
678ace6d8456a0b5c3db92e8873dc01858bd98bc7a08f993db5bc754910e4499
cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598
e899b408f2cb7ba552bc1eabfa6ed858215dbfc2c3974196367ccdcb2a444ecc
7becbd225d65be7dfda500f924bfb9070d068ecf3a34f6ba490fa0e1ba6497f0
e9bc1461c10946308fa4a0fb16f274108d80c351068ca95b5698a5a51d3b6de7
d7e1af2362cb778e3ba97174915da73fcd8fb4df49363fb09267eb28db27e77b
71a35fe403a4e41182eb707e3a7d76821034b494551ee67432afd6e7fa82e864
a387529289f01378ad79a948e7989817510c8d0b5de04921f65d21309ddb8a3c
81d0f5a0e99bc1f96d20b5aa4e8168cc0e50d58af04fa0bf52625a9cf7731fa2
98b544cb9a160813bd7758ca417c4d458625a75f2fcbbc148c6fbd9bd7221cbe
50ee7ab95de8e4a91c87f0b161cd2cdb593f7083645511b2f012a8451e776903
bde590ce8aad046c624f2b8b588d872f905e7f12acf69d49eca7299f60c7b906
a973c5027fe4ab592558a1cbc9e69e4aba9795badd326d29a46c7029e975a16b
e363f52ff771a575a98e3fb0b711c9f54978ebfc9b3a119939a57ca545e67356
ceede3f9fd6591b7ddebd806034806085ad914dbea25723a5e08b11de5589879
e96dd0b309b24dcd980fd017ed7190631541e1c2190a5a428d1ee456d1e18f2f
8b6ae8309efba64783aa15aeb7b5aad7ab4071211139e6e119082840ca06e023
a328a4e8510854022165818038f1b0578aa34f483cd7f65c548f4e2b6d99ccb1
SH256 hash:
43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f
MD5 hash:
6c069b020a1acf1937d0f7e9339aec39
SHA1 hash:
336c32ca3bbe6aab791604338043382a6ceff759
Link:
https://www.unpac.me/results/9be7f0c3-83e2-4123-a7ef-ec7f25feed74/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/43e5fa47a545/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2648486/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/394610/

Comments