MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44bdbdadb0220a4b88fe183c8e62dc93efeff157036dedfae7ca5aca487d15ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: 44bdbdadb0220a4b88fe183c8e62dc93efeff157036dedfae7ca5aca487d15ce
SHA3-384 hash: d5b3ceeb7627950026d7f0911d5dd8c55af4e3298bbf02eeb344b2f700467727cdbdeb8e71d6c750e92e775a8eafa146
SHA1 hash: 10af94b80f702e3dba6dff38136ce68cfc2e5f64
MD5 hash: a0e2271f268bb048f62c403b3693341b
humanhash: edward-washington-three-georgia
File name: debugger.exe
Signature: RedLineStealer
File size: 1'055'232 bytes
First seen: 2023-05-20 11:05:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 24576:RyGWx/pkWxnWgmINbXzkmqDVtDl8Tbgt1um3o:EGkNxWwNbXziDVtKTW193
Threatray: 3'080 similar samples on MalwareBazaar
TLSH: T13D25231787E88032E8F8273078F652D31A367D726839867B7796E59E0C736C15C7236A
TrID:
  70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: Neiki
Tags: RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 81
Origin country: DE

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: debugger.exe
Verdict: Malicious activity
Analysis date: 2023-05-20 11:08:46 UTC
Tags: redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: advpack.dll anti-vm CAB greyware installer lolbin packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 870955; sample: debugger.exe; start date: 20/05/2023; architecture: WINDOWS; score: 100)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
Processes started at top level: debugger.exe; rundll32.exe; rundll32.exe; rundll32.exe
debugger.exe
  dropped: C:\Users\user\AppData\Local\...\x9601810.exe (PE32); C:\Users\user\AppData\Local\...\i4444447.exe (PE32)
  started: x9601810.exe
x9601810.exe
  dropped: C:\Users\user\AppData\Local\...\x6659690.exe (PE32); C:\Users\user\AppData\Local\...\h6403374.exe (PE32)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  started: x6659690.exe
x6659690.exe
  dropped: C:\Users\user\AppData\Local\...\g9240262.exe (PE32); C:\Users\user\AppData\Local\...\f1549430.exe (PE32)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  started: f1549430.exe
f1549430.exe
  network: 77.91.68.253 (ports 19065, 49682, 49683), FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
Threat name: ByteCode-MSIL.Trojan.RedLineStealer
Status: Malicious
First seen: 2023-05-20 08:21:39 UTC
File Type: PE (Exe)
Extracted files: 118
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:deren infostealer persistence
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction: 77.91.68.253:19065

Unpacked files
SHA256 hash: c42c4181c3e5986338fe83304afa62bc3532e56b614e999aa28b65447316fe6f
MD5 hash: 21ed125865cd7bd672e835466b1551da
SHA1 hash: d642b7dac17e3210b3a34bbf8fd9282bf9c580fe
Detections: redline

Parent samples:
SHA256 hash: b96944b16322b08d51dcb4a0ee9ef282cbdce1064ce4884be552f7b7eb00461b
MD5 hash: b9d9b454e1dcc4c3421d7c3d0d249fa5
SHA1 hash: 6919e322dc6c11cefcf0c22491216ac7c25c6faf
SHA256 hash: 92535238a559c755e6194b4fe0aa68eb05d3d8867d586d4c877d3a866299d1cc
MD5 hash: f497bb53b19eb94bfa6e16074e55ecf2
SHA1 hash: 207378e256749834da3eaec365c10fe67464fd68
SHA256 hash: 44bdbdadb0220a4b88fe183c8e62dc93efeff157036dedfae7ca5aca487d15ce
MD5 hash: a0e2271f268bb048f62c403b3693341b
SHA1 hash: 10af94b80f702e3dba6dff38136ce68cfc2e5f64
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments