MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88
SHA3-384 hash:	cd1e8802c7180badbb9a921e134abe1694e311bb5b43c9e79291341415ef929f94e61727a081686400535f1d1da4dc36
SHA1 hash:	817e5e5f61d2739b029fe4a361645189828b5fe3
MD5 hash:	ff77196ef256f77726b114b414394794
humanhash:	single-south-virginia-purple
File name:	4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'054'720 bytes
First seen:	2023-05-18 13:54:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:gySosGmhm5+OnXqeFsMUF6bHvjysyIR1s5+cDx:nDsGmE55nXNxUF820Rs
TLSH	T155252316FACC8027D4FD1BB154FA03532B363DA09AB0029F75569D964DB29E4B831B3B
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	JaffaCakes118
Tags:	RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88

Verdict:

Malicious activity

Analysis date:

2023-05-18 17:28:33 UTC

Tags:

redline

Link:

https://app.any.run/tasks/38cc1a40-a377-42a2-b355-55429a111e16

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Unauthorized injection to a recently created process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/85365/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/907e213b-ec1a-4879-9c39-5678205fde03

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88/

Threat name:

ByteCode-MSIL.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-05-18 06:47:46 UTC

File Type:

PE (Exe)

Extracted files:

118

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j3tonutstxjgpgxta2jjli5yxqag47uvfuhrqtzkknl5wyhcjoea._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:dream discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230518-q78r4sbh79/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Malware Config

C2 Extraction:

77.91.68.253:4138

Unpacked files

SH256 hash:

3c99b915e5ed4d7c5036edc01dd92403a7cc229814fc640543ab82d4882f38df

MD5 hash:

3b6e7b2b695b67b8fdb01818cd22f3ff

SHA1 hash:

f2393c504b07533c38c8964d5dcb0692b7000650

Link:

https://www.unpac.me/results/a1496d7f-c033-4785-a57d-96703dc81474/

SH256 hash:

d7be22a0204cc3dae01691295543956d70ca8b4593393f62bad5395407488639

MD5 hash:

a8a86517204ff54de3ef7b0343b6e992

SHA1 hash:

efabb8de40fd13410dadfba205fe12b5e5e0800a

Detections:

redline

Link:

https://www.unpac.me/results/a1496d7f-c033-4785-a57d-96703dc81474/

Parent samples :

6874579083866491914f0d0abeb7aa41f89984b23eba45d7e3d4c6b541d1590c
e62f15e2d2c2703aede889f62a0185f1c3293d91b394cdd814bcb3fc11ffd0ef
901bef1389535d2a88cca1e4786667bdd4f1b3f2ee57a8319fc79e3ffd81c291
59020905e7bc86aafc3ee35ab09b9bd2274db025cc1496ce60849bf68c4dfc91
79069213cd560829256de065e5bde668b2b09df0462eacaa9c58cbcd43803bb6
f01e4e13ab7d2e115099c3e3ae1dbf5f211bd17c6afd20db84bbdf18866224d6
6b4037a48d116b95097079a9abe02e5ef2dfad10eb1b6d6e3ab1fb8d056fe119
6975da6b09ba946b5ff4fad98eddb1b3ac61cc6290a6cd1849a84fde7eb95687
582922fd4434763473a1e8e5327c9d8f5650ad6f142aa39acacd2ee580e45684
96c0720b5a196a65f3ffa56bb6ae827241f410c0b051f784014e3ec554b05a01
0c4f1f1cc2ef5d0588330c31f21b5f0b5be5e78b3550d0031083ee22f18d51b7
e779ae0bb123600cdf943f6d68902efbc657e52a18d2049aa970eedbe3d459de
e1232c7a472043dae0e1ed2d5c6ffefd218f7e0e2b02b774a0f2fd7b9b6fc397
488f47913ebc1a517ff7e667457e109f85013665e7410e704468cfddf8f957f1
027e637e5002680c93e3e06b6aa052ab9615b09ca109ca978a30d680463bfaa1
12497aaf8b60780593cbaf2ce31bc6af26dfb71879aa41ad91fc6a7de4863584
15c0b7692e6816d0eee98cfb1e47d26c43ee3773478972bf00b9dc539caee3f7
1b3e72fc4627178d84a0d6fda53ea20ba7dc5ed1d04db282709e864bcbe502f3
2301a101d76ee2c1692ea788f4bee0d5904b1a869f4b28a9b4f53d9451991146
2a69af708cda37f77096756690a5249b4a64fb67f43c2bf3e6e5a2d8bd8b19e6
2cf5fbedccd0b6778bea65b3e86f83bd69bf9387ccdbe7ca06ea49f544413b7d
379025fd7a8792612d77977b9009ff47d7e0931bcae558f45e2eff07b6290015
3f41f04a9de43e495da231f0680fa14e736499f9256a2db57a2d6ff59d3551e8
417b380175bbfc3563297c45a26d14107ecd863606673b9f8b620a28c3beff84
42da8606faa8969db395c1e0ac6e84edde19e4c41d1e7bf36bf4e7479446518b
4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88
64772f2a439ab590be6915af4a26d084e17c3cc171806890a1d0c9e72178dd68
66cba3ded9ec39d9c1d1941388c78a8d4ed8fdcb12da5dcc2329f759bca154c3
694de2387416a117585d2f532595b99fdf63ec22e8581b0be74bee1e28bb1bca
6997523146cd7b528c63d5957d40402be15fe7759f7f6fea5ab559ceab1605c9
69cf5244fae9086a4da934107cbeaed93618408b20b3ac456c8407072d7db6df
6ff6304475351b27a30175798eda50187b6e5a71a3b3bf5c40fb341af2047f98
76935baedca16a33a2b049c8e72e1db2de5f7cd9de4126f35636bf1e7755118b
7d2ca14a698c1af1c81bdc2cef46583e869eb6e022f90e23a738d0042baa7f64
7dba885452b86f5d61b0666d366e21046613d914e5006a4e73ec6d9d71487e0e
80f35144988b230ea1c07b91d56b20329a34aab1d98b80d2bb425e58fcf94ef7
84497835c6c6c3e3f33958ba841e7fc2c1a03b1380873189e719e9699bfb4551
84656341abca1a255b71fba3415b830cae85a814b546f5b2d103216711813d1f
879b05437b8aaa02a1608ee7c070905714df31e4d2a17067be0371dcc86c6e5b
8969ab290f6afdd03a4bc78d82548b878f4f352c37a2f93cd255145c6621c110
89ee7b2e8e3fcd2968f29612f43a166cfafd2c1a15f5925f493531b4617eebd0
8c1f2a62eb7fb91124fd4f149529562b1259d9603f5e3b2e9f149447a302b186
a09f454432091d94acc1b023b9dcad9263256721f7ec197491fc264dc6f3c5c4
aa92073e04f7a4f4214b55a5e86cfbaf7c828cf52634bc655300d956c742a064
ac4160020cddb3c20f349f3ac3fe2ba8e43c933a894a46bd091ca97506786230
adcf10d6f25a16acdde6c6936c580355d2f4176a8c36ad077d036e2c462955da
b23b54788c4d54968b920121ef5e6a88cb502dd95ad34749920dc9def4879f06
b7999a0c803b356aa65cf4050360a95cda60a05ba2eae04771a9c633eb836e3b
c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29
d96696ec0d30216eb16dfeac15215c25baea61044e45b76b5ee3347501950350
da866012d0f638dcd44de30eac7fe7cb62fcb121cbc1adbe23b9d426ff364541
dc8a58d1b646cf1498952d53b950e4e44af2cd448a41ee9f42f1d64036739cf9
e0eca07aea1f524cb3db5c39b062bfed640da3a6baf528ce423857f558ce1ef1
e4d14984da7282c7822a4522daa79894c4247bb1b57131ff177bbd2b3cfddba0
ed7bbaa4419792f6bbca87431665b52eb18e888ab11b2c9121dc36051d7d5e85
f2ee05062e086c891664d55b30f823230d8c5e60e748279c1dea29840926de65
f6c1258653cf5108b1b26073a4fea9717c8e54d4a77958ac2c322fed4d8a0545
fa58852087c17d55009b5ffa5f9da7e6aa3c9ca0a718f3b0bb96f65d912aeafc
6feb4c24a3b46245e6b4df19e587d0b04323466cfcc7ddd7d5e75272f1ee918f

SH256 hash:

2cc94c247c7223109c0d4949a75c1119911ea16282e90340bc1b53c5eb859bc2

MD5 hash:

e4669f26748c85edc6218aca883f515a

SHA1 hash:

608d6ecadda7248347ab72836ac982bcba0e52df

Link:

https://www.unpac.me/results/a1496d7f-c033-4785-a57d-96703dc81474/

SH256 hash:

4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88

MD5 hash:

ff77196ef256f77726b114b414394794

SHA1 hash:

817e5e5f61d2739b029fe4a361645189828b5fe3

Link:

https://www.unpac.me/results/a1496d7f-c033-4785-a57d-96703dc81474/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4ee6e6d2729d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Malware Config

Unpacked files

File information

Comments

Login required