MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56955836c8cb4048312c9aff29dd845e6a45df99741f1c6b946a23bf9439ca71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56955836c8cb4048312c9aff29dd845e6a45df99741f1c6b946a23bf9439ca71
SHA3-384 hash: 46f6c5835f80d69fc4c43902863885e5bfb99f0920bd1a5ec473759613019aca1c4a648d5d27dcfaeddaaf12b1e2b344
SHA1 hash: 456695d1339d707a7a70defda03128f0bbbcf86b
MD5 hash: d9cc85558d134e556b76368bf54aef06
humanhash: oranges-green-lake-lactose
File name:d9cc85558d134e556b76368bf54aef06.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:748'032 bytes
First seen:2023-08-15 12:52:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:bMrYy906BmV8tP63yZbgK1DKWxtA9b0Kh4K7ne7VeNKRbOX1p79P7H/JdRAyR5dk:PyvEV6kQgK1GWxNMe7VuKROXRuyR5O
Threatray 2'450 similar samples on MalwareBazaar
TLSH T12DF41255DAD90437EEF41B70A8FB07830234BCE1157883AB3295AD5A5C33E94A97233B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d9cc85558d134e556b76368bf54aef06.exe
Verdict:
Malicious activity
Analysis date:
2023-08-15 13:01:35 UTC
Tags:
stealer redline amadey trojan stealc opendir loader
Link:
https://app.any.run/tasks/09d9dd01-a22e-45e9-9b2c-ef1ac0e0d01a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442834/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Launching a service
Launching a process
Launching cmd.exe command interpreter
Connecting to a non-recommended domain
Sending an HTTP POST request
Adding an access-denied ACE
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Disabling the operating system update service
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102889/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Gathering data
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/56955836c8cb4048312c9aff29dd845e6a45df99741f1c6b946a23bf9439ca71
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8d4e295-3022-46a5-85cd-71da72eb09de
Result
Threat name:
Amadey, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291456
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1291456 Sample: SgqwncMTIC.exe Startdate: 15/08/2023 Architecture: WINDOWS Score: 100 167 Snort IDS alert for network traffic 2->167 169 Multi AV Scanner detection for domain / URL 2->169 171 Found malware configuration 2->171 173 17 other signatures 2->173 14 SgqwncMTIC.exe 1 4 2->14         started        17 rundll32.exe 2->17         started        19 saves.exe 2->19         started        21 saves.exe 2->21         started        process3 file4 113 C:\Users\user\AppData\Local\...\x8246657.exe, PE32 14->113 dropped 115 C:\Users\user\AppData\Local\...\k3944067.exe, PE32+ 14->115 dropped 23 x8246657.exe 1 4 14->23         started        27 rundll32.exe 17->27         started        process5 file6 103 C:\Users\user\AppData\Local\...\x9143150.exe, PE32 23->103 dropped 105 C:\Users\user\AppData\Local\...\j9217687.exe, PE32 23->105 dropped 195 Antivirus detection for dropped file 23->195 197 Multi AV Scanner detection for dropped file 23->197 199 Machine Learning detection for dropped file 23->199 29 x9143150.exe 1 4 23->29         started        signatures7 process8 file9 109 C:\Users\user\AppData\Local\...\x3774210.exe, PE32 29->109 dropped 111 C:\Users\user\AppData\Local\...\i6264140.exe, PE32 29->111 dropped 213 Antivirus detection for dropped file 29->213 215 Multi AV Scanner detection for dropped file 29->215 217 Machine Learning detection for dropped file 29->217 33 x3774210.exe 1 4 29->33         started        37 i6264140.exe 29->37         started        signatures10 process11 dnsIp12 89 C:\Users\user\AppData\Local\...\h1089102.exe, PE32 33->89 dropped 91 C:\Users\user\AppData\Local\...\g7552494.exe, PE32 33->91 dropped 175 Antivirus detection for dropped file 33->175 177 Multi AV Scanner detection for dropped file 33->177 179 Machine Learning detection for dropped file 33->179 40 g7552494.exe 3 33->40         started        44 h1089102.exe 8 1 33->44         started        147 77.91.124.54, 19071, 49811, 49823 ECOTEL-ASRU Russian Federation 37->147 181 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->181 183 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 37->183 185 Tries to harvest and steal browser information (history, passwords, etc) 37->185 file13 signatures14 process15 file16 107 C:\Users\user\AppData\Local\...\saves.exe, PE32 40->107 dropped 201 Multi AV Scanner detection for dropped file 40->201 203 Machine Learning detection for dropped file 40->203 205 Contains functionality to inject code into remote processes 40->205 46 saves.exe 4 29 40->46         started        207 Antivirus detection for dropped file 44->207 209 Disable Windows Defender notifications (registry) 44->209 211 Disable Windows Defender real time protection (registry) 44->211 signatures17 process18 dnsIp19 153 77.91.68.1, 49761, 49763, 49765 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 46->153 155 77.91.68.18, 49759, 49760, 49762 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 46->155 157 77.91.68.3, 49768, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 46->157 139 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 46->139 dropped 141 C:\Users\user\AppData\Local\...\kaman.exe, PE32 46->141 dropped 143 C:\Users\user\AppData\Local\Temp\...\du.exe, PE32 46->143 dropped 145 7 other malicious files 46->145 dropped 159 Multi AV Scanner detection for dropped file 46->159 161 Creates an undocumented autostart registry key 46->161 163 Creates multiple autostart registry keys 46->163 165 Uses schtasks.exe or at.exe to add and modify task schedules 46->165 51 du.exe 46->51         started        54 foto4060.exe 1 4 46->54         started        57 fotod360.exe 46->57         started        59 4 other processes 46->59 file20 signatures21 process22 file23 187 Antivirus detection for dropped file 51->187 189 Multi AV Scanner detection for dropped file 51->189 191 Machine Learning detection for dropped file 51->191 193 4 other signatures 51->193 61 explorer.exe 51->61 injected 93 C:\Users\user\AppData\Local\...\x9280282.exe, PE32 54->93 dropped 95 C:\Users\user\AppData\Local\...\k5656482.exe, PE32+ 54->95 dropped 66 x9280282.exe 54->66         started        97 C:\Users\user\AppData\Local\...\y7943370.exe, PE32 57->97 dropped 99 C:\Users\user\AppData\Local\...\p8699544.exe, PE32+ 57->99 dropped 68 y7943370.exe 57->68         started        101 C:\Users\user\AppData\Local\Temp\rMuT1.cpl, PE32 59->101 dropped 70 control.exe 59->70         started        72 conhost.exe 59->72         started        74 conhost.exe 59->74         started        76 6 other processes 59->76 signatures24 process25 dnsIp26 151 77.91.68.29, 49959, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 61->151 117 C:\Users\user\AppData\Roaming\cvuuueu, PE32 61->117 dropped 119 C:\Users\user\AppData\Local\Temp\40D3.exe, PE32 61->119 dropped 121 C:\Users\user\AppData\Local\Temp\370E.exe, PE32 61->121 dropped 219 System process connects to network (likely due to code injection or exploit) 61->219 221 Benign windows process drops PE files 61->221 223 Hides that the sample has been downloaded from the Internet (zone.identifier) 61->223 123 C:\Users\user\AppData\Local\...\x5261554.exe, PE32 66->123 dropped 125 C:\Users\user\AppData\Local\...\i9656161.exe, PE32 66->125 dropped 225 Antivirus detection for dropped file 66->225 227 Machine Learning detection for dropped file 66->227 78 x5261554.exe 66->78         started        127 C:\Users\user\AppData\Local\...\y8092322.exe, PE32 68->127 dropped 129 C:\Users\user\AppData\Local\...\o9856971.exe, PE32 68->129 dropped 82 y8092322.exe 68->82         started        84 rundll32.exe 70->84         started        file27 signatures28 process29 file30 131 C:\Users\user\AppData\Local\...\h4069076.exe, PE32 78->131 dropped 133 C:\Users\user\AppData\Local\...\g9964733.exe, PE32 78->133 dropped 229 Antivirus detection for dropped file 78->229 86 g9964733.exe 78->86         started        135 C:\Users\user\AppData\Local\...\y5223552.exe, PE32 82->135 dropped 137 C:\Users\user\AppData\Local\...\n4951915.exe, PE32 82->137 dropped signatures31 process32 dnsIp33 149 193.233.254.61, 49766, 49864, 49920 FREE-NET-ASFREEnetEU Russian Federation 86->149
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56955836c8cb4048312c9aff29dd845e6a45df99741f1c6b946a23bf9439ca71/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-08-14 18:00:39 UTC
File Type:
PE (Exe)
Extracted files:
155
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2kvqnwiznaeqmjmtl7stxmelzvelx4zoqpry24unir37fbzzjyq._file
Verdict:
malicious
Similar samples:
01437ec4da869262d500bf1d0889a1f7397bd5373374a6e82b8c89130cd0e240
RedLineStealer
20186f72de2f0571d762d6d253dc9d3193ceb8cd93a806c16383de02d08317e6
RedLineStealer
452f8a80f631d6cefac1a61e6a631540f257825432c2135b74fafcf3d8bd299c
RedLineStealer
6bae2b9a7aebdde484309dcbd6ae0d5d71a2403184d58b7ebf7112d7eed83ef7
RedLineStealer
c6687cf86289be29bdf0c28b729c952b8305ae7fae44501dc2eec83b5340aab2
RedLineStealer
cae5f39a29434b4ef28e43df63d0c89612581432ff9bf1f51fde4f1691071261
RedLineStealer
e71433ff6592e96e9182e19a58d2a521e55642f35483023df01cd6b89e3a4214
RedLineStealer
ea8929f0ad36abb8af8d27ad2dd381cc36c1c07a3a4ab35a306146c91203f682
RedLineStealer
eabe37f98d7df43c579020482a2c6ade8f8c65b0fa6bdb90e2a863a70498d656
RedLineStealer
f6b5984b1960124a91cbb2bc5c6d7fa28c92d63e66edbcf0d605800ebe9df6a5
RedLineStealer
+ 2'440 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:healer family:redline botnet:regta dropper evasion infostealer persistence trojan
Link:
https://tria.ge/reports/230815-p4mj2aah34/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Windows security modification
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
77.91.68.18/nice/index.php
3.87/nice/index.php
77.91.124.54:19071
Unpacked files
SH256 hash:
94a496f6717f61594892021d41970e82fbcf17126e9e350650ca272306d8c83e
MD5 hash:
a52d8484afa85d13cdc16f99ec9f08f1
SHA1 hash:
452ba039df88c543b7ba03bde5298cd08f8a6ec6
Link:
https://www.unpac.me/results/049d03d2-73c2-4859-91ee-7c6ff32a8542/
SH256 hash:
5253d255bc704d11b4ac3e4c7272b1145c82937bcaa902088750ff13e5b0c3a2
MD5 hash:
cfcfee2710f7ce82c995a03edc66b979
SHA1 hash:
5fe1862363b1cd6e0be4e7eb757f104554bd40ae
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/049d03d2-73c2-4859-91ee-7c6ff32a8542/
Parent samples :
c6687cf86289be29bdf0c28b729c952b8305ae7fae44501dc2eec83b5340aab2
e71433ff6592e96e9182e19a58d2a521e55642f35483023df01cd6b89e3a4214
5cbf8eef93e4fb2f74fd28e9cfbf31e9b719b27e53d305d02bbb15c92cc774e9
452f8a80f631d6cefac1a61e6a631540f257825432c2135b74fafcf3d8bd299c
dada1745b9f6b74b38d3283e7ff9e5b86057e1ae53d1ea80d44ae2e24f55a386
f6b5984b1960124a91cbb2bc5c6d7fa28c92d63e66edbcf0d605800ebe9df6a5
7b8897660f34caac9a556a0a3071e7e268cd1229fde3977ffd5d47ed4f91a627
8a9981df9869042488f2940d31e4927d4c1e3483363eaa3c4eed35a8f8fc54dd
c8412f49cbe82d10e22d888f8626dd2c43d5e98c20524530aa6d45e09f74bfb7
9eafb7111c4e8777127bbd0cb884b9e0cc80efdbab663e31d390043c8d0c2c68
783eb782e95c55f80d6e355a05f97364708ff31b908d764d953a1c69cb9a3c45
632ce516ac99df30f7c09d70c070c45b7d82fbee77aa59a118fb9f0dec0f1221
b80bf3a20f884450d50c51208ea13bd20b47e3b8dc6f0d988dde0efea773f409
1fba98b98271a2382191aa4e48d7a668acbcf165176322916453d87101fa0c3a
ef3a4dc041071d0f0ddd2a000a993d43afa44162445dda4a3462eddd33b44da3
90874786ba35c410b06275c4c7d70c20fbbfcf8c73351bc22c2265aac4736045
ddcaa2edd53d06020a19bb40fd6e0ec001c0de100817834f6a66e64e37c7568b
1ee58c19b2b34e6be97b748f752057fedba196a9a7807938f28628ff96f0a618
6431634cc590e7b85bb0ea74d6de23a5ca98ab968808250fcd56d729b2de3391
bbddc31b1781832d094a913745fc2eead35eeb8a21add5814f61db70e5083667
a69bb669fe29c2f1e4d1fe359be72c14dd706d9b8b104fad238ecfd520f857f8
cb71cd598de6347d1203f5a2c1cefcc11d7c512476369265f364a114ad676711
ef988eb35edf3fface9432252f324a4bd2fe092c8db8cdd3dd683268f5a1e729
46ee904d8039794ac5164193eeeb3323beb68f7427cf178785862887f86d736b
2cc2e7c27818a21bbcd41a56b34fd232a51f4e160aa0d52f1a92b4cd5111be26
99d50ce969ce4e922d0e00907d51b150fdb9862bef4b8cc9f6212dafbe2b58f9
a2fdf432888f1a636d7e03510d52200e7a1203686464e9618f1c2b7a6593623b
7513bc9ba9b31a826ff140ea1c2bd3c9beb2dc321da0e3624dd42c27d8187379
335e379d5bd7d6d0806496fb22e6ac26175cd18db545b9787aa103e600fbaf42
1a8c2cf38916fc9d2c6888df45086df7ac15f1a73cf42e2d6a444e1beb0b74a2
abe54beed630eb9ae07bd299461a9c649cb3f73188ed5e790cd860a49f72b4ee
2d06c9868ec253ad3e2e8c379c1377fcac611f09150ac07569e272a5f4c8c26f
7804df2b47fe28a9801028d960548cdb9dca7fba588b60a5f5a74386234e8a12
142638c122d716a64e31a3ab55b215e7bf3a13ea454e266b9704d0ce4c724e97
1189d1311ab79674dee87d2422f6317ac3571bb30e465efbd1db4565c3f79772
d68e4588b01722a3841147bd9ea89fb56c9e022ac2a1d25341d5dcaf214873f0
1e4adb7323febda74ddc0a06d2e18ebfd241fce73ee859ad6f400e1260885aa7
f6c3252e9bc9bf67fc42d254e794391a02b8d0b645c70018a40e85defe19cc53
d126d510d5c177c4ac453fa21d574446320fe00d8cdb1ae23db37f92645398ce
8c84bb79c9b22daaac95f8a39eb46c58ff95bc7dfb92594b173ac429ffe00aee
34ae0fb3c76d1051dc2d70733e3d317ec1a995b318060d05a26571e207e5c1d2
7dfc00c107c0896da7f2b6cccd7493d7d1f0b760f32983c71219ae736e2b36d5
95d565bb86a4ed3ca5de3c574bc0a61e0c85b9e923a0d8374a59cce9270e1bd6
648a24a4513a5923536c5993a9289458a372e73b2f75709059d0123f1ceb8198
792c5a14383c93288737cb8ae096aa1b14d669c296338c1999fafe738eafae65
6a7ba277617d5223e7ff3cf394d5ffaa9ff3d7dda3ff854cd894f79780871c46
56955836c8cb4048312c9aff29dd845e6a45df99741f1c6b946a23bf9439ca71
8526201eb7f5542dca86b8e300a00e11e4c99fece846ddab438af50304e4e649
734363b47338061008a1e7825e7226ad7069047181fa09eace44b437fdcf1ccb
d5485e185b4663753bf65b8b1e31a292b6fd569feacd6cd7053c80a1f66cd92b
91ce003e2891e0c52aaa51a18626b570c3eeab59790e33219f66b22aa71372a5
0b9d7b6d0c4d970b20ddb4a48696098c628acaeb6bd502a9d2ec0a4123a80144
c35d875ea4abc7e2d3a2858413ee1add9e7328879450e5cd71eadaf57274298f
8542ed680f596fdecef71eeab1b0ac058e5a7683fe92f540df536ba165356243
bc7bcda6a6b8361aded606418f33e8c40a660635003afb92b9a49f355f3843d7
28b764b4ca9f71ff78a489976ea9c932a62637ed1b804f952dfe1d983af072f1
33ea9c83fa78c7902708f73a99c21bae8fa29f8fcdc0ef7b80f7c2412a2a381d
ea3710a55c4cde3cb50754c50c10d7e10f10ff3c6f23d02e314bec75bd39e0b9
3873b278ea97db1505e1c4361249932cb564419f7470908c796edf2fa802d9ed
8d1f4f22d170d4e5d650dd9419c7e132f2eca0ad8be1f6f5245be7c784459eb8
dc36d236b0cd06bb2c434e3f0c26c9cd28d5eeacf0b628c64a3b5619e04aaae5
d3e90fc7809f3158eb140359e68b4ae7b42e79dc2587fde781834e8fccdf2dd4
6715a9c1cba4b5cf2bfadf2727d12a42972676b879bbd4b8c083e1ed70e1e13c
5095fe48af76e4c5277ecdaba3ff1398cde238bba34cfda3dbd4938293704e4f
db5f51b54427a60c74a90f227023de17bbed8bf2346b660ad205deff6ff46084
4d9f42aaba9bf5fd0e76ba66a5631ad38854db2345752a7f814eaadabfc59fe1
8d81194dbb3cf8182cec8de0f3f7d3a652810c1b42340934668b1d50a6257a3d
bd094b4e1f177739a07aa7cff4f8a725a84722edab632cd9b9c96aebe99634b3
af99d83af8ae41fd85402683369d61728d8bcb43d1044eb13583b02f107c7352
511dc622ac89d315a7fc8ceb415c301e78b40e224930bc4b944446c153dec119
2f585b8e45d9bda9766146061c3591aba5009942a83cf657c61e393e22656885
e6b839b34e53364803297851665fc38c33601222498b873eddcbb88832d75c54
5c0501d7eed6a65ff666c5b83683189de2036e0b9ae1faef802075352582a702
801d10a862b8a0a2b425589af8de24a55271d4c0aa28927932993927e2cfc58c
9629e332197351fb74e30f443ea185eded5b91f0a5aa4950a2f45e7329848de3
0c62762676659013d36805ba179c3ed84d999b502e66bb313e37dee5d13ec65f
52ca25f716f9ababb913425f71566b83757a486c716c62515802de2c003d5e85
3a7eef62095145f6d36318bf6822f235f4d901af7b1d1bc792a6ccb02138baf8
6038649f4827e624afc2701c4f4bddd54513ead2bcee54fb37f6bd8ce85ccc22
05795168f1101d23a3221cc5974ba1e505e0592f6884d47d0e83914a7c9d2522
4dfe98ddc170b840c7adec0a75f26c82ff6a4721b07d0c9eca258cc9ae14851b
54e61680dd56e5d59666c5b507b988b14ae03f4ecdb945343971f3f481564a34
0d1a72aa53a28f4f408c2eac59ccce58d3f9d8e22d57a351b981aab49c23e077
12da01e0dd4183f27ac316d4e8889a249df778610dc574fd624e68e287693146
91697dd3b1a3f2aadb6d39040426552d64e94673b44f479b23916892004da8af
83a6e817501b035c4d46ab98af2a5c4403f082a02a0a4c80068feb580d2c3a24
0544dfdf17d7b8fdea45f69e34e0fc06ae651d00311005e7565ca9221a3270eb
9ec3595393fd637f8b10f63edb28b5e3b745f3be24b84fa4101f222da85ddb8f
de9e7ac8ecb0658998b36df6a2c2ad2a5cd20cf047990e28b28c67a9c964d77b
86323a80511c7c3cfcb6525592366efe03866cc196101d58d2157ea1bcdaf6aa
5fa3a45d39a16a617d2c0b7658e7ca53ad73294ace5d7f293518ad3d54049377
9a1041ee840a569488aa3aa05ed422bfdb293811a30a9bf950188c355c7d3a4f
04d64ae10c0b908413d5249cbab7e5ac255085a6e45b8fe16d3f6bc9cfddb2e6
e004a8f20ec23a53c6af9623d3d681aee4648312ba26c516b555a62109f0ef35
a647409c07ea6ea0636b4e5eac9253e7b86b1580da0ed14bc86734f12ab58b2c
c09af2c1cef1f819c0da5a4d4524b3ef166aaf1b5528081eda8464bfdb9e2a99
ec6e08c281ff76c4b4116bf5dda6d7c5e7b83e98a82560c4c36938937556e46e
e5f5dd1351fc046439bb7d556519711007fcef1ed039653d6f5b22f60053449e
0675eb851affce4c46771381494aae43c5dcaf4e6a4da171d003d04d1af1cd0f
a34fc3155fa14a46756b68477949b2653663604648c2d1f27833194cd498047f
8cda420ecd4677794d938f0f9f16eee8c7c3960ac8fb125d70f025e590ed137d
84d2e41a62f6c710bae88b5751a40f4642e6525949bc614fcaf1233f8f85912c
2e39b3498486b4438f31db90875f8ae884d2ec996b9ca08a4505f9f09c5a28aa
fdd7679fe1646099a29b5a1684b0ff3782ae80e828473af7bcd83b4beb573bad
f64aab996d106f87fb99df98f31a63f7598681ba1bb13e46868ae3238802650c
57b1f1964c73f00d136711c129347288a7cfb1e7cd61ff4f29095eac718fbdf0
92334114bd06e338628d83ea777f0ef3a1e8ac68e6791289e7b468e05c6ccba8
3a90ba33dfb384f2e4f5f3bba25643bda5743ebbc0c767e45892bc55926fa107
b192059ce3958b9b7437bd659e646091de3d8d155a8f8c469463f6acc97b578c
dcd6c2caae4d8b3ad7f0499be47858348829d9c4323542053f932e555f0373bb
3ed7b76a458193d9702307553f24f7aa68e005e0db4dd1afac4b07833eec277a
99234f3044fe808dbc939e4e0df4198d7aba7a589054dec06df6391dea6a4c09
da7fb30bf785c8c9473edbb5fa728b17edd715215e5cffe9bf3230c2cce93a74
b264b9fc19407a37fc1e4095263ffa25c71a25e7c9aaee276e2050b6698d750f
7fdb94e4e8ac2e1d6b0fae70e63a78bab3c86ab66725d74bcdcc6ea4d35c406d
f1304ac59c31cc15ccedcb57a14ee7e98c09b424f2473845031a2da55f64a7c5
945084dbe654f4950d321344ff1084d836889070657c2ba123f751211eb897f5
0831953010fe0abafbfb2500fff8db6a9d0f9d18908e6690371c611c43995b3a
a38509141c482dd5c93c8b6fd3b3bbb467ba4f4a45511e9a3408f4c638493faa
a280890ce5b841957f5a590584aa29b41e7bfa629ee14c048301dc2f855b9d2d
b65826cfd7087c8ad51e5bff5f5e2bb371d9be06e4a48ae5d9b60b874781ace3
f3506d56b8c342ef31c2e886c66794b6dd952a6fa632e86e4d0fc1f10cc21e06
64a0da701afcf800a58c0bbc86d01d0f1079cdf9e936c27545f69e818ae5efba
a8d4826c1da6642df5afe2544e7a101e4fedfe15f89b136785fdaf66e61d9315
20a4e6d5390960e2757af27bd2baa194641f7be7092fab9f05cdcca254a05cbe
61e69a8bb5904c8d9d6f2d50f00a7255485c392d1f4b59d428a441d06a1642d7
5a92810316d0786bf3ec1896d3a1fcac04a9fac71aeddc063f24ea085dab8549
49eef199e58bf8a60267d58ece816e6d9d162b184dea2ebb2172c22068738098
0243201e709bb9b159bd6f89e83debb1eee7d395cab746813bb42ec72190bc75
73535d4d992bf86b98d83cd5811fad723fdead2fc12c0dd8e2c35f3741fd8f6d
94875390ebd3276de89cd5acf96a043f39c3d449ddd13d750b5294ee6a271c0a
fc7472626bdaa92b539a22f97642f03225bbc54cfebdcc8ea75c5eae0112d3f6
2da24f5ed9daf55fd224ab5d7aaf370ccbfd98079884a0128d8780f7eb0ae2ce
58ecf56c80a70f00166fefa3873c5e3434dc213a73cb03e3e3f17f584903fb32
0d8e64c713c628063cbe4f20a1a6b89f02badd694f5f3da1ffd1c362ca147f0b
fbf8eaa5dad65e0a820d544cdddb3dccf992c52cf3d692b381b69243ecf8775a
480e3c699ae3ab49153fb15399b4611acb6ee86241acaba2fdf9d998d81951a5
6f6f9e5a991267cb340fd49fd23dd4fa1e361af186b9a3ce55a15c4c9f227434
752a338a2f7230efdb447ffb0c711aa39b9c824b6e7ee0e232633b923abaadaf
8ae0d54a44c038c8d5dc60276258eed4ebf397cae66bb27d9e043ab64be54e06
247982ea06f9bf1d810a0215b35831c0785b8538fb21341f5d9c318069b0625f
61af867d68aacfa7f83ed71910e161fbe5ad24578a614c3356228f3e5e9ad2b0
c02fdb887fe88dc7a359fdaf9f6fc42e14786da051e3c28e0a8abc9f9d590f5f
a557c6c107b6bc572e4809b2f9e673566da0e7fbcb2419f69ef0836d7f711454
3979a6680315c384e2ef7563a0528678e8640fa96bb435279613bb3866f1788d
35ca784235e315d879cd680645e2dcd75705fdbcbcce6b05d97a70f4b5b1b90d
309e26b0de74d73a4513f6cd9bbda07d168129591a27e1472474b8695186f22c
a8a932d2c475bbcda7bb5939b9c7a22831fc45a4353add6b6bd7548eae8b9e5d
b8b37dc42c4458a81d11225c29472192b3bf6f2e14ab1bd4d5e37b0e58bd97eb
508cda537724777cb3c026b3f05867e5a9c951740b3721e51fde2eacbaa1e754
a8cd534bc310d41758ca3b8cb7a0ad2c45bea7ed6f8367c5869aafac84a0831a
25e2d7bc4a2acd35f041fc32ac79a3b916677da53dbcd4cdb248cbff853fdd9a
aa4d4d1de666870d49ff542b95d935dea9beec8e88163b96a30e549a98365369
45422c62ce77e250d432d0a7804063682913948e39871b21fe55178fcf849b56
4cf9878e6f4e556a288b165dee9f11adcc596e0c2514be7881b592f533daefeb
d6cd765d1dae29b953e769cdd9af44838d97b541e5e2aeb0d58f22e4d6935a5b
011858af6c9e47c477f3acb091ddb7c81a1f7ba6686a5d0f1efa805c247726d5
4ca8867c73413aa8cf68d0f5598df56bcbdac57ae45a187a70d7db57013ce00d
8796f8a62b6beeebba7b46d308a63c203d4675d19af71b6ebdf54db9ad0f22e7
b72d4716e46bccdcd0a00a93e689778a4a0f0e638e441471dc97c5e670f1854b
b21d4a3c5b1589655459140ccce7ee8b26d290a11f10c9576ab23eec097a0873
10d0d92a35eba63a908abd91dcaf0f6edd6dcd7fb5b4f69eb5a34c828622a823
337e1723d8e1f99d33f16c9f2bedbc23ad4b3f3bead10e1b32a97f5c5f092c00
b1b3a02d6c950c9d8ba038932d8bcfca54caa9d8eec3e09db2a01e7a2cd72fc2
727ab834d2ed168f523cddeb64833547f751f3dcd3d3d381d3be2e209fd165f3
7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524
ec71f8b1de9ab853a519c2984cd086f1c85600dd38b77e6491e406597c7254db
9c4efdcc794f3607c6e1b604075f5eb82061b4e437a609677eecc2a9834f0ae6
2881880b13157c1973b7581a12181955f4cdc7e3bf83f51fb98bedbcb9f0a1d5
2288f74f56cd376862001d460688693eb97f19e2340f7a0a6a11bbc2d62c7940
a2b12b3c794503c2a72841b51d6d56ec4ea6335618cba2609ee68220376cf73f
528483384df0426da85ef7a6d94a87f47d9fad555b012743ca7fb796d1bc5595
51cb42250be947f6acf9a715f565403b07f6334dc138d4412aa44020eb5619c7
465d976ab0b979a9dc45f87e2658546fccbb2e6e4b1f2fa426dc884d6d038e22
ae0e98bd0887c557672ae7f5133ed6c2a90ed48de351f22c9d27160ec2dee207
372ceea0b43319ac8181d46c9dc73183d9bf5a91026d9edb8aff247fc66917d6
bbaa18e9c4b31ed2e0ead82d2db8e3a44817b2aa5a8db5fa6182ebca425e80cd
3b41e204919a03e624eeb43b065db76739d9ea80e9be61ec1a3813573d9fcc42
7d02afe4ff9ae4d97eefa6f635ef34deaa2ddf6f0b071edf3ad68195fba9a5ce
46de841fe8f07e8f478c3a6c90fd527eee18aa221092560038eed6dd015f4b08
e6d31dd30aff14d5beb306d174437b76140423c3ed65714b8594aa2452195903
c88360a8205165581cfc778a8d937581ed2b542c07abcf2114b08a93dcd8d27f
0e1f142eea32390b2d2f0781e2f6e2e25125b0672102207fc07517096c5622c8
6af6185583b5e245c411f99934b8cfd6b7978e0824e273940599c9bd13e7c672
3fcdca70ff15ae127205e5414070bbd4d77c84c2d199c6c95825d35c77ad1c92
7f0325d4217054cdab8d35ac1adb47ba8ea7e2ec01b7dda452e65d0dc742dc2f
1877311823db6ba59449f0d4198c863b355270a0b939c3e2e3187007cfd1a78d
SH256 hash:
e27a8e61a38e7b929607cb39f3871c99fe9a6c9289468e9506c02ddfaaffd2fd
MD5 hash:
fb6988edc00b075986a1dff9b77757cf
SHA1 hash:
2ceb038a985b504be1cb6df7702fcccab0a38298
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/049d03d2-73c2-4859-91ee-7c6ff32a8542/
Parent samples :
792c5a14383c93288737cb8ae096aa1b14d669c296338c1999fafe738eafae65
6a7ba277617d5223e7ff3cf394d5ffaa9ff3d7dda3ff854cd894f79780871c46
56955836c8cb4048312c9aff29dd845e6a45df99741f1c6b946a23bf9439ca71
SH256 hash:
0617076efba622b0c4c20cdb24aa956ad68c441def4599395cad7ff7f4f4d335
MD5 hash:
f333d2fb9066c2beb4db3069bf77bc59
SHA1 hash:
3fe611f06f7a9a866b7a66e666c0bcff40b51c0c
Link:
https://www.unpac.me/results/049d03d2-73c2-4859-91ee-7c6ff32a8542/
SH256 hash:
8b781da76108eab608c079f922cbc679fc8c240e5d6820101368ff39710dc510
MD5 hash:
343c1de90e73f958ba9a936cfbaa31d5
SHA1 hash:
e08a631a731a3132ec1beb8e34cdeaae0e9eb494
Link:
https://www.unpac.me/results/049d03d2-73c2-4859-91ee-7c6ff32a8542/
SH256 hash:
56955836c8cb4048312c9aff29dd845e6a45df99741f1c6b946a23bf9439ca71
MD5 hash:
d9cc85558d134e556b76368bf54aef06
SHA1 hash:
456695d1339d707a7a70defda03128f0bbbcf86b
Link:
https://www.unpac.me/results/049d03d2-73c2-4859-91ee-7c6ff32a8542/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56955836c8cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 56955836c8cb4048312c9aff29dd845e6a45df99741f1c6b946a23bf9439ca71

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2701549/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/442834/

Comments