MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61ee174e927ec0c511898bf039be953745ec7a239f443bc468f7b1d0a635fe2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61ee174e927ec0c511898bf039be953745ec7a239f443bc468f7b1d0a635fe2d
SHA3-384 hash: c0dfa7a5f9978e2098fca9cc664147d40eff6fece8cb89a4c07029a4bc8748f6caef54a2190db22521b5e8c3d485b210
SHA1 hash: 63db1401af2d3d634ae291ac718ce327d611b5b5
MD5 hash: 898eed5b62b80060f62d7c09840128fa
humanhash: enemy-single-steak-sad
File name:898eed5b62b80060f62d7c09840128fa.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:602'112 bytes
First seen:2023-05-04 08:45:26 UTC
Last seen:2023-05-13 22:45:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:mMrXy90iORPxJHdh95WoUfzGz6bNo700p6wLZ2kQBfzpfTNwrkgFP:hydOh7fWTGzLI0p6wV2kQB7pb2rJJ
Threatray 3'051 similar samples on MalwareBazaar
TLSH T115D41207FBD98032E8B017B01CF717D30736BCB19D28439B62A5B54A4D32A94A57673B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://77.91.124.20/store/games/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
898eed5b62b80060f62d7c09840128fa.exe
Verdict:
Malicious activity
Analysis date:
2023-05-04 08:48:30 UTC
Tags:
rat redline trojan amadey loader
Link:
https://app.any.run/tasks/04893dca-5a0a-459d-af06-b7a02b509ecd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386416/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching a service
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Blocking the Windows Defender launch
Disabling the operating system update service
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82423/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll anti-vm CAB greyware installer packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/645370cb92903068e34f86ca/reports/f7038abd-b734-4582-bac8-e2ac63fad2a0/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1310591
Link:
https://www.hybrid-analysis.com/sample/61ee174e927ec0c511898bf039be953745ec7a239f443bc468f7b1d0a635fe2d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Deyma
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edc5bff0-2a6f-4ad4-80ee-a8b668beefc2
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1225954
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 858913 Sample: rIst1XmTfU.exe Startdate: 04/05/2023 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 11 other signatures 2->40 7 rIst1XmTfU.exe 1 4 2->7         started        10 rundll32.exe 2->10         started        12 rundll32.exe 2->12         started        process3 file4 24 C:\Users\user\AppData\Local\...\x6054956.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\Local\...\i9610891.exe, PE32 7->26 dropped 14 x6054956.exe 1 4 7->14         started        process5 file6 28 C:\Users\user\AppData\Local\...\h8086097.exe, PE32 14->28 dropped 30 C:\Users\user\AppData\Local\...\g4879806.exe, PE32 14->30 dropped 58 Antivirus detection for dropped file 14->58 60 Multi AV Scanner detection for dropped file 14->60 62 Machine Learning detection for dropped file 14->62 18 g4879806.exe 5 14->18         started        22 h8086097.exe 9 1 14->22         started        signatures7 process8 dnsIp9 32 217.196.96.56, 4138, 49695 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 18->32 42 Antivirus detection for dropped file 18->42 44 Multi AV Scanner detection for dropped file 18->44 46 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->46 54 3 other signatures 18->54 48 Detected unpacking (changes PE section rights) 22->48 50 Detected unpacking (overwrites its own PE header) 22->50 52 Machine Learning detection for dropped file 22->52 56 2 other signatures 22->56 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61ee174e927ec0c511898bf039be953745ec7a239f443bc468f7b1d0a635fe2d/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-05-04 08:46:10 UTC
File Type:
PE (Exe)
Extracted files:
147
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhxbotusp3amkemjrpydtpuvg5c6y6rdt5cdxrdi66y5bjrv7ywq._file
Verdict:
malicious
Similar samples:
162e7d9def571babef55901131e9835a8b0442b1a49df29358099e8333464abb
RedLineStealer
17d4b2c08d363c0d92687fe76d049b27610fa1ffe82f5d8906608fc71be72611
RedLineStealer
3189e5fd5c5ad071968b0966525581bdab5ca86d16af194d9a38452279c60543
RedLineStealer
9c682ea92d3595f703099116f400adbe1bc7c08a8cbd003ccf7df3b14d000bf5
RedLineStealer
bb27ee6322d5f15f929baecf74e1c8616f46d35571197ee46965a110762e4171
RedLineStealer
bd5e7c52d4dc3be4205620c532d926014d4aceab2dabed28e16553d9d1b3e559
RedLineStealer
dab0d575cb650dae64243a3e53d3e2de98e25d819d1f87212fcbe38e54135cc0
RedLineStealer
e31670b1360e6f78e00ad558c2da9cebec2a44d91afe3f525a660801e1b715d4
RedLineStealer
ef35bb50d1328df4526a49ef3e02e2bf2a52629508ad6d767944a614606c36bc
RedLineStealer
fe08452040cf960e4d27560e18d8a8d6148301fb12ffb3024e5b33ff98f807ab
RedLineStealer
+ 3'041 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:daris discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230504-kpavgabb26/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
217.196.96.56:4138
Unpacked files
SH256 hash:
e8b80433b59b88ae2e46203201cc458f34993676e0cc57829c262848faa3f781
MD5 hash:
98f5c55a79f474dc2c18a1861d67ed76
SHA1 hash:
80c5058396c9547c5ee87a4a8469530dd9643a91
Link:
https://www.unpac.me/results/2b1475d5-f298-4621-8d17-c89c7036b875/
SH256 hash:
0e194a467d06199bfe5e93c562893ea36615e420f250bc906c45061ad60ce792
MD5 hash:
8d8c56e52a2c2f3aa039fedf523163f2
SHA1 hash:
e2447d13dafc22018a875dd4ca84ed0f42833575
Link:
https://www.unpac.me/results/2b1475d5-f298-4621-8d17-c89c7036b875/
SH256 hash:
f7069523adadbebb902cb3cae594d13ba58babb1d103199675f2d4bca3fffdaf
MD5 hash:
2eba40f46b89672b06d20d7e33b622c4
SHA1 hash:
99594eeea5ac8edbf0d9df207356698c27f92fc5
Link:
https://www.unpac.me/results/2b1475d5-f298-4621-8d17-c89c7036b875/
SH256 hash:
9a3c1809e4e5d1c532f12bdd3bbff409e7b49e12b095d01a42ee4d86c9fc3ae8
MD5 hash:
533f86762469101e11d220fde03bf7c7
SHA1 hash:
75795987b87b0587f9f8097d66dc09f80073797f
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/2b1475d5-f298-4621-8d17-c89c7036b875/
Parent samples :
61ee174e927ec0c511898bf039be953745ec7a239f443bc468f7b1d0a635fe2d
cb1db618ce36feea3e333e74e920a76332340f0094fe777aba6d95d08c80743b
92756cf2371ff7e78b9fc1d4a6eaad9282341b2093bc6d062c30f9b85d07842f
SH256 hash:
61ee174e927ec0c511898bf039be953745ec7a239f443bc468f7b1d0a635fe2d
MD5 hash:
898eed5b62b80060f62d7c09840128fa
SHA1 hash:
63db1401af2d3d634ae291ac718ce327d611b5b5
Link:
https://www.unpac.me/results/2b1475d5-f298-4621-8d17-c89c7036b875/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61ee174e927e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 61ee174e927ec0c511898bf039be953745ec7a239f443bc468f7b1d0a635fe2d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2623981/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/386416/

Comments