MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420
SHA3-384 hash: aab47807149e657f7318c18aaf0b5711a85e5ce5ecf1d9d898a00fe8258252797250a13b85b09fc2f8cab71f4cbfa341
SHA1 hash: 295f06794b26ba5ac7c73fbf636c581624f897cd
MD5 hash: b466f58861bb4069db99312de146a2e8
humanhash: berlin-massachusetts-connecticut-california
File name:b466f58861bb4069db99312de146a2e8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:246'784 bytes
First seen:2022-11-09 18:50:02 UTC
Last seen:2022-11-09 20:50:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8e8ff15d652fa4cfc3097ccc64aa2fa0 (6 x Amadey, 3 x RedLineStealer)
ssdeep 6144:kR69jvgMRufd/piq5aIiS87fSujpDBL1u:iKjmX5ag8+ujpDvu
TLSH T1DE3407207912C031D56091B729A9BFF2C59CB8259BB049DB7B800F7BDA122F67971E3D
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b466f58861bb4069db99312de146a2e8.exe
Verdict:
Malicious activity
Analysis date:
2022-11-09 18:52:08 UTC
Tags:
trojan loader stealer
Link:
https://app.any.run/tasks/6d0ea537-200e-4bfe-b660-e326ae0cb951

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331408/
Detection(s):
SecuriteInfo.com.Variant.Lazy.158178.31070.19006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a window
Creating a file
Sending an HTTP POST request
Delayed reading of the file
Adding an access-denied ACE
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey greyware shell32.dll
Link:
https://www.filescan.io/uploads/636bf66082dd9f2e265332d0/reports/5b161055-fa26-4f89-8f52-0e4416d190e1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81521f5e-5a14-4e97-9157-9cc72876489f
Result
Threat name:
Amadey, Eternity Worm, Raccoon Stealer v
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109626
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected Eternity Worm
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 742303 Sample: qqiOLQZ0Pc.exe Startdate: 09/11/2022 Architecture: WINDOWS Score: 100 111 Malicious sample detected (through community Yara rule) 2->111 113 Antivirus detection for URL or domain 2->113 115 Antivirus detection for dropped file 2->115 117 11 other signatures 2->117 10 qqiOLQZ0Pc.exe 4 2->10         started        14 rovwer.exe 2->14         started        16 9-111.exe 2->16         started        18 6 other processes 2->18 process3 file4 89 C:\Users\user\AppData\Local\...\rovwer.exe, PE32 10->89 dropped 91 C:\Users\user\...\rovwer.exe:Zone.Identifier, ASCII 10->91 dropped 157 Contains functionality to inject code into remote processes 10->157 20 rovwer.exe 2 26 10->20         started        signatures5 process6 dnsIp7 95 193.56.146.174, 49698, 49699, 80 LVLT-10753US unknown 20->95 97 77.73.134.245, 49700, 80 FIBEROPTIXDE Kazakhstan 20->97 81 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32 20->81 dropped 83 C:\Users\user\AppData\Local\Temp\...\20K.exe, PE32 20->83 dropped 85 C:\Users\user\AppData\...\myupdateee.exe, PE32 20->85 dropped 87 5 other malicious files 20->87 dropped 129 Multi AV Scanner detection for dropped file 20->129 131 Creates an undocumented autostart registry key 20->131 133 Found stalling execution ending in API Sleep call 20->133 135 3 other signatures 20->135 25 myupdateee.exe 20->25         started        28 rundll32.exe 20->28         started        31 9-111.exe 3 20->31         started        33 3 other processes 20->33 file8 signatures9 process10 dnsIp11 137 Multi AV Scanner detection for dropped file 25->137 139 Writes to foreign memory regions 25->139 141 Allocates memory in foreign processes 25->141 143 Injects a PE file into a foreign processes 25->143 35 vbc.exe 25->35         started        40 WerFault.exe 25->40         started        105 192.168.2.4, 443, 49698, 49699 unknown unknown 28->105 145 System process connects to network (likely due to code injection or exploit) 28->145 147 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->147 149 Tries to steal Instant Messenger accounts or passwords 28->149 155 2 other signatures 28->155 107 45.15.156.37 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 31->107 151 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->151 153 Tries to harvest and steal browser information (history, passwords, etc) 31->153 109 151.80.89.233 OVHFR Italy 33->109 42 conhost.exe 33->42         started        44 conhost.exe 33->44         started        46 cmd.exe 1 33->46         started        48 5 other processes 33->48 signatures12 process13 dnsIp14 93 raroford3242.xyz 185.231.222.185 ABELOHOST1NL Netherlands 35->93 73 C:\Users\user\Desktop\HQJBRDYKDE.exe, PE32 35->73 dropped 75 C:\Users\user\Desktop\HMPPSXQPQV.exe, PE32 35->75 dropped 77 C:\Users\user\AppData\...\tmpD622.tmp.exe, PE32 35->77 dropped 79 19 other malicious files 35->79 dropped 127 Performs DNS queries to domains with low reputation 35->127 50 remcexecrypt.exe 35->50         started        53 racoocry.exe 35->53         started        55 redlcryp.exe 35->55         started        57 wscript.exe 35->57         started        file15 signatures16 process17 signatures18 119 Multi AV Scanner detection for dropped file 50->119 121 Writes to foreign memory regions 50->121 123 Allocates memory in foreign processes 50->123 59 vbc.exe 50->59         started        63 WerFault.exe 50->63         started        125 Injects a PE file into a foreign processes 53->125 65 vbc.exe 53->65         started        67 WerFault.exe 53->67         started        69 vbc.exe 55->69         started        71 WerFault.exe 55->71         started        process19 dnsIp20 99 157.90.145.151 REDIRISRedIRISAutonomousSystemES United States 59->99 101 geoplugin.net 178.237.33.50 ATOM86-ASATOM86NL Netherlands 59->101 159 Installs a global keyboard hook 59->159 103 87.236.161.20 EXCELLGB unknown 65->103 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-09 17:28:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nt7f7zro2yamolchjzw75zv6ncohjkba66e7xsjrb6vr62fioqqa._file
Verdict:
malicious
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:eternity family:raccoon family:redline family:remcos botnet:@redlinevip cloud (tg: @fatherofcarders) botnet:bf3346f8b90a3b56b998fed7451ba685 botnet:remotehost collection discovery infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221109-xgyb1schhn/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
Eternity
Raccoon
RedLine
RedLine payload
Remcos
Malware Config
C2 Extraction:
45.15.156.37:110
157.90.145.151:14075
151.80.89.233:13553
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
157.90.145.151:1441
http://87.236.161.20/
Unpacked files
SH256 hash:
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420
MD5 hash:
b466f58861bb4069db99312de146a2e8
SHA1 hash:
295f06794b26ba5ac7c73fbf636c581624f897cd
Link:
https://www.unpac.me/results/1efb03b2-72b2-4dc2-ae7c-dfac27d8d196/
Parent samples :
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c
bfd68b428d7401ece09a3aff4a699f318525c839819f5195f15607e9cb374878
e2e84ad248c4744e5ae19a65f83715db30c11f896737f8108ac2f5b4705a4706
c789ca3ed461209333b4c26d23acf76b41477d88a8b876f17da140b3a0bea8b8
4531bab51ff2faf6dc606f50c3952804815e83b01c861d4eae8b606a8668ca39
ba7bf06a8b747e5082507f30ae70292d8aa3155d87750d7c9ddc7cc95cb06f94
b5c70be2efa234a02e2becde40c95f71a35a3b8b528487a0d75619e4f0c6cf16
18a67aada4aaab03d59d1ecf9c42e1286c3d40e767f7e9f009f1f866a170ebe6
845d58361d94e714e6c56e856513d5717b9d846939f586c09c728d70440e7137
70f60b192056d200088fdcd3863de5c26b6e10e7e7b38ca71375a930d6645014
2e07beeb6a66649833601f88a8c63e8e380a7dafb36acd8cef3c1d5fdf1f0555
824747565954291232e0fff5be86f4166c49de5f0f8bfcb1bf04ed69c6697b56
25ae1edc4fb4a251433e427c5ba19bf597e242befe7cb836da692f2cbb2949ed
cbf9b5fd0f1fbd2b41c923287845fd459d141f64ded5aa1620d1d5780b24b0c2
6d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6
ba7ae4d81230ea130fc253909c9a37c3c72a3ec900377210d3ae87182e545408
2229a1a3d8304e6a593a89c2e097555f3770470437d5d471d7d326f5dfd13fb3
45ec34129540da364345c3dc3c1a246462c8f76930a034fa0a0c19fb4289847e
a6f0c3dbc66f5d1ce4818da224a8d5d6a7e2b1e93c687494ed5a9049234cb73e
9c7884b63c08116d6c919dc8636fce73000b2453b55a5861e02d8397369e0069
e38620780c23a4bb011ee90b51d2aaae03d722f03b28dcefcef8f4ad583c805b
9e47afb1cbf75b95f534cab3ff1f601c047547ff64013aba8c10bacef62a0044
8093d23afdf0f4921b31a3a4c2d17482521de0c07f0ee865679cfc7457e9283a
f82bb72225fe436d0b618d95cb6da52042e51241efdc27b612941bb24c716183
534dd0693956756a462f502e0addbf053bd6aefafc22c7df333bc129e43765a7
688e0e51fc93a9a896e43890f249e40e60a6c4f8ee4d3b7a035963c0da06387b
a40eab56ef04ae09635c11e70aceeb33c1782604d1a6d8746ace012d6a579d1d
484ab954f747e0bc01e75197f4d25f36cca6547f9b956651592d2a18973c8004
98edd304b1097aca9d03e627a67b2c51e96cab302f8cbcf5bb01413ab7bbdf0b
514d80c3be555ac9e7f4075eeb0969cb851b271741c99a08f609c2a1368492d6
0300f874f15411c653b56297f89ae92bd9f905f808e6c0011ae9974d96da23a3
3fc60c0a4262d3c138b685f4bbb66dc9433c06c16354c209043b4151ec62c8ea
6c8b75923adb87b5d61d618d655dcafbfa076cbd492fa6ad933c60dd8167bc32
eeaec536b77eeec1a4324ec70bf2d9413cf0a077b6ed2a3de2fcb00fe5c84ed9
f8211ce16a689baf63b208437d1d1da3afe251c3e74acd34baa3307cfeb21e86
5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288
b1a48ea44a8dce7fb5b4a86926992933f9beb0a570acb311cd0ac1c1c277b4d6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2406078/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/331408/

Comments