MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b52f4535de27262785cc72628d1a01027f15aaf03f90c196b46871e01e855691. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

SHA256 hash: b52f4535de27262785cc72628d1a01027f15aaf03f90c196b46871e01e855691
SHA3-384 hash: cc91a25c63c2c414e49c3cc7fc18213e6b533d061bd05027256728efcacd9eedf225c32c411a302c56828b646e2d3955
SHA1 hash: ea9d691f7d8b022e0d683c4a8e50e66d50b03016
MD5 hash: 464a6a1a9ed3b868f36cfbcd6d3fbe34
humanhash: batman-sodium-six-bakerloo
File name: 464a6a1a9ed3b868f36cfbcd6d3fbe34.exe
Signature: RedLineStealer
File size: 563'712 bytes
First seen: 2023-02-11 14:31:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 12288:bMrly90iTWw2VioEQomakfqqI87fiKC5r3q5SMZ3jdORNQ9g:Wy/TWXVIUe87KKC5rkjdORNr
Threatray: 13'259 similar samples on MalwareBazaar
TLSH: T18EC4120BF7F88472D9B51B704CF603E32A367D519E38828B668FAD561C732A0613576B
TrID:
  70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch (reporter comment):
RedLineStealer C2: 193.233.20.12:4132

Intelligence

File Origin
# of uploads: 1
# of downloads: 188
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: 464a6a1a9ed3b868f36cfbcd6d3fbe34.exe
Verdict: Malicious activity
Analysis date: 2023-02-11 14:34:19 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Connecting to a non-recommended domain
Sending a custom TCP request
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: advpack.dll amadey anti-vm glupteba packed redline rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 804899; sample Ifs6NAdsE4.exe; start date 11/02/2023; architecture WINDOWS; score 100). Information recovered from the graph figure:
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures
Process tree:
  Ifs6NAdsE4.exe (started), rundll32.exe (started, twice)
    dropped C:\Users\user\AppData\Local\...\ndh27.exe (PE32)
    dropped C:\Users\user\AppData\Local\...\dZk93.exe (PE32)
    ndh27.exe (started)
      dropped C:\Users\user\AppData\Local\...\cjt76Lk.exe (PE32)
      dropped C:\Users\user\AppData\Local\...\bLy99.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      cjt76Lk.exe (started)
        network: 176.113.115.17, port 4132 (local port 49701), SELECTELRU, Russian Federation
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
      bLy99.exe (started)
        network: 193.233.20.12, port 4132 (local port 49699), REDCOM-AS Redcom Khabarovsk Russia RU, Russian Federation
        signatures: Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to steal Crypto Currency Wallets
Threat name: ByteCode-MSIL.Trojan.RedLine
Status: Malicious
First seen: 2023-02-11 14:28:30 UTC
File Type: PE (Exe)
Extracted files: 180
AV detection: 18 of 26 (69.23%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:fusa botnet:nocrypt discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine

Malware Config
C2 Extraction:
193.233.20.12:4132
176.113.115.17:4132

Unpacked files
SHA256 hash: 13dd8de20e8fe15d26d24034435eaef526509b9d818e644f8664bfa410e67a3e
MD5 hash: bd8eae27b9ab22e6f8b8b46941d09eb8
SHA1 hash: a2cc68703a7579d7c22612efa5e1a171763081c7
Detections: redline

Parent samples:
SHA256 hash: b52f4535de27262785cc72628d1a01027f15aaf03f90c196b46871e01e855691
MD5 hash: 464a6a1a9ed3b868f36cfbcd6d3fbe34
SHA1 hash: ea9d691f7d8b022e0d683c4a8e50e66d50b03016

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe b52f4535de27262785cc72628d1a01027f15aaf03f90c196b46871e01e855691 (this sample)

Delivery method
Distributed via web download

Comments