MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c046a3ab7b078de30ac65626becc7ed08f88c78aa94b0073f5d857d394edb9d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: c046a3ab7b078de30ac65626becc7ed08f88c78aa94b0073f5d857d394edb9d3
SHA3-384 hash: e1bfa70889a982586e0b6784485ddf2e9ece052a2a2da521fd00ac00f3d497f994f58cf0d5dfd8724754db47d1f27dae
SHA1 hash: 9ba93f55a17ff1e5daabc30371aec450357e2f8d
MD5 hash: 596bd809fd8c97a9a436ea78d96ad059
humanhash: nineteen-hydrogen-tennessee-robert
File name: c046a3ab7b078de30ac65626becc7ed08f88c78aa94b0073f5d857d394edb9d3
Signature: RedLineStealer
File size: 1'172'480 bytes
First seen: 2023-05-14 18:30:55 UTC
Last seen: 2023-05-14 18:45:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 24576:oy7OEJvQlSfQOhgvzVnnc5Ds8k22IZQiI+1TQKM6g+nl85Fn7Nrlep04:vCI7YOhSzxYFZ2AwKM/5B7NhA0
TLSH: T1E5452216E6E8C435DCB857B45CFA03C30F367AE25DB8865767869C9A1CB36C1463232E
TrID: 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: JaffaCakes118
Tags: RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 40
Origin country: GB
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a service
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 91%
Tags: advpack.dll CAB confuserex installer packed packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph: (graph image not reproduced; the details recoverable from it follow)
Behavior Graph ID: 865849
Sample: 3YvGn4ffum.exe
Start date: 14/05/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 7 other signatures
Process tree:
  3YvGn4ffum.exe started; rundll32.exe started three times from the sandbox start node
    3YvGn4ffum.exe dropped C:\Users\user\AppData\Local\...\z7461539.exe (PE32) and C:\Users\user\AppData\Local\...\s6587509.exe (PE32); started z7461539.exe
    z7461539.exe dropped C:\Users\user\AppData\Local\...\z6042720.exe (PE32) and C:\Users\user\AppData\Local\...\r2201990.exe (PE32); signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file; started z6042720.exe
    z6042720.exe dropped C:\Users\user\AppData\Local\...\p2188383.exe (PE32) and C:\Users\user\AppData\Local\...\o9044513.exe (PE32); signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file; started o9044513.exe and p2188383.exe
    o9044513.exe signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, 2 other signatures
    p2188383.exe started WerFault.exe
Threat name: ByteCode-MSIL.Trojan.RedLineStealer
Status: Malicious
First seen: 2023-05-14 12:07:28 UTC
File Type: PE (Exe)
Extracted files: 115
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:luka botnet:terra discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction: 185.161.248.75:4132
Unpacked files
SHA256 hash: aa457ca304f9e9a1d97fdf959fe796f861fba53a4e0cd948ad3d80a3ac179850
MD5 hash: a498a029c37db05b4d23d0defdf7c37b
SHA1 hash: bb893a3f1f138f3f241e67acf6f9b18c239480b3
SHA256 hash: ec5691b05799648974ed0b811c9555c798b060cc26ced2700f53ecb556964448
MD5 hash: a3b2b71167f20c5ef769e462b69086fb
SHA1 hash: 64a09d547cce7481f0d315223471b79bb8f97b26
SHA256 hash: c7cc5be61e8cd77f12450508bcae49f4f0c42d18d779bf9c47a2571f36060fce
MD5 hash: c53d99afa73a4f5f7e21f6eab39b942f
SHA1 hash: 7b405370ac9915b40d00da38323da63138b7cd81
Detections: redline
SHA256 hash: e94031e265104f8f9093764a555ef0e119df7a26e4c30601fb03e06ee72d4918
MD5 hash: 5f00c1746ebae73f3c9a2fc2c6f7c796
SHA1 hash: 6351480ced3ae0788c4c3cf22b3f2f9cc079c2d2
SHA256 hash: be44c9fd9a25f4331521b1fe16fe6d59c58488f60ab33588c8ac947b172aa192
MD5 hash: 3576cbf587ccbae0350ac4088becffe2
SHA1 hash: 55b1aba6048e982132c582087e9a1494413ead16
SHA256 hash: cea8acc7ed1d5a364379a29f36c508f9bbd3f4d80382e3597cab1ab59e71847c
MD5 hash: 0ad10a101fc4e8a7e9edfd7496449949
SHA1 hash: fa7147f2fdc1686d4fd870a6ffb85af80713a696
SHA256 hash: f4118141f772d469066b1285f99e2cfd940f20677683b89ba85c8b44ec98c3b6
MD5 hash: 8b0aced39e275f156c6936c73000549b
SHA1 hash: 5657c526c8224cb4e93c24b396a07f8eac7ff5f2
Detections: Amadey
Parent samples: …
SHA256 hash: c7c7a514fe456cfa50f3f087d1be3f2825bbeeb27935c6673b105b82eac3d7fe
MD5 hash: deb22ad1341863ee15e81dc3923e297e
SHA1 hash: f50d891f82ee8b4b2a944e682873dabdc3b4eea8
Detections: redline
Parent samples: …
SHA256 hash: c046a3ab7b078de30ac65626becc7ed08f88c78aa94b0073f5d857d394edb9d3
MD5 hash: 596bd809fd8c97a9a436ea78d96ad059
SHA1 hash: 9ba93f55a17ff1e5daabc30371aec450357e2f8d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: pe_imphash
Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments