MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e
SHA3-384 hash:	dfa6c541716eea89c75b8053503f12bd5356c65e4828a1195170e9589cd8e1d6138bcce65e51a2346895a0bc41600534
SHA1 hash:	a212a3baea64741141701934d7dd143d81dfad13
MD5 hash:	fd4c5588866fc90beb0e4085789da1c9
humanhash:	blossom-moon-green-stairway
File name:	c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	788'480 bytes
First seen:	2023-05-14 18:31:30 UTC
Last seen:	2023-05-14 18:45:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:iyXaFbEVG9hRgPtjseKAMliB9YCj4b0hZGHI:J+bEVU6lY9bi14b+c
TLSH	T110F41257BBE89073DD7527B004FA07430F3ABCA29E38425727859A6E0CB16C458B676F
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	JaffaCakes118
Tags:	RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e

Verdict:

Malicious activity

Analysis date:

2023-05-14 19:12:24 UTC

Tags:

rat redline trojan amadey loader

Link:

https://app.any.run/tasks/ca78eb0a-0aa0-423f-8f99-29b58830343e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/389494/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching a service

Creating a window

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Stealing user critical data

Blocking the Windows Defender launch

Disabling the operating system update service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

advpack.dll CAB greyware installer packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/64612939c91c7e59599bc29b/reports/8b82bc0b-4e2a-49f7-adb5-2ffd53c4d35e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Deyma

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec278f35-baa3-4aa2-a48c-83bb1150e9cf

Result

Threat name:

Amadey, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1233392

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Amadeys stealer DLL

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e/

Threat name:

ByteCode-MSIL.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-05-11 12:00:54 UTC

File Type:

PE (Exe)

Extracted files:

119

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yuto4dj35rvkuad34th6opuzqozpikpeeuedzth2ieaq3je42kha._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:debro discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230514-w6ny7scg74/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Malware Config

C2 Extraction:

185.161.248.75:4132

Unpacked files

SH256 hash:

389c88af69acdd1a6211f2a983b3e46fb7fd4212799293a803b9dfe340670f5f

MD5 hash:

81e86042bdb2e0504ef951fd977d5598

SHA1 hash:

f158153bbf3cc04e7343f92a1972730d4111844e

Link:

https://www.unpac.me/results/2d2e9982-c9ac-49b2-a25e-562c09de8029/

SH256 hash:

2550a5839ed554039001288580fccc4f12df05c94e42c9e22b302094ac93dc02

MD5 hash:

299c969f9550e1e4ec7cef95a5a9caeb

SHA1 hash:

b3119fd7abbb34ff11d0f8c0029933fc849ada46

Detections:

redline

Link:

https://www.unpac.me/results/2d2e9982-c9ac-49b2-a25e-562c09de8029/

Parent samples :

d11e02cc2ce31a34d48437992e2e96956b97e249960f2fd28479e8dbd329bbc1
32c7c9dd6ceb2fd8e565617f0e33615c72727f907ca62ffee1e30f6693d35d70
a574f5fe12dd99eb7c6ced297707327025363dc480d1d9b89474bb8ccebdf340
5e97cadd04a17da3f4f87af7b3ac747d3faac664c3588f5d212965294b8900d3
94e2aab4a036f8788be69af92be5568812541993f735732ec0f0d00dec17126b
bc16fbf93d80cbd51ecff034dce428809c082100d774eee10eceb04fb106a5ff
7a1e764ffbc42d4e9ce414e4f6deb4f44dbe39f2ea4d2ba7b48aaa480e1b4536
93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5
2a21da802e26b2d828b38b3ce2fe3ffce5153e6c6a113f1a091ec874211bc890
f8cb70ff35016137f6ffac142ac61a36f47ee76fc792a865dd0f3c6625958ce8
db1c8fc3822511f7e804660ea93dfe82713dc79a1d9d80cc6bbf236e415d644f
4efd9345b81d93819658bf03353e8bb79e666682256eb551c77b7e9a9dd64a80
c0c1030bbba4126b51da03be33c6bc09da536259c029001f969b28d736f3e011
cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6
9095a896f5486e40ed6f168cc3feb1d6875ffc56e29a86143824b17632d7cc2d
ef0e0f3b397be2c91250868dfd86c94971df26403b3f146683b948d4856ac9a8
bd617ede15a79ede4ac461e6736f133a29ec6d7a79271992270286c2f881422a
c27f551766140e14a35f04c230ed09f28a4df423db1f53dba3bba5046c65bb11
c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e
ce5638eb5fdce0a9882127a6e53553caf3066e1c342115793b42c61389328410
cf27f83a4262559d923a90c2736a92facc137c0843831111e5aab5c7f462f778
d7c3d5e8ae14b370ea237a3af36c68c84f3a291d2f610c47825b80226cfb8ef0
d7f818cdc0949b0698bdb7a1e6b557b2e53d803427d360630602504c30be2ce7
dc647409431a151cbc058716edef6ab85ec267022ed19ce3c971ac11b787321b
df66d72c3c6d6c70f4784e9c24b1af4a3cb07ff9135531903ec1f54b752db6b6
e91cd6f3491d050a5583a85a8a9a661523f373a00251fa4dbccda2c865e7cef9
eca9b94dedeac84fa594bc441da231d795e2bbe961909200cb200aae89857bb1
a36cb619fe3f534ed41d78ea59fdb44890578743adb77e5c217309499726c098

SH256 hash:

44180e2dd1b45d374c73d580aebbbb8f390f2c0f00765d138fb952300f68b0bc

MD5 hash:

14ab6de74614132db925ca1d6d628f76

SHA1 hash:

a05d4306a935bf09de0ab6025c7ab72d08925ef8

Detections:

Amadey

Link:

https://www.unpac.me/results/2d2e9982-c9ac-49b2-a25e-562c09de8029/

Parent samples :

2b4f06b5c00bfef8e1e83bfa46f822dedb09d05779d8171ff91d59994f9bca14
58a30e4769f449019d29b3458663cb51aced48cb23ae507e81c43afb5f8390e2
d11e02cc2ce31a34d48437992e2e96956b97e249960f2fd28479e8dbd329bbc1
32c7c9dd6ceb2fd8e565617f0e33615c72727f907ca62ffee1e30f6693d35d70
a574f5fe12dd99eb7c6ced297707327025363dc480d1d9b89474bb8ccebdf340
5e97cadd04a17da3f4f87af7b3ac747d3faac664c3588f5d212965294b8900d3
94e2aab4a036f8788be69af92be5568812541993f735732ec0f0d00dec17126b
bc16fbf93d80cbd51ecff034dce428809c082100d774eee10eceb04fb106a5ff
7a1e764ffbc42d4e9ce414e4f6deb4f44dbe39f2ea4d2ba7b48aaa480e1b4536
93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5
2a21da802e26b2d828b38b3ce2fe3ffce5153e6c6a113f1a091ec874211bc890
f8cb70ff35016137f6ffac142ac61a36f47ee76fc792a865dd0f3c6625958ce8
4efd9345b81d93819658bf03353e8bb79e666682256eb551c77b7e9a9dd64a80
c0c1030bbba4126b51da03be33c6bc09da536259c029001f969b28d736f3e011
cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6
d44985104da589aa6bb697827e5130180990444cef20cc7e18a5fa9e1847495c
ef0e0f3b397be2c91250868dfd86c94971df26403b3f146683b948d4856ac9a8
bd617ede15a79ede4ac461e6736f133a29ec6d7a79271992270286c2f881422a
c27f551766140e14a35f04c230ed09f28a4df423db1f53dba3bba5046c65bb11
c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e
ce5638eb5fdce0a9882127a6e53553caf3066e1c342115793b42c61389328410
cf27f83a4262559d923a90c2736a92facc137c0843831111e5aab5c7f462f778
d7c3d5e8ae14b370ea237a3af36c68c84f3a291d2f610c47825b80226cfb8ef0
d7f818cdc0949b0698bdb7a1e6b557b2e53d803427d360630602504c30be2ce7
dc647409431a151cbc058716edef6ab85ec267022ed19ce3c971ac11b787321b
df66d72c3c6d6c70f4784e9c24b1af4a3cb07ff9135531903ec1f54b752db6b6
e91cd6f3491d050a5583a85a8a9a661523f373a00251fa4dbccda2c865e7cef9
eca9b94dedeac84fa594bc441da231d795e2bbe961909200cb200aae89857bb1
a36cb619fe3f534ed41d78ea59fdb44890578743adb77e5c217309499726c098

SH256 hash:

bdb9658dc827b1e749eef40b8d5d99e4c665639552b42951d44e9cacc6ebe830

MD5 hash:

b602df74a9c6914e8fe6f30de28ee1a5

SHA1 hash:

18887e65dbf42783ba5bffc8dc1a6682ffdccef7

Link:

https://www.unpac.me/results/2d2e9982-c9ac-49b2-a25e-562c09de8029/

SH256 hash:

c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e

MD5 hash:

fd4c5588866fc90beb0e4085789da1c9

SHA1 hash:

a212a3baea64741141701934d7dd143d81dfad13

Link:

https://www.unpac.me/results/2d2e9982-c9ac-49b2-a25e-562c09de8029/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/389494/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample