MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29
SHA3-384 hash: f8bf7fae7e59046054649ea96861b14e85d4307a63dd0a0423904ee91961c87bee27361157e3abe998ddcddb7f891950
SHA1 hash: 18fccedde4290e98bd58a4b271eb0020427e508d
MD5 hash: 7383fc6f03529d971ce0294f7ed95aa2
humanhash: hot-item-social-alabama
File name:c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'054'720 bytes
First seen:2023-05-18 14:04:25 UTC
Last seen:2023-05-20 14:54:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:0ylFNOFv1XZH/fDeAs8Xdi5TI3yGSqtCMy:D7QdXp3c8tcTI3yGV
Threatray 598 similar samples on MalwareBazaar
TLSH T120252302E7E9A473D8F51BB059F702A30E7B7E628A3C476F224155A90E73AC4B131767
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter JaffaCakes118
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
59
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29
Verdict:
Malicious activity
Analysis date:
2023-05-18 16:12:48 UTC
Tags:
redline
Link:
https://app.any.run/tasks/0c9e4efd-fa3f-4b5e-b66c-b4f761341af9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/85479/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
78%
Tags:
advpack.dll CAB greyware installer lolbin packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/646631276a1947366b78efd3/reports/49f609eb-b678-4ec4-b871-c0de578c0405/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7b7e52b-bd2f-433f-b509-89e5ca79a376
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1236263
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869260 Sample: LS4jymDlQ1.exe Startdate: 18/05/2023 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for dropped file 2->47 49 7 other signatures 2->49 8 LS4jymDlQ1.exe 1 4 2->8         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        process3 file4 37 C:\Users\user\AppData\Local\...\x4106749.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\i5924628.exe, PE32 8->39 dropped 17 x4106749.exe 1 4 8->17         started        process5 file6 29 C:\Users\user\AppData\Local\...\x3055562.exe, PE32 17->29 dropped 31 C:\Users\user\AppData\Local\...\h0616671.exe, PE32 17->31 dropped 51 Antivirus detection for dropped file 17->51 53 Multi AV Scanner detection for dropped file 17->53 55 Machine Learning detection for dropped file 17->55 21 x3055562.exe 1 4 17->21         started        signatures7 process8 file9 33 C:\Users\user\AppData\Local\...\g5488529.exe, PE32 21->33 dropped 35 C:\Users\user\AppData\Local\...\f5448908.exe, PE32 21->35 dropped 57 Antivirus detection for dropped file 21->57 59 Multi AV Scanner detection for dropped file 21->59 61 Machine Learning detection for dropped file 21->61 25 f5448908.exe 2 21->25         started        signatures10 process11 dnsIp12 41 77.91.68.253, 4138, 49684, 49685 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 25->41 63 Antivirus detection for dropped file 25->63 65 Multi AV Scanner detection for dropped file 25->65 67 Machine Learning detection for dropped file 25->67 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-05-18 06:47:55 UTC
File Type:
PE (Exe)
Extracted files:
118
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yyrlnwvi2zp7p5rkz7wnlxn7eda4qdgomzryxciqklyx566qzyuq._file
Verdict:
malicious
Similar samples:
0f91f82218d734d2f86b6a1fa0b6c8743e031caf1ce6481e138201309eaf224f
RedLineStealer
127331248be3658c2f1156be9b8df2462ae511a94f73d3251f76ff294424b2cb
RedLineStealer
28d3195daf8b48fa262cc9be185e9dd402f79be472874b4070dd0516744b8a63
RedLineStealer
8003e04f598f75df475bebdafb8b1702c4bdff87067b6554942a795a50c5bb73
RedLineStealer
86de0eece0f433c1dad9c51b60a11e39346f6da14ad576d78bd72600d963f80a
RedLineStealer
8c6d489d8ecdd838af163fa9d7dca54122213cb7344e14496966c69e707f556c
RedLineStealer
aa3a84d69bd27931f0e7aeda5ff5cb4f7780644c2bb59bc1c374470c8109d2da
RedLineStealer
e97c547cced7e272f3695066bf3086013be74e24a21bf7bbb9302982edf255ce
RedLineStealer
f984811ca20f0022a21840ccd29a68b8a39d44569b4ecdb9634405e4f404af57
RedLineStealer
fda782d36cbd967d0c3f037110e2419d4676af0a089648fb8c6f8656e97fdb83
RedLineStealer
+ 588 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:dream discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230518-rd1ebabb7t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.68.253:4138
Unpacked files
SH256 hash:
d7be22a0204cc3dae01691295543956d70ca8b4593393f62bad5395407488639
MD5 hash:
a8a86517204ff54de3ef7b0343b6e992
SHA1 hash:
efabb8de40fd13410dadfba205fe12b5e5e0800a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/efa5c596-1264-4901-ac03-114f176b35eb/
Parent samples :
6874579083866491914f0d0abeb7aa41f89984b23eba45d7e3d4c6b541d1590c
e62f15e2d2c2703aede889f62a0185f1c3293d91b394cdd814bcb3fc11ffd0ef
901bef1389535d2a88cca1e4786667bdd4f1b3f2ee57a8319fc79e3ffd81c291
59020905e7bc86aafc3ee35ab09b9bd2274db025cc1496ce60849bf68c4dfc91
79069213cd560829256de065e5bde668b2b09df0462eacaa9c58cbcd43803bb6
f01e4e13ab7d2e115099c3e3ae1dbf5f211bd17c6afd20db84bbdf18866224d6
6b4037a48d116b95097079a9abe02e5ef2dfad10eb1b6d6e3ab1fb8d056fe119
6975da6b09ba946b5ff4fad98eddb1b3ac61cc6290a6cd1849a84fde7eb95687
582922fd4434763473a1e8e5327c9d8f5650ad6f142aa39acacd2ee580e45684
96c0720b5a196a65f3ffa56bb6ae827241f410c0b051f784014e3ec554b05a01
0c4f1f1cc2ef5d0588330c31f21b5f0b5be5e78b3550d0031083ee22f18d51b7
e779ae0bb123600cdf943f6d68902efbc657e52a18d2049aa970eedbe3d459de
e1232c7a472043dae0e1ed2d5c6ffefd218f7e0e2b02b774a0f2fd7b9b6fc397
488f47913ebc1a517ff7e667457e109f85013665e7410e704468cfddf8f957f1
027e637e5002680c93e3e06b6aa052ab9615b09ca109ca978a30d680463bfaa1
12497aaf8b60780593cbaf2ce31bc6af26dfb71879aa41ad91fc6a7de4863584
15c0b7692e6816d0eee98cfb1e47d26c43ee3773478972bf00b9dc539caee3f7
1b3e72fc4627178d84a0d6fda53ea20ba7dc5ed1d04db282709e864bcbe502f3
2301a101d76ee2c1692ea788f4bee0d5904b1a869f4b28a9b4f53d9451991146
2a69af708cda37f77096756690a5249b4a64fb67f43c2bf3e6e5a2d8bd8b19e6
2cf5fbedccd0b6778bea65b3e86f83bd69bf9387ccdbe7ca06ea49f544413b7d
379025fd7a8792612d77977b9009ff47d7e0931bcae558f45e2eff07b6290015
3f41f04a9de43e495da231f0680fa14e736499f9256a2db57a2d6ff59d3551e8
417b380175bbfc3563297c45a26d14107ecd863606673b9f8b620a28c3beff84
42da8606faa8969db395c1e0ac6e84edde19e4c41d1e7bf36bf4e7479446518b
4ee6e6d2729dd2679af3069295a3b8bc006e7e952d0f184f2a5357db60e24b88
64772f2a439ab590be6915af4a26d084e17c3cc171806890a1d0c9e72178dd68
66cba3ded9ec39d9c1d1941388c78a8d4ed8fdcb12da5dcc2329f759bca154c3
694de2387416a117585d2f532595b99fdf63ec22e8581b0be74bee1e28bb1bca
6997523146cd7b528c63d5957d40402be15fe7759f7f6fea5ab559ceab1605c9
69cf5244fae9086a4da934107cbeaed93618408b20b3ac456c8407072d7db6df
6ff6304475351b27a30175798eda50187b6e5a71a3b3bf5c40fb341af2047f98
76935baedca16a33a2b049c8e72e1db2de5f7cd9de4126f35636bf1e7755118b
7d2ca14a698c1af1c81bdc2cef46583e869eb6e022f90e23a738d0042baa7f64
7dba885452b86f5d61b0666d366e21046613d914e5006a4e73ec6d9d71487e0e
80f35144988b230ea1c07b91d56b20329a34aab1d98b80d2bb425e58fcf94ef7
84497835c6c6c3e3f33958ba841e7fc2c1a03b1380873189e719e9699bfb4551
84656341abca1a255b71fba3415b830cae85a814b546f5b2d103216711813d1f
879b05437b8aaa02a1608ee7c070905714df31e4d2a17067be0371dcc86c6e5b
8969ab290f6afdd03a4bc78d82548b878f4f352c37a2f93cd255145c6621c110
89ee7b2e8e3fcd2968f29612f43a166cfafd2c1a15f5925f493531b4617eebd0
8c1f2a62eb7fb91124fd4f149529562b1259d9603f5e3b2e9f149447a302b186
a09f454432091d94acc1b023b9dcad9263256721f7ec197491fc264dc6f3c5c4
aa92073e04f7a4f4214b55a5e86cfbaf7c828cf52634bc655300d956c742a064
ac4160020cddb3c20f349f3ac3fe2ba8e43c933a894a46bd091ca97506786230
adcf10d6f25a16acdde6c6936c580355d2f4176a8c36ad077d036e2c462955da
b23b54788c4d54968b920121ef5e6a88cb502dd95ad34749920dc9def4879f06
b7999a0c803b356aa65cf4050360a95cda60a05ba2eae04771a9c633eb836e3b
c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29
d96696ec0d30216eb16dfeac15215c25baea61044e45b76b5ee3347501950350
da866012d0f638dcd44de30eac7fe7cb62fcb121cbc1adbe23b9d426ff364541
dc8a58d1b646cf1498952d53b950e4e44af2cd448a41ee9f42f1d64036739cf9
e0eca07aea1f524cb3db5c39b062bfed640da3a6baf528ce423857f558ce1ef1
e4d14984da7282c7822a4522daa79894c4247bb1b57131ff177bbd2b3cfddba0
ed7bbaa4419792f6bbca87431665b52eb18e888ab11b2c9121dc36051d7d5e85
f2ee05062e086c891664d55b30f823230d8c5e60e748279c1dea29840926de65
f6c1258653cf5108b1b26073a4fea9717c8e54d4a77958ac2c322fed4d8a0545
fa58852087c17d55009b5ffa5f9da7e6aa3c9ca0a718f3b0bb96f65d912aeafc
6feb4c24a3b46245e6b4df19e587d0b04323466cfcc7ddd7d5e75272f1ee918f
SH256 hash:
2cc94c247c7223109c0d4949a75c1119911ea16282e90340bc1b53c5eb859bc2
MD5 hash:
e4669f26748c85edc6218aca883f515a
SHA1 hash:
608d6ecadda7248347ab72836ac982bcba0e52df
Link:
https://www.unpac.me/results/efa5c596-1264-4901-ac03-114f176b35eb/
SH256 hash:
dc509d5febf641026c8ceec8efeb4ed9f0f7b06f47dd5f2295cc17d9c01d4690
MD5 hash:
f0e8431aab48e8ed374cc58496c35aff
SHA1 hash:
5081e6d15c26065a9dbc964836239e5a1b4e331e
Link:
https://www.unpac.me/results/efa5c596-1264-4901-ac03-114f176b35eb/
SH256 hash:
c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29
MD5 hash:
7383fc6f03529d971ce0294f7ed95aa2
SHA1 hash:
18fccedde4290e98bd58a4b271eb0020427e508d
Link:
https://www.unpac.me/results/efa5c596-1264-4901-ac03-114f176b35eb/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c622b6daa8d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c622b6daa8d65ff7f62acfecd5ddbf20c1c80cce66638b891052f17efbd0ce29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments