MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e
SHA3-384 hash: 6a12adee3283e31b49737f16e4ae008caf64f1175c2eab252ac0fbd9ef8c171493beb81ba6ef2f3db385aa15097b0552
SHA1 hash: 8bed0b5da45422d839446df8f87dec514b88b848
MD5 hash: 6029b53a99c95c89f05348134130ef59
humanhash: jersey-bakerloo-solar-summer
File name:6029b53a99c95c89f05348134130ef59.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:786'432 bytes
First seen:2023-07-16 07:26:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:1MrOy90ds4JKIlZCuYpzqJ8x0KfiaI/e1lDsyCPLVD+trmFGEkh4aWF:LyAkgC0pKVIIDUPhCtrmFk4RF
Threatray 639 similar samples on MalwareBazaar
TLSH T134F42287B7D90075E8B66B3048FB01A32735BDE05D78822B36D1E99F1CF2289A571367
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
77.91.68.56:19071

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
6029b53a99c95c89f05348134130ef59.exe
Verdict:
Malicious activity
Analysis date:
2023-07-16 07:57:02 UTC
Tags:
rat redline amadey trojan opendir loader
Link:
https://app.any.run/tasks/0350a92a-e041-4427-90e6-be360c1846b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/420860/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Creating a window
Launching a process
Launching cmd.exe command interpreter
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm CAB confuserex control explorer installer lolbin lolbin packed packed replace rundll32 setupapi shell32 stealer
Link:
https://www.filescan.io/uploads/64b39c097a9c6ddebf0ae909/reports/0a6eb068-71d7-4c8c-b492-d4353ae59fff/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf20dc98-95a0-4daa-9ede-64d45a90aa07
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273963
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1273963 Sample: Xt2zj6OYjw.exe Startdate: 16/07/2023 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 15 other signatures 2->86 11 Xt2zj6OYjw.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 6 other processes 2->18 process3 file4 70 C:\Users\user\AppData\Local\...\x4682297.exe, PE32 11->70 dropped 72 C:\Users\user\AppData\Local\...\j5194231.exe, PE32 11->72 dropped 20 x4682297.exe 1 4 11->20         started        process5 file6 58 C:\Users\user\AppData\Local\...\x1802191.exe, PE32 20->58 dropped 60 C:\Users\user\AppData\Local\...\i7551417.exe, PE32 20->60 dropped 88 Antivirus detection for dropped file 20->88 90 Multi AV Scanner detection for dropped file 20->90 92 Machine Learning detection for dropped file 20->92 24 x1802191.exe 1 4 20->24         started        signatures7 process8 file9 66 C:\Users\user\AppData\Local\...\h4111073.exe, PE32 24->66 dropped 68 C:\Users\user\AppData\Local\...\g2449513.exe, PE32 24->68 dropped 102 Antivirus detection for dropped file 24->102 104 Multi AV Scanner detection for dropped file 24->104 106 Machine Learning detection for dropped file 24->106 28 h4111073.exe 3 24->28         started        32 g2449513.exe 5 24->32         started        signatures10 process11 dnsIp12 74 C:\Users\user\AppData\Local\...\danke.exe, PE32 28->74 dropped 108 Antivirus detection for dropped file 28->108 110 Multi AV Scanner detection for dropped file 28->110 112 Machine Learning detection for dropped file 28->112 35 danke.exe 17 28->35         started        76 77.91.68.56, 19071, 49692 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 32->76 114 Found evasive API chain (may stop execution after checking mutex) 32->114 116 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->116 118 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->118 120 Tries to harvest and steal browser information (history, passwords, etc) 32->120 40 conhost.exe 32->40         started        file13 signatures14 process15 dnsIp16 78 77.91.68.3, 49693, 49694, 49695 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 35->78 62 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 35->62 dropped 64 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 35->64 dropped 94 Antivirus detection for dropped file 35->94 96 Multi AV Scanner detection for dropped file 35->96 98 Creates an undocumented autostart registry key 35->98 100 2 other signatures 35->100 42 cmd.exe 35->42         started        44 schtasks.exe 1 35->44         started        46 rundll32.exe 35->46         started        file17 signatures18 process19 process20 48 conhost.exe 42->48         started        50 cmd.exe 42->50         started        52 cacls.exe 42->52         started        56 4 other processes 42->56 54 conhost.exe 44->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e/
Threat name:
Win32.Trojan.Zeus
Create hunting rule
Status:
Malicious
First seen:
2023-07-16 06:56:11 UTC
File Type:
PE (Exe)
Extracted files:
116
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztvt3qnfjvhbjz5s3lberhs42ymuyd2rwbspnzzgekp3pgg6wiha._file
Verdict:
malicious
Similar samples:
104399b794bac1d21011dac49b4b665180424ac938eecc1be37026a011daea96
RedLineStealer
28304a7d6787e28ffcb4985fbc4cd70b327621c4a6c2e21a7585ddb8699dd91a
RedLineStealer
3d779f55ce6590dd09d25c9e63367d408da923845c734e3bdcfc2058e937012a
RedLineStealer
415eb1fd925f853e9042e20a65421e1cbf85617c94e3cea88621d2a9c1d8652c
RedLineStealer
49a8afe0e88e497b4673eb06fbd8898facc3bee2e1830ca556be94b6d75a7047
RedLineStealer
5339db49221a69b2723c19804390ed986019b07b064f370bf5317962c235cccf
RedLineStealer
54c875e1aa037bd5644740807a2db58a096e1e61afe938f407b90aa0884878cc
RedLineStealer
589598f28559e972e9cfe2b17798a77c91d90dfc4c6abcbec2ce2f84cd972216
RedLineStealer
c0e8f4969bba14ab50315506d2afcce58104d1c493bb62b3fd7ca86c25723a41
RedLineStealer
edcd11e45efed930a5a9563c77aa25c91d52061edd71739f3b01b63568f9d706
RedLineStealer
+ 629 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:lamp infostealer persistence
Link:
https://tria.ge/reports/230716-japveadh3s/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
77.91.68.56:19071
Unpacked files
SH256 hash:
86f8ea40f5d81d04538041c144bb063796ddbbe705a483a1e1625369f03d4ef0
MD5 hash:
a7900a9e6f9ff2fe413753c011534d43
SHA1 hash:
867dd921d4617171c49fc167d5e05765cf18777e
Link:
https://www.unpac.me/results/28523995-af56-43e3-8455-6574048ed121/
SH256 hash:
d3ced892fe912e4daa227cd24aba36fbad5a68cde1c80a53ad7d28406ee14d2b
MD5 hash:
db683c2b1e5eb020e9f6b56c346660ca
SHA1 hash:
718603712af0ab661fdd40d8dd2d3c7e3ea9efc2
Link:
https://www.unpac.me/results/28523995-af56-43e3-8455-6574048ed121/
SH256 hash:
5768c4fef91c28786ef0a7f166f84cf6039779a43707f9bc0836d961523ee951
MD5 hash:
4a99d0ab092c7409a20e312f62b1e3ff
SHA1 hash:
a2ee6fb96bf3053144663a709d128bb11eced3c5
Link:
https://www.unpac.me/results/28523995-af56-43e3-8455-6574048ed121/
SH256 hash:
814a68993645dbb727ca80c7e840eb10c427929d5859ce97a39ec52f882ea3ae
MD5 hash:
d74d37df9cc9b7a45517e8dda6fc0833
SHA1 hash:
0dd99bc506c4ce7b41ff40925e6e1b363478c59c
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/28523995-af56-43e3-8455-6574048ed121/
Parent samples :
96357b5ab44f1feadf33064dd5bb5be64e15051acb9bf7d14c5c708225ffb7df
5c392e2a2961e96d305b3ed9af854e043f75ae80b219c612fbc6cd000399f7d6
c723ad5514f1c882ec25abe3f86f8c37845ca600747a258a5d54ac596d27f6df
6c411da48b1bf36ea29f2f6e02278bb6caaf29ab4feece5daabe4dbbf50772d2
fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49
cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e
2cd70321a7f4a39e0fa291841d388eb1f565c800d45aea6db90af9081462fd17
75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af
SH256 hash:
cfc5ebd6c9457d8215311b3a3d98f5d8766f1aeeadd763234da8ab996b00b8dc
MD5 hash:
11425e3192385a95ee8b0353d2986a33
SHA1 hash:
70a7e5bc0094e15fcb85156d8be6759a8a64c4ac
Link:
https://www.unpac.me/results/28523995-af56-43e3-8455-6574048ed121/
SH256 hash:
9a282fffe68bc8ca774fe483fcd722f75c5c021444f3be21d4bfac63099a60c1
MD5 hash:
aa8edc43331072065051c97bb9309ed4
SHA1 hash:
15a63e18fc3f0578d4319d8cba47ff6430e72c88
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/28523995-af56-43e3-8455-6574048ed121/
Parent samples :
7ced3fc7a5e6c84bfdfc4f341e1fa780e32461335f9ff2e271a537dfd1517796
c723ad5514f1c882ec25abe3f86f8c37845ca600747a258a5d54ac596d27f6df
6c411da48b1bf36ea29f2f6e02278bb6caaf29ab4feece5daabe4dbbf50772d2
2b0c74155065ebee97b8bdef3b76c62a66664b2c27f6becab3483a1eacaee1ab
cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e
eae2ebbd7384f13f7ddae701193b9c408f5b7b831268f0029bf72e137ba2d0d1
SH256 hash:
cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e
MD5 hash:
6029b53a99c95c89f05348134130ef59
SHA1 hash:
8bed0b5da45422d839446df8f87dec514b88b848
Link:
https://www.unpac.me/results/28523995-af56-43e3-8455-6574048ed121/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cceb3dc1a54d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2675634/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/420860/

Comments