MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cde2e1845435e14d8580d0e15264eecb234c7bb7e289abc71dd5f07f17a53d0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cde2e1845435e14d8580d0e15264eecb234c7bb7e289abc71dd5f07f17a53d0f
SHA3-384 hash: 1cbf95a23a866d58aed6aea5a6d82d008fe1eadd7277af0b789af482680980585635114654d2df6f90ede39d684e542c
SHA1 hash: e92a06ca778547ff248c2d73d6c6038851529dfc
MD5 hash: b639244519764d606ac92428a744bfa0
humanhash: may-coffee-one-sink
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:899'584 bytes
First seen:2023-10-15 06:35:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:VygZpR/5ZCqbcUKGIyjq+ilI5HjPn7GZ2wv:wGR/rUGIyjzWO7
Threatray 1'518 similar samples on MalwareBazaar
TLSH T14B15230567E98423FCBD277159F7136306327CE3EDB8839A2782A99909B1D80E47573B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://77.91.68.249/navi/kur90.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-15 06:38:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/57c1d618-855e-4d9c-967f-ea9cda167999

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/454500/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Launching a service
Creating a file
Forced shutdown of a system process
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/652b887d853e4f06480b9644/reports/ac1aa763-99c7-455b-ac3c-670fdc1c2016/overview
Verdict:
Malicious
Labled as:
Kryptik.JKR.gen
Link:
https://www.hybrid-analysis.com/sample/cde2e1845435e14d8580d0e15264eecb234c7bb7e289abc71dd5f07f17a53d0f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Healer AVKiller
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a1df134-0bcf-4103-81a4-0c7b5ef4bd75
Result
Threat name:
Amadey, Babadeda, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325853
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found API chain indicative of debugger detection
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1325853 Sample: file.exe Startdate: 15/10/2023 Architecture: WINDOWS Score: 100 165 youtube-ui.l.google.com 2->165 167 www3.l.google.com 2->167 169 11 other IPs or domains 2->169 193 Snort IDS alert for network traffic 2->193 195 Multi AV Scanner detection for domain / URL 2->195 197 Found malware configuration 2->197 199 18 other signatures 2->199 15 file.exe 1 4 2->15         started        18 rundll32.exe 2->18         started        20 rundll32.exe 2->20         started        22 twjsiar 2->22         started        signatures3 process4 file5 145 C:\Users\user\AppData\Local\...\zF9oD24.exe, PE32 15->145 dropped 147 C:\Users\user\AppData\Local\...\5Hg3au1.exe, PE32 15->147 dropped 24 zF9oD24.exe 1 4 15->24         started        process6 file7 133 C:\Users\user\AppData\Local\...\cM8af82.exe, PE32 24->133 dropped 135 C:\Users\user\AppData\Local\...\4yV889bJ.exe, PE32 24->135 dropped 247 Antivirus detection for dropped file 24->247 249 Multi AV Scanner detection for dropped file 24->249 251 Machine Learning detection for dropped file 24->251 28 cM8af82.exe 1 4 24->28         started        signatures8 process9 file10 137 C:\Users\user\AppData\Local\...\VJ0bu40.exe, PE32 28->137 dropped 139 C:\Users\user\AppData\Local\...\3tt64EQ.exe, PE32 28->139 dropped 253 Multi AV Scanner detection for dropped file 28->253 32 3tt64EQ.exe 1 28->32         started        35 VJ0bu40.exe 1 4 28->35         started        signatures11 process12 file13 181 Multi AV Scanner detection for dropped file 32->181 183 Found API chain indicative of debugger detection 32->183 185 Writes to foreign memory regions 32->185 187 2 other signatures 32->187 38 AppLaunch.exe 32->38         started        41 conhost.exe 32->41         started        43 WerFault.exe 32->43         started        117 C:\Users\user\AppData\Local\...\2hC6267.exe, PE32 35->117 dropped 119 C:\Users\user\AppData\Local\...\1BY19ac0.exe, PE32 35->119 dropped 45 1BY19ac0.exe 35->45         started        47 2hC6267.exe 1 35->47         started        signatures14 process15 signatures16 229 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 38->229 231 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->231 233 Maps a DLL or memory area into another process 38->233 245 2 other signatures 38->245 49 explorer.exe 38->49 injected 54 explothe.exe 38->54         started        56 Conhost.exe 38->56         started        235 Found API chain indicative of debugger detection 45->235 237 Contains functionality to inject code into remote processes 45->237 239 Writes to foreign memory regions 45->239 58 AppLaunch.exe 9 1 45->58         started        60 WerFault.exe 22 16 45->60         started        241 Allocates memory in foreign processes 47->241 243 Injects a PE file into a foreign processes 47->243 62 AppLaunch.exe 12 47->62         started        64 WerFault.exe 21 16 47->64         started        66 conhost.exe 47->66         started        process17 dnsIp18 153 5.42.65.80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 49->153 155 77.91.68.29 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 49->155 163 3 other IPs or domains 49->163 105 C:\Users\user\AppData\Local\TempC01.exe, PE32 49->105 dropped 107 C:\Users\user\AppData\Local\Temp4DC.exe, PE32 49->107 dropped 109 C:\Users\user\AppData\Local\Temp\D923.exe, PE32 49->109 dropped 115 8 other files (7 malicious) 49->115 dropped 201 System process connects to network (likely due to code injection or exploit) 49->201 203 Benign windows process drops PE files 49->203 205 Hides that the sample has been downloaded from the Internet (zone.identifier) 49->205 68 9DE8.exe 49->68         started        72 C106.exe 49->72         started        74 A115.exe 49->74         started        76 5 other processes 49->76 157 77.91.124.1 ECOTEL-ASRU Russian Federation 54->157 159 play.google.com 54->159 111 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 54->111 dropped 113 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 54->113 dropped 207 Creates an undocumented autostart registry key 54->207 209 Modifies windows update settings 58->209 211 Disable Windows Defender notifications (registry) 58->211 213 Disable Windows Defender real time protection (registry) 58->213 161 5.42.92.88 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 62->161 file19 signatures20 process21 file22 121 C:\Users\user\AppData\Local\...\oP7NG5oA.exe, PE32 68->121 dropped 123 C:\Users\user\AppData\Local\...\6vS60Qu.exe, PE32 68->123 dropped 215 Antivirus detection for dropped file 68->215 217 Machine Learning detection for dropped file 68->217 78 oP7NG5oA.exe 68->78         started        125 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 72->125 dropped 219 Multi AV Scanner detection for dropped file 72->219 82 oneetx.exe 72->82         started        221 Found API chain indicative of debugger detection 74->221 223 Writes to foreign memory regions 74->223 225 Allocates memory in foreign processes 74->225 84 conhost.exe 74->84         started        127 C:\Users\user\AppData\Local\...\explothe.exe, PE32 76->127 dropped 227 Injects a PE file into a foreign processes 76->227 86 chrome.exe 76->86         started        89 conhost.exe 76->89         started        91 conhost.exe 76->91         started        93 chrome.exe 76->93         started        signatures23 process24 dnsIp25 141 C:\Users\user\AppData\Local\...141k3zl7xa.exe, PE32 78->141 dropped 143 C:\Users\user\AppData\Local\...\5jI45Ty.exe, PE32 78->143 dropped 255 Antivirus detection for dropped file 78->255 257 Machine Learning detection for dropped file 78->257 95 Nk3zl7xa.exe 78->95         started        259 Multi AV Scanner detection for dropped file 82->259 177 192.168.2.5, 443, 49708 unknown unknown 86->177 179 239.255.255.250 unknown Reserved 86->179 99 chrome.exe 86->99         started        file26 signatures27 process28 dnsIp29 149 C:\Users\user\AppData\Local\...\Rc2XG5zK.exe, PE32 95->149 dropped 151 C:\Users\user\AppData\Local\...\4zm621Of.exe, PE32 95->151 dropped 189 Antivirus detection for dropped file 95->189 191 Machine Learning detection for dropped file 95->191 102 Rc2XG5zK.exe 95->102         started        171 www.google.com 142.250.188.228 GOOGLEUS United States 99->171 173 play.google.com 142.250.188.238 GOOGLEUS United States 99->173 175 10 other IPs or domains 99->175 file30 signatures31 process32 file33 129 C:\Users\user\AppData\Local\...\IZ1uQ8Hk.exe, PE32 102->129 dropped 131 C:\Users\user\AppData\Local\...\3ba3Te31.exe, PE32 102->131 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cde2e1845435e14d8580d0e15264eecb234c7bb7e289abc71dd5f07f17a53d0f
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-10-15 07:01:16 UTC
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxrodbcugxqu3bma2dqvezhozmruy65x4ke2xry52xyh6f5fhuhq._file
Verdict:
malicious
Similar samples:
16d1a075654019ae8daaa42fdd5de6900f9956c9bcd76d0213678af49acacacf
RedLineStealer
48f7a5ea24629389edc536091f1926ebc0ed159a000f31e847e90c9fa5d5ab34
RedLineStealer
4fcea54a9c17fac90f3b6b0d80308d5f2b7ae10c2bf51e495aed311cf2dee18a
RedLineStealer
64219b448e6239125597fce4a61477bb627f5e5f25bbda18c1d332f3a7f335f6
RedLineStealer
7c5e9ace70e1d7b0e4b4b326839a1f1d82ae8c1c4136fe3e86b627b278d59b4a
RedLineStealer
95b032534407f098cd6afaf8388a08348f7c3ce991059cd65eb66885451018cf
RedLineStealer
97a6ff69b40f3587e4a792235f4cddd5dbc76940ae8630e9e474c807ad1634e4
RedLineStealer
b3ef8346783b53a63fd52fa50cfba5f0322ee95dc1f723bee0405c4d5c44263b
RedLineStealer
c279bdf117c56f3ae2931ce5864df8d291f523c359342ef48ced08ed47b72127
RedLineStealer
f88cd251b69365735b28791a22f55c246039ea1358b594f08972ca465fae617c
RedLineStealer
+ 1'508 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/231015-hdazzsdc6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/8dfe6851-8af0-4bb3-9755-0dc63b7d74f6/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
1edf94f8f63f413c28d7bc9183b64b0e61880c376aac9a1722bf3491bea51aa2
MD5 hash:
50406e410e6d0bad85754773378a8cef
SHA1 hash:
eed419c4eec8d223ac1f97f43300477b059c911d
Link:
https://www.unpac.me/results/8dfe6851-8af0-4bb3-9755-0dc63b7d74f6/
SH256 hash:
bc7bce068b2038d44f074116dc35ccfbf45ae29a6eb9e04a84193b6f8338a6d9
MD5 hash:
2b4b0f5f93e5b564239aeaf93ab02d61
SHA1 hash:
ee79c7105538642c08cdb5708eee3fe237ef01df
Link:
https://www.unpac.me/results/8dfe6851-8af0-4bb3-9755-0dc63b7d74f6/
SH256 hash:
cde2e1845435e14d8580d0e15264eecb234c7bb7e289abc71dd5f07f17a53d0f
MD5 hash:
b639244519764d606ac92428a744bfa0
SHA1 hash:
e92a06ca778547ff248c2d73d6c6038851529dfc
Link:
https://www.unpac.me/results/8dfe6851-8af0-4bb3-9755-0dc63b7d74f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cde2e1845435e14d8580d0e15264eecb234c7bb7e289abc71dd5f07f17a53d0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2715539/
Cape
Cape
https://www.capesandbox.com/analysis/454500/

Comments