MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceede3f9fd6591b7ddebd806034806085ad914dbea25723a5e08b11de5589879. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

SHA256 hash: ceede3f9fd6591b7ddebd806034806085ad914dbea25723a5e08b11de5589879
SHA3-384 hash: 450b833b26f00cbe7b8151295ba1b5812e1f8aa5a03af562110e9af7264586fc5b4b3726fd2dcef42f5f65ffdade7313
SHA1 hash: f43d3445b8fb31461870265acc7e943da5d7a481
MD5 hash: fe68c6db610d15931ad740d93cb58f7c
humanhash: may-pasta-snake-oranges
File name: file
Signature: RedLineStealer
File size: 875'008 bytes
First seen: 2023-06-08 20:08:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 24576:vy1elPne8Arqw4hfW2FB9yPPEUKBT5A7OXZYSDOvhyP:61CeJr8fWuW8BT5Aapnt
Threatray: 677 similar samples on MalwareBazaar
TLSH: T1FA15231267F59131DDB7277098FA13531F39BCE198688B1B3362DE9E1872681B932327
TrID:
  70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from http://83.97.73.130/gallery/photo250.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 294
Origin country: US
Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-06-08 20:11:32 UTC
Tags: amadey

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating synchronization primitives
Searching for synchronization primitives
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: advpack.dll CAB greyware installer lolbin packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 884534, Sample: file.exe, Startdate: 08/06/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.RedLineStealer
Status: Malicious
First seen: 2023-06-08 20:09:05 UTC
File Type: PE (Exe)
Extracted files: 152
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:crazy botnet:muha discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction: 83.97.73.129:19068
Unpacked files
SHA256 hash:
c2ac3f9ca0b91418459da0c74b4f5d7aadc3a875a580ce749f896019fc60a450
MD5 hash:
363e9645343b5158a269b03fa34ac778
SHA1 hash:
4b45d08c03970a7f42bf5f0b7bfc9bbbc7d1f390
SHA256 hash:
7a71b22a7f12c688d892043cd7057ada0e582cb348699903c0cc1d62096c474e
MD5 hash:
98da280b69b89070e0ff2322e546a59f
SHA1 hash:
1f4b5a5a007ae47cf7f41c8c83ce293ef51859a1
Detections:
redline
SHA256 hash:
5f0d85489ff43a09d04e25ef855dbce4ec44c2b53be38e00e857fdae3b4dd4eb
MD5 hash:
71f42efaec26348bfa0b361087b4231e
SHA1 hash:
d3045626587623ce08f9831aaa94c97049eefadf
Detections:
Amadey
SHA256 hash:
c740d12f8da4104ce6d9e307f477f08062c74676ef445e85078692245e895df2
MD5 hash:
d945dbb6d411f38f792eb87a9df0865b
SHA1 hash:
faecdb19a4cc7392d646125e8bc621a8142eba5b
SHA256 hash:
0929aed00ea0291b4166a257b40ae2b0af076993d0bfba78fa41e82ad9933399
MD5 hash:
46b7002e9828fe04b958da3a1e9ab7a6
SHA1 hash:
720c30f4661621598b525666eb7b9cd6db3f86ca
Detections:
HealerAVKiller
Parent samples :
SHA256 hash:
ceede3f9fd6591b7ddebd806034806085ad914dbea25723a5e08b11de5589879
MD5 hash:
fe68c6db610d15931ad740d93cb58f7c
SHA1 hash:
f43d3445b8fb31461870265acc7e943da5d7a481
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments