MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceee1fd7052e0a31f5e83c345372f9c5f84c99d794feab96483a804cc6577a42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ceee1fd7052e0a31f5e83c345372f9c5f84c99d794feab96483a804cc6577a42
SHA3-384 hash: 44a81be4fb0dc761443b25fa6201d9e6eb2f091a92a963e772d360098fcdfdb4e159a777212209e4f33801b692f41184
SHA1 hash: c3e590f1d9482f57f483ceb63b02a30f0bbdb189
MD5 hash: d811d45539ce6fb7c666688afdc06226
humanhash: wisconsin-arizona-pasta-blossom
File name:d811d45539ce6fb7c666688afdc06226.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:10'667'520 bytes
First seen:2023-01-09 14:15:00 UTC
Last seen:2023-01-09 15:37:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:nOK0Yldn5RbkX/UYzQ8kpoBmxdd0DyjSnIhjiX2m2KGq1rzA85RQay/xK6WhU5/v:nf06f2UmQ8kpoYdUyj2qUmWAezYp
Threatray 14 similar samples on MalwareBazaar
TLSH T117B63FDC366072DFC957C876DEA82C69FB64647B830F4623906716AD9E0D887CF580B2
TrID 45.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.4% (.EXE) Win64 Executable (generic) (10523/12/4)
9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe
Verdict:
Malicious activity
Analysis date:
2023-01-09 09:46:08 UTC
Tags:
trojan amadey rat redline loader evasion stealer vidar
Link:
https://app.any.run/tasks/c4af3b1d-8dad-427d-bea6-4fa39c211853

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/351139/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.18503.18387.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63bc216b5f356e00329cd638/reports/e3265a7f-b2dc-4ed5-99e2-d327252cad0e/overview
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ac6f7e4c-b8d8-423e-a340-7cf8a0458379
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1148018
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ceee1fd7052e0a31f5e83c345372f9c5f84c99d794feab96483a804cc6577a42/
Threat name:
ByteCode-MSIL.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-01-08 01:07:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
213
AV detection:
16 of 26 (61.54%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3xb7vyffyfdd5pihq2fg4xzyx4ezgoxst7kxfsihkaezrsxpjba._file
Verdict:
malicious
Similar samples:
2160a2fba2efc22751b82cebb9d4ce21dfe35782cfb21bbf512687f413b80e65
RedLineStealer
3b791d58083b7a958b8497c956803b0c1504d0f8ca974f124f45ae8976b16a40
RedLineStealer
6319c7eb7248f45c351456b175b3cc82ccdf5e85d8058d317bca1a1536bfed9c
RedLineStealer
7c0e90c15c64f5929f682a190f06d1e1882e06e6cbdceceb3193c0353bacc219
RedLineStealer
84ebc64b48ecea825050c7691c86a0c05902f87727ee35988819a6d07af111bd
RedLineStealer
867204c01e6d4bc8938eb2faa954bb39b0cc1640c98fb7a7211885991892edb8
RedLineStealer
cbba3a76832ca533bccd400adcceb5e7f9f06098f2bd2c476951964edd552d5c
RedLineStealer
d30fdcf3c1e63aa03fad165cf11e1006bcc6c52330592fa11cd8d8a1eedc3646
RedLineStealer
ef399849449ea137a53b0769960c4fdd204fea9153d89b96fdd5a7ead13927d8
RedLineStealer
+ 4 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1 infostealer spyware
Link:
https://tria.ge/reports/230109-rkkx7shh71/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
80.66.87.22:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4b752829-b1a4-42c0-96f7-2140c7f22ce7
Unpacked files
SH256 hash:
c95f241ab72ab3d04174054cb7a01e74ba9caf16843fe5e36ab09ae75182eb65
MD5 hash:
f700dcd67adad92cc07b4976b87f325b
SHA1 hash:
3734104a67c7f2b6f6a8cca54bcb9421b3b8fec4
Link:
https://www.unpac.me/results/c2f535f6-1c75-45ee-8a13-b7fa80540131/
SH256 hash:
f00c32b9b3dc6bda084cc333c03a6dc7f057a772d29ec015f6424b19779ef5b5
MD5 hash:
bd7168523ba548e78effc8458bc334b0
SHA1 hash:
0ce26f8b155a7e48f91560a10b97fa13b5643ca4
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/c2f535f6-1c75-45ee-8a13-b7fa80540131/
SH256 hash:
ceee1fd7052e0a31f5e83c345372f9c5f84c99d794feab96483a804cc6577a42
MD5 hash:
d811d45539ce6fb7c666688afdc06226
SHA1 hash:
c3e590f1d9482f57f483ceb63b02a30f0bbdb189
Link:
https://www.unpac.me/results/c2f535f6-1c75-45ee-8a13-b7fa80540131/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ceee1fd7052e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ceee1fd7052e0a31f5e83c345372f9c5f84c99d794feab96483a804cc6577a42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ceee1fd7052e0a31f5e83c345372f9c5f84c99d794feab96483a804cc6577a42

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/351139/
  
URLhaus
https://urlhaus.abuse.ch/url/2502198/
  
Delivery method
Distributed via web download

Comments