MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18

Intelligence 18 IOCs YARA File information Comments

SHA256 hash:	cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6
SHA3-384 hash:	0101fb26ee2a7234e14125caf8ee23c333219f1b3225590a358ec0b0f9bf8f41f1b06e4f80c19b3b58722fbbbe240ece
SHA1 hash:	fb49221ec3b9f65cdc8b2319b2ac1d27be9b5ea9
MD5 hash:	fcdfb383e22168fb547a5381b24e3c0e
humanhash:	delta-sink-massachusetts-table
File name:	fcdfb383e22168fb547a5381b24e3c0e.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	905'728 bytes
First seen:	2023-05-11 18:35:35 UTC
Last seen:	2023-05-14 18:46:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:Qy7h0N/W88XJuyLrVXb0Aa0CVFmKn4ZXXKtFoAt:XWW9JTft0F0eFmKOHKx
Threatray	352 similar samples on MalwareBazaar
TLSH	T1361523467AE84473ECF41BB044F613D72734BD716E38AB6B3393898A4C729989439367
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.161.248.75:4132

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

fcdfb383e22168fb547a5381b24e3c0e.exe

Verdict:

Malicious activity

Analysis date:

2023-05-11 18:47:40 UTC

Tags:

rat redline trojan amadey loader

Link:

https://app.any.run/tasks/97d49b7c-ac83-488a-97e8-8347ca3bcd22

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/388494/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.RedLineNET.6.30883.12673.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching a service

Creating a window

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/83554/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

advpack.dll amadey CAB comodo confuserex installer packed packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/645d35bb8fe11ad385ef305e/reports/5633c015-6b3a-438b-80b8-df2be11acd6e/overview

Verdict:

Malicious

Labled as:

HEUR/AGEN.1310591

Link:

https://www.hybrid-analysis.com/sample/cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Deyma

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d6ae88aa-7f74-498f-9830-8884baea1197

Result

Threat name:

Amadey, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1231048

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Amadeys stealer DLL

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-05-11 18:36:51 UTC

File Type:

PE (Exe)

Extracted files:

116

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z34o2c5ouwlx5sjkocbilzt5zbwijmmkn2whfzjwotk3twc7s7ta._file

Verdict:

malicious

RedLineStealer

127331248be3658c2f1156be9b8df2462ae511a94f73d3251f76ff294424b2cb

RedLineStealer

28d3195daf8b48fa262cc9be185e9dd402f79be472874b4070dd0516744b8a63

RedLineStealer

8003e04f598f75df475bebdafb8b1702c4bdff87067b6554942a795a50c5bb73

RedLineStealer

86de0eece0f433c1dad9c51b60a11e39346f6da14ad576d78bd72600d963f80a

RedLineStealer

8c6d489d8ecdd838af163fa9d7dca54122213cb7344e14496966c69e707f556c

RedLineStealer

aa3a84d69bd27931f0e7aeda5ff5cb4f7780644c2bb59bc1c374470c8109d2da

RedLineStealer

e97c547cced7e272f3695066bf3086013be74e24a21bf7bbb9302982edf255ce

RedLineStealer

f984811ca20f0022a21840ccd29a68b8a39d44569b4ecdb9634405e4f404af57

RedLineStealer

fda782d36cbd967d0c3f037110e2419d4676af0a089648fb8c6f8656e97fdb83

RedLineStealer

+ 342 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:debro botnet:gogen discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230511-w9b4tabg2w/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Modifies Windows Defender Real-time Protection settings

RedLine

Malware Config

C2 Extraction:

185.161.248.75:4132

Unpacked files

SH256 hash:

389c88af69acdd1a6211f2a983b3e46fb7fd4212799293a803b9dfe340670f5f

MD5 hash:

81e86042bdb2e0504ef951fd977d5598

SHA1 hash:

f158153bbf3cc04e7343f92a1972730d4111844e

Link:

https://www.unpac.me/results/14c08486-e150-4eeb-a91c-ecfbae5e269b/

SH256 hash:

2550a5839ed554039001288580fccc4f12df05c94e42c9e22b302094ac93dc02

MD5 hash:

299c969f9550e1e4ec7cef95a5a9caeb

SHA1 hash:

b3119fd7abbb34ff11d0f8c0029933fc849ada46

Detections:

redline

Link:

https://www.unpac.me/results/14c08486-e150-4eeb-a91c-ecfbae5e269b/

Parent samples :

d11e02cc2ce31a34d48437992e2e96956b97e249960f2fd28479e8dbd329bbc1
32c7c9dd6ceb2fd8e565617f0e33615c72727f907ca62ffee1e30f6693d35d70
a574f5fe12dd99eb7c6ced297707327025363dc480d1d9b89474bb8ccebdf340
5e97cadd04a17da3f4f87af7b3ac747d3faac664c3588f5d212965294b8900d3
94e2aab4a036f8788be69af92be5568812541993f735732ec0f0d00dec17126b
bc16fbf93d80cbd51ecff034dce428809c082100d774eee10eceb04fb106a5ff
7a1e764ffbc42d4e9ce414e4f6deb4f44dbe39f2ea4d2ba7b48aaa480e1b4536
93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5
2a21da802e26b2d828b38b3ce2fe3ffce5153e6c6a113f1a091ec874211bc890
f8cb70ff35016137f6ffac142ac61a36f47ee76fc792a865dd0f3c6625958ce8
db1c8fc3822511f7e804660ea93dfe82713dc79a1d9d80cc6bbf236e415d644f
4efd9345b81d93819658bf03353e8bb79e666682256eb551c77b7e9a9dd64a80
c0c1030bbba4126b51da03be33c6bc09da536259c029001f969b28d736f3e011
cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6
9095a896f5486e40ed6f168cc3feb1d6875ffc56e29a86143824b17632d7cc2d
ef0e0f3b397be2c91250868dfd86c94971df26403b3f146683b948d4856ac9a8
bd617ede15a79ede4ac461e6736f133a29ec6d7a79271992270286c2f881422a
c27f551766140e14a35f04c230ed09f28a4df423db1f53dba3bba5046c65bb11
c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e
ce5638eb5fdce0a9882127a6e53553caf3066e1c342115793b42c61389328410
cf27f83a4262559d923a90c2736a92facc137c0843831111e5aab5c7f462f778
d7c3d5e8ae14b370ea237a3af36c68c84f3a291d2f610c47825b80226cfb8ef0
d7f818cdc0949b0698bdb7a1e6b557b2e53d803427d360630602504c30be2ce7
dc647409431a151cbc058716edef6ab85ec267022ed19ce3c971ac11b787321b
df66d72c3c6d6c70f4784e9c24b1af4a3cb07ff9135531903ec1f54b752db6b6
e91cd6f3491d050a5583a85a8a9a661523f373a00251fa4dbccda2c865e7cef9
eca9b94dedeac84fa594bc441da231d795e2bbe961909200cb200aae89857bb1
a36cb619fe3f534ed41d78ea59fdb44890578743adb77e5c217309499726c098

SH256 hash:

b989cc88a1abfc89eea9af21533bb2e8eb851de24c69d6c8c181e9122171da45

MD5 hash:

5a168373e96962f780085a3cd04d0f16

SHA1 hash:

17dd503f42efc178601b66ef460e36906df84179

Link:

https://www.unpac.me/results/14c08486-e150-4eeb-a91c-ecfbae5e269b/

SH256 hash:

44180e2dd1b45d374c73d580aebbbb8f390f2c0f00765d138fb952300f68b0bc

MD5 hash:

14ab6de74614132db925ca1d6d628f76

SHA1 hash:

a05d4306a935bf09de0ab6025c7ab72d08925ef8

Detections:

Amadey

Link:

https://www.unpac.me/results/14c08486-e150-4eeb-a91c-ecfbae5e269b/

Parent samples :

2b4f06b5c00bfef8e1e83bfa46f822dedb09d05779d8171ff91d59994f9bca14
58a30e4769f449019d29b3458663cb51aced48cb23ae507e81c43afb5f8390e2
d11e02cc2ce31a34d48437992e2e96956b97e249960f2fd28479e8dbd329bbc1
32c7c9dd6ceb2fd8e565617f0e33615c72727f907ca62ffee1e30f6693d35d70
a574f5fe12dd99eb7c6ced297707327025363dc480d1d9b89474bb8ccebdf340
5e97cadd04a17da3f4f87af7b3ac747d3faac664c3588f5d212965294b8900d3
94e2aab4a036f8788be69af92be5568812541993f735732ec0f0d00dec17126b
bc16fbf93d80cbd51ecff034dce428809c082100d774eee10eceb04fb106a5ff
7a1e764ffbc42d4e9ce414e4f6deb4f44dbe39f2ea4d2ba7b48aaa480e1b4536
93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5
2a21da802e26b2d828b38b3ce2fe3ffce5153e6c6a113f1a091ec874211bc890
f8cb70ff35016137f6ffac142ac61a36f47ee76fc792a865dd0f3c6625958ce8
4efd9345b81d93819658bf03353e8bb79e666682256eb551c77b7e9a9dd64a80
c0c1030bbba4126b51da03be33c6bc09da536259c029001f969b28d736f3e011
cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6
d44985104da589aa6bb697827e5130180990444cef20cc7e18a5fa9e1847495c
ef0e0f3b397be2c91250868dfd86c94971df26403b3f146683b948d4856ac9a8
bd617ede15a79ede4ac461e6736f133a29ec6d7a79271992270286c2f881422a
c27f551766140e14a35f04c230ed09f28a4df423db1f53dba3bba5046c65bb11
c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e
ce5638eb5fdce0a9882127a6e53553caf3066e1c342115793b42c61389328410
cf27f83a4262559d923a90c2736a92facc137c0843831111e5aab5c7f462f778
d7c3d5e8ae14b370ea237a3af36c68c84f3a291d2f610c47825b80226cfb8ef0
d7f818cdc0949b0698bdb7a1e6b557b2e53d803427d360630602504c30be2ce7
dc647409431a151cbc058716edef6ab85ec267022ed19ce3c971ac11b787321b
df66d72c3c6d6c70f4784e9c24b1af4a3cb07ff9135531903ec1f54b752db6b6
e91cd6f3491d050a5583a85a8a9a661523f373a00251fa4dbccda2c865e7cef9
eca9b94dedeac84fa594bc441da231d795e2bbe961909200cb200aae89857bb1
a36cb619fe3f534ed41d78ea59fdb44890578743adb77e5c217309499726c098

SH256 hash:

b714978ebf438a828cea3d96781e975ab331cd6b35671d3e4cce3cc2e7f47ad2

MD5 hash:

55297698997d3b0453ae290e97f68843

SHA1 hash:

5f51f658f17a0100b6e92ee721399445c871baab

Link:

https://www.unpac.me/results/14c08486-e150-4eeb-a91c-ecfbae5e269b/

SH256 hash:

cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6

MD5 hash:

fcdfb383e22168fb547a5381b24e3c0e

SHA1 hash:

fb49221ec3b9f65cdc8b2319b2ac1d27be9b5ea9

Link:

https://www.unpac.me/results/14c08486-e150-4eeb-a91c-ecfbae5e269b/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cef8ed0baea5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2627020/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/388494/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample