MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd23cd6c9799424dd6e56f5e02a194dd6cf06f0272110640dfcbb49e5b613997. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd23cd6c9799424dd6e56f5e02a194dd6cf06f0272110640dfcbb49e5b613997
SHA3-384 hash: e02a915fc0312677b698f92b81bfb9093ff0fa91b6b14674402fb0c4290b9b00b88f3114a3d34c59002b412e0cc7a05f
SHA1 hash: b1c44d698d30fe40a4cc1e187d1e76325d984648
MD5 hash: fbc173f8b7d8b38dabee565aa85fef22
humanhash: hot-uranus-steak-oxygen
File name:fbc173f8b7d8b38dabee565aa85fef22.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:248'097 bytes
First seen:2023-10-17 22:25:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3865972614d44e518713c9a6183fed14 (92 x Amadey, 1 x RedLineStealer, 1 x Backdoor.TeamViewer)
ssdeep 6144:LEPAc72ss5pKL93yMax7pH3F2d1ugMeSWp:LE32xpoaxBFg1ugMeS
Threatray 144 similar samples on MalwareBazaar
TLSH T1953419657912C032D660A5B619F4BFF2C19DA815ABB149EF2B800F77DA112F33970E39
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
171.22.28.239:42359

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
fbc173f8b7d8b38dabee565aa85fef22.exe
Verdict:
Malicious activity
Analysis date:
2023-10-17 22:28:37 UTC
Tags:
amadey botnet stealer trojan opendir loader
Link:
https://app.any.run/tasks/ffbb0780-9d28-40b2-94c1-819f9319a140

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455487/
Detection(s):
Win.Malware.Doina-10001799-0
Create hunting rule

Win.Downloader.Amadey-10008996-0
Create hunting rule

Win.Downloader.Amadey-10011458-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Sending a custom TCP request
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware lolbin overlay shell32
Link:
https://www.filescan.io/uploads/652f09fbafc17c7912f73687/reports/c8faa5ed-09e0-447f-bc0b-c610b46b5a96/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/dd23cd6c9799424dd6e56f5e02a194dd6cf06f0272110640dfcbb49e5b613997
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e20ead2d-cf98-4260-978f-6691db5b4a02
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1327613
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1327613 Sample: cSkMWWD7r4.exe Startdate: 18/10/2023 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 10 other signatures 2->54 8 cSkMWWD7r4.exe 4 2->8         started        12 explothe.exe 2->12         started        14 explothe.exe 2->14         started        16 3 other processes 2->16 process3 file4 44 C:\Users\user\AppData\Local\...\explothe.exe, PE32 8->44 dropped 66 Contains functionality to inject code into remote processes 8->66 18 explothe.exe 17 8->18         started        signatures5 process6 dnsIp7 46 77.91.124.1, 49712, 49713, 49714 ECOTEL-ASRU Russian Federation 18->46 40 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 18->40 dropped 42 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 18->42 dropped 56 Multi AV Scanner detection for dropped file 18->56 58 Creates an undocumented autostart registry key 18->58 60 Machine Learning detection for dropped file 18->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 18->62 23 rundll32.exe 18->23         started        26 cmd.exe 1 18->26         started        28 schtasks.exe 1 18->28         started        file8 signatures9 process10 signatures11 64 Contains functionality to modify clipboard data 23->64 30 conhost.exe 26->30         started        32 cmd.exe 1 26->32         started        34 cacls.exe 1 26->34         started        38 4 other processes 26->38 36 conhost.exe 28->36         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dd23cd6c9799424dd6e56f5e02a194dd6cf06f0272110640dfcbb49e5b613997
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd23cd6c9799424dd6e56f5e02a194dd6cf06f0272110640dfcbb49e5b613997/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-10-17 22:26:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 21 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ur423extfbe3vxfn5pafimu3vwpa3ycoiiqmqg7zo2j4w3bhglq._file
Verdict:
malicious
Similar samples:
15cba6399670fb23e90939e012db772adc6922cd160d5dddcf6f4eed2c888d43
RedLineStealer
1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
RedLineStealer
34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181
RedLineStealer
488b9084451ceb07b7b18b45ac27ba066d76d81aad5c484c5c13a692345c7bf6
RedLineStealer
68c52b5d06a02d8382c159de27eceb800d1c5f8ca21c03b00f17a9af11ee250d
RedLineStealer
6d9b4a93f740f8bfcb75f34163e4a8e5eba03c0a61b187c356011f7f367246d4
RedLineStealer
6ecf835556c666d9c17c11473060876684c92536382867c591c66110ff225f7c
RedLineStealer
ba3ca45f59a351649b82a187dab6af4b79462528d2d5355dd85ff107a726e76c
RedLineStealer
f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7
RedLineStealer
fcf8b3334a4c5863aa1006ca4674c344f1f39c2ca19a010722671494c14e985b
RedLineStealer
+ 134 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey trojan
Link:
https://tria.ge/reports/231017-2chszshg9w/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Malware Config
C2 Extraction:
http://77.91.124.1/theme/index.php
Unpacked files
SH256 hash:
dd23cd6c9799424dd6e56f5e02a194dd6cf06f0272110640dfcbb49e5b613997
MD5 hash:
fbc173f8b7d8b38dabee565aa85fef22
SHA1 hash:
b1c44d698d30fe40a4cc1e187d1e76325d984648
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/b0dfc8a0-8e43-468e-9ee4-28756cddc8c3/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dd23cd6c9799/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd23cd6c9799424dd6e56f5e02a194dd6cf06f0272110640dfcbb49e5b613997

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_Amadey
Create hunting rule
Author:ditekSHen
Description:Amadey downloader payload
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Amadey_7abb059b
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.amadey.
Rule name:win_amadey_bytecodes_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe dd23cd6c9799424dd6e56f5e02a194dd6cf06f0272110640dfcbb49e5b613997

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2654757/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/455487/

Comments