MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e3b29233e6a6a4ecaf96ba5099906eebe12f264469c88940df03ff15d1f61dcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 15
| SHA256 hash: | e3b29233e6a6a4ecaf96ba5099906eebe12f264469c88940df03ff15d1f61dcc |
|---|---|
| SHA3-384 hash: | e0c388b27e4ca0a6cb451a7a89b5291db8756712f87165155ab63c85e90b9053cbcb0236020f3d828a0ab4a3b4808db6 |
| SHA1 hash: | 9f57190ab2cb002f0cc7416fcc5d31ddd5b0e12f |
| MD5 hash: | afe411f62fa3d2a1f6f04848401a2758 |
| humanhash: | wisconsin-hotel-shade-saturn |
| File name: | e3b29233e6a6a4ecaf96ba5099906eebe12f264469c88940df03ff15d1f61dcc.bin |
| Signature | RedLineStealer |
| File size: | 788'480 bytes |
| First seen: | 2023-05-14 18:36:53 UTC |
| Last seen: | 2023-05-14 18:48:41 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader) |
| ssdeep | 12288:vMrny90mcwwl8Suwiomg5khaxF0K0OANaggslg/DHeLLkH4dV/nlmKZHc:EySw28oMhIHANafB7evk4c |
| TLSH | T127F42312BAE54473E9B413B048F707D3063B7C9498B8929F3385595B6DB33C4A476B3A |
| TrID | 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) |
| File icon (PE): | |
| dhash icon | f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader) |
| Reporter | |
| Tags: | RedLineStealer |
Intelligence
File Origin
# of uploads :
2
# of downloads :
48
Origin country :
GB
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
e3b29233e6a6a4ecaf96ba5099906eebe12f264469c88940df03ff15d1f61dcc.bin
Verdict:
Malicious activity
Analysis date:
2023-05-14 20:32:12 UTC
Tags:
rat redline trojan amadey loader
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Launching a process
Launching cmd.exe command interpreter
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
advpack.dll anti-vm CAB greyware installer packed rundll32.exe setupapi.dll shell32.dll
Verdict:
Malicious
Labeled as:
Win/malicious_confidence_100%
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Deyma
Verdict:
Malicious
Result
Threat name:
Amadey, RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.RedLineStealer
Status:
Malicious
First seen:
2023-05-11 08:28:32 UTC
File Type:
PE (Exe)
Extracted files:
119
AV detection:
27 of 37 (72.97%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline botnet:debro discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.161.248.75:4132
Unpacked files
SHA256 hash:
389c88af69acdd1a6211f2a983b3e46fb7fd4212799293a803b9dfe340670f5f
MD5 hash:
81e86042bdb2e0504ef951fd977d5598
SHA1 hash:
f158153bbf3cc04e7343f92a1972730d4111844e
SHA256 hash:
30242d11a393dc030ca87c26c6697275921d022aef45c7368feb8ba44de67852
MD5 hash:
ded5cc23ca0fdf18e31bb43fffbe433c
SHA1 hash:
c147df5cfb9e491dd8218cf57c0e74efc61fa171
SHA256 hash:
1c4608523433d0c98a2d18d60099c952ca925373ecfcc7204d57256022d61620
MD5 hash:
e6867196c365070442f1f0ac94f65e75
SHA1 hash:
91fad5e06ccfa29f8082bdc97b54f66f85cdc5f2
SHA256 hash:
65e3f9ea225f1c842cc71ccfaaa74174c38d4c624c821d57352914e1c4d09e66
MD5 hash:
d1338c90a84d234f218d6a2b1eb1c88b
SHA1 hash:
27397174456886505c24f5629eadab18c16086f0
Detections:
redline
Parent samples :
SHA256 hash:
9268ca176564eaf3af72508868e20958b5d64ee672550ed9be7739eaffa9b702
MD5 hash:
ed123698afc4095920052530bcebb8e1
SHA1 hash:
796694746464a09fe3a67fa39ff8ec0e0e805aeb
Detections:
Amadey
Parent samples :
SHA256 hash:
bdb9658dc827b1e749eef40b8d5d99e4c665639552b42951d44e9cacc6ebe830
MD5 hash:
b602df74a9c6914e8fe6f30de28ee1a5
SHA1 hash:
18887e65dbf42783ba5bffc8dc1a6682ffdccef7
SHA256 hash:
e3b29233e6a6a4ecaf96ba5099906eebe12f264469c88940df03ff15d1f61dcc
MD5 hash:
afe411f62fa3d2a1f6f04848401a2758
SHA1 hash:
9f57190ab2cb002f0cc7416fcc5d31ddd5b0e12f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.