MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4e29bdb50bcacff016ce87ca68f26d3afe0514692197230347e6c3bb50f4a76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 1 File information Comments

SHA256 hash:	e4e29bdb50bcacff016ce87ca68f26d3afe0514692197230347e6c3bb50f4a76
SHA3-384 hash:	97fe16712ee9a7e4bdb01b4c6fbf5b07ea2632c02eea7868f586b80bc95edfa31a6b2499451a4704f53be43551861024
SHA1 hash:	0101bade207e2108bd68a9f8b7b43d717caac05e
MD5 hash:	ce3e1acd04cc0b9381310809b641422d
humanhash:	wolfram-charlie-monkey-nine
File name:	ce3e1acd04cc0b9381310809b641422d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	831'488 bytes
First seen:	2023-09-05 05:22:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:pyBBwPoYJiN9tc70qOqnolNBh+OwoYrMjcpK/:c/wxJiN9tcYVqOhRYo4pK
Threatray	505 similar samples on MalwareBazaar
TLSH	T100051262B6E84033D9B61BB554F713A70F3A7DF05834816B3705A86E0D33A95B032B67
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

ce3e1acd04cc0b9381310809b641422d.exe

Verdict:

Malicious activity

Analysis date:

2023-09-05 05:24:19 UTC

Tags:

stealer redline amadey botnet trojan stealc opendir loader

Link:

https://app.any.run/tasks/6cb72f38-2ca9-4607-8069-cf3d7fad88c9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/446224/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a service

Creating a file

Сreating synchronization primitives

Sending a custom TCP request

Launching a process

Launching cmd.exe command interpreter

Adding an access-denied ACE

Using the Windows Management Instrumentation requests

Reading critical registry keys

Blocking the Windows Defender launch

Disabling the operating system update service

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Stealing user critical data

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

advpack anti-vm CAB control explorer greyware installer lolbin packed rundll32 setupapi shell32

Link:

https://www.filescan.io/uploads/64f6bb3a4578d9c35e025568/reports/48a6712d-739b-4048-a9c5-d23e73d6b202/overview

Verdict:

Malicious

Labled as:

Crifi.Generic

Link:

https://www.hybrid-analysis.com/sample/e4e29bdb50bcacff016ce87ca68f26d3afe0514692197230347e6c3bb50f4a76

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/10ef2e1c-bac4-49fa-8804-454f27891964

Result

Threat name:

Amadey, Mystic Stealer, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1303277

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Yara detected Amadeys stealer DLL

Yara detected Mystic Stealer

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e4e29bdb50bcacff016ce87ca68f26d3afe0514692197230347e6c3bb50f4a76/

Threat name:

Win32.Trojan.Disabler

Status:

Malicious

First seen:

2023-09-04 22:24:12 UTC

File Type:

PE (Exe)

Extracted files:

155

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4trjxw2qxswp6alm5b6kndzg2ox6aukgsimxembupzwdxnipjj3a._file

Verdict:

malicious

RedLineStealer

20186f72de2f0571d762d6d253dc9d3193ceb8cd93a806c16383de02d08317e6

RedLineStealer

50d4937c5209f877dddf1a19b28e98421f58c6c2332850b9dede53edb9fab2fa

RedLineStealer

6bae2b9a7aebdde484309dcbd6ae0d5d71a2403184d58b7ebf7112d7eed83ef7

RedLineStealer

97acc40979e2c0035df522facaf12fcf594154899ea1c092c1cd9e802f6521f5

RedLineStealer

c6687cf86289be29bdf0c28b729c952b8305ae7fae44501dc2eec83b5340aab2

RedLineStealer

cae5f39a29434b4ef28e43df63d0c89612581432ff9bf1f51fde4f1691071261

RedLineStealer

dada1745b9f6b74b38d3283e7ff9e5b86057e1ae53d1ea80d44ae2e24f55a386

RedLineStealer

e71433ff6592e96e9182e19a58d2a521e55642f35483023df01cd6b89e3a4214

RedLineStealer

ea8929f0ad36abb8af8d27ad2dd381cc36c1c07a3a4ab35a306146c91203f682

RedLineStealer

+ 495 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:amadey family:redline botnet:gena evasion infostealer persistence trojan

Link:

https://tria.ge/reports/230905-f25s6add6w/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Amadey

Modifies Windows Defender Real-time Protection settings

RedLine

Malware Config

C2 Extraction:

77.91.68.18/nice/index.php
77.91.124.82:19071

Unpacked files

SH256 hash:

bab2520411d2c3fe556e10402867e719d7e944e8c522d8ac152d292d3201be04

MD5 hash:

1a784df9022ccbed8f8dfdf147f144ed

SHA1 hash:

8a0f266bfdd3ebc3d04341befab97f4d2f5d7da4

Link:

https://www.unpac.me/results/fc094737-9ae3-4fd5-b2a7-ab076db2e75b/

SH256 hash:

431be214153fd5ffd4ff4fe2826276c8feb1459837eda7462a171c824bd63d31

MD5 hash:

94a8f3962afb223c692c8c8757e2b14d

SHA1 hash:

3d5a3f9bcd56b73a96a70cdfb9def93b54643c1e

Link:

https://www.unpac.me/results/fc094737-9ae3-4fd5-b2a7-ab076db2e75b/

SH256 hash:

3426a870418150027c32efc978ea99a736b6d35a44b1cdf32b03448ce94fb5f9

MD5 hash:

2b38ab636c5c16c622aca553d899ef03

SHA1 hash:

cbb6511bc3d5f042ed4f6114b4b8141f18411fa1

Link:

https://www.unpac.me/results/fc094737-9ae3-4fd5-b2a7-ab076db2e75b/

SH256 hash:

de5458858e1fddf733eed394ec1c3ac770b8208c707ba0ac675ad3e8264a00b0

MD5 hash:

f38620cd66e712ae19b938a605f14bd1

SHA1 hash:

6d5729ec8b93b7d60c53c0f348ff04668749db79

Detections:

Amadey

Link:

https://www.unpac.me/results/fc094737-9ae3-4fd5-b2a7-ab076db2e75b/

SH256 hash:

325a8a3772f7a3d4e3e6939df61ffcb47cc8317c4670ed2824bc95da6251cbdf

MD5 hash:

3bc9bc71dcf893288b10c463b53e53d3

SHA1 hash:

8577dca83cf3ef312564351170c9a9d6d33c4dc4

Detections:

redline

Link:

https://www.unpac.me/results/fc094737-9ae3-4fd5-b2a7-ab076db2e75b/

Parent samples :

3541acee9f8634f0bc847d01de37dab612e02a7966baf4a657b43cb95be745b1
651211f0b4071964a276be6cec49873e8d3b8b11b4210c42c35cb5352fce7bd5
e4e29bdb50bcacff016ce87ca68f26d3afe0514692197230347e6c3bb50f4a76
ebef06cea93474ad22c962b3c42403df203f4142f0c2b2211066d17ce9b68c39

SH256 hash:

c3751ff0d3b3efbef9957760acfcc480de3c8c535b76515a06aa1d308a7b9962

MD5 hash:

b868aa0a12afbd329c3526c1664811ef

SHA1 hash:

d639ac9a0d6a303efb5b98fef1cdb7cbf9d1c1a5

Link:

https://www.unpac.me/results/fc094737-9ae3-4fd5-b2a7-ab076db2e75b/

SH256 hash:

647180cbad0937731482a7d62a5e16f9d764e057f57ac0d92ade9936fe4b4f1e

MD5 hash:

48c716124544b2aedc03404a56da0b1a

SHA1 hash:

324ebef16ba97fa7c8bebc6af1cfba3e65b8eb90

Link:

https://www.unpac.me/results/fc094737-9ae3-4fd5-b2a7-ab076db2e75b/

SH256 hash:

e4e29bdb50bcacff016ce87ca68f26d3afe0514692197230347e6c3bb50f4a76

MD5 hash:

ce3e1acd04cc0b9381310809b641422d

SHA1 hash:

0101bade207e2108bd68a9f8b7b43d717caac05e

Link:

https://www.unpac.me/results/fc094737-9ae3-4fd5-b2a7-ab076db2e75b/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e4e29bdb50bc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e4e29bdb50bcacff016ce87ca68f26d3afe0514692197230347e6c3bb50f4a76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.