MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5c269f8a0e03548ba2167cebcc18dae97387b0ef9e181d11f1d6608709d6753. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 18



SHA256 hash: e5c269f8a0e03548ba2167cebcc18dae97387b0ef9e181d11f1d6608709d6753
SHA3-384 hash: 7a246b4bb54b1c9b399db33d6ef63b5d558e2db98eac8ad24ad56b310880ff5b4aeeb91bd493cba99299093dba16ac1f
SHA1 hash: 89f2b3087e9de5e16da74eb9852e01997fd56df6
MD5 hash: 84238bc383b82aef7cc67f29d1ed0714
humanhash: minnesota-juliet-montana-quebec
File name: 84238bc383b82aef7cc67f29d1ed0714.exe
Download: download sample
Signature: RedLineStealer
File size: 499'712 bytes
First seen: 2023-05-10 14:20:33 UTC
Last seen: 2023-05-13 22:45:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:FMrVy90mDtqu7Iu6HeRjBVPLZCkBld3SF6+S5b:gyxDUxPQxfDcF6+Ib
Threatray 297 similar samples on MalwareBazaar
TLSH T16FB41202E7D88033DC75277458FB07D71A39FD625E74926F2B85AC4A0DB3A94A832772
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags: exe RedLineStealer
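Before handling a sample fetched from the download link above, check that what you extracted is the file this entry describes. The script below is an added example, not MalwareBazaar's own tooling: it recomputes the four digests listed in the entry (MD5, SHA1, SHA256, SHA3-384) and does a minimal PE-header check matching the listed MIME type application/x-dosexec. The bytes hashed by default are a constructed placeholder so that the script runs offline; pass a file path to hash a real sample. Note that MalwareBazaar serves samples as a password-protected ZIP (password "infected"); hash the extracted executable, not the archive.

```python
"""Verify a downloaded sample against the hashes listed in the MalwareBazaar entry.

Added example (not MalwareBazaar code). EXPECTED holds the digests from this page;
build_fake_pe() returns a constructed stand-in so the script runs offline.
"""
import hashlib
import struct
import sys

# Digests copied from the entry above.
EXPECTED = {
    "sha256": "e5c269f8a0e03548ba2167cebcc18dae97387b0ef9e181d11f1d6608709d6753",
    "sha3_384": "7a246b4bb54b1c9b399db33d6ef63b5d558e2db98eac8ad24ad56b310880ff5b4aeeb91bd493cba99299093dba16ac1f",
    "sha1": "89f2b3087e9de5e16da74eb9852e01997fd56df6",
    "md5": "84238bc383b82aef7cc67f29d1ed0714",
}


def digests(data: bytes) -> dict:
    """Compute the same four digests the entry lists, as lowercase hex."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_hashes(data: bytes, expected: dict) -> list:
    """Return the names of algorithms whose digest differs; an empty list means every digest matches."""
    actual = digests(data)
    return [name for name, value in expected.items() if actual[name] != value.lower()]


def is_pe(data: bytes) -> bool:
    """Cheap structural check for a Windows PE: 'MZ' stub, e_lfanew at 0x3C, 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed 128-byte blob with a valid MZ/PE layout; NOT the real sample."""
    blob = bytearray(128)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_fake_pe()
    print("PE header:", "ok" if is_pe(data) else "NOT a PE")
    bad = verify_hashes(data, EXPECTED)
    print("all digests match the entry" if not bad else "MISMATCH on: " + ", ".join(bad))
```

A mismatch on every algorithm (which is what the placeholder produces) means you are not looking at the file the entry describes; a mismatch on only some would indicate a transcription error in the expected values rather than a different file.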


abuse_ch
RedLineStealer C2:
217.196.96.102:4132

Intelligence


File Origin
# of uploads:
2
# of downloads:
269
Origin country:
NL
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
84238bc383b82aef7cc67f29d1ed0714.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 14:21:25 UTC
Tags:
rat redline amadey trojan loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll anti-vm CAB greyware installer packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 863216  Sample: 6BF4DUqvUA.exe  Start date: 10/05/2023  Architecture: WINDOWS  Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
Process tree (dropped files, network contacts and per-process signatures as labelled in the graph):
  6BF4DUqvUA.exe (started)
    drops C:\Users\user\AppData\Local\...\y1761151.exe (PE32)
    drops C:\Users\user\AppData\Local\...\m7382782.exe (PE32)
    y1761151.exe (started)
      drops C:\Users\user\AppData\Local\...\l8329701.exe (PE32)
      drops C:\Users\user\AppData\Local\...\k7736070.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      l8329701.exe (started)
        network: 217.196.96.102 port 4132 (source ports 49696, 49697), RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures
      k7736070.exe (started)
        signatures: Machine Learning detection for dropped file; Disable Windows Defender notifications (registry); Disable Windows Defender real time protection (registry)
  rundll32.exe (started)
  rundll32.exe (started)
Threat name:
Win32.Trojan.RedLineStealer
Status:
Malicious
First seen:
2023-05-10 14:21:08 UTC
File Type:
PE (Exe)
Extracted files:
79
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline botnet:dippo discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
217.196.96.102:4132
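The C2 socket extracted above (also reported in the abuse_ch comment near the top) and the behaviour signatures "Disable Windows Defender real time protection (registry)", "Disable Windows Defender notifications (registry)" and "Adds Run key to start application" are the indicators a responder would hunt for first. The script below is an added example, not code from MalwareBazaar or from any sandbox cited on this page. It matches the entry's C2 IP:port against Zeek conn.log records and flags Sysmon Event ID 13 (registry value set) records that set a Defender policy value to a non-zero DWORD or write under a Run key. The Defender value names are Microsoft's documented policy settings; which of them this loader actually sets is an assumption, since the page names the behaviour but not the values. The Zeek and Sysmon records are constructed for the example.

```python
"""Hunt this entry's indicators in network and host telemetry.

Added example; not code from MalwareBazaar or the sandboxes cited on the page.
C2_SOCKETS comes from the entry. DEFENDER_KILL_VALUES are Microsoft's documented
Defender policy values; which of them the loader sets is an assumption here.
ZEEK_CONN_LOG and SYSMON_EVENTS are constructed so the script runs offline.
"""
import re

C2_SOCKETS = {("217.196.96.102", 4132)}   # from the entry's C2 extraction

DEFENDER_KILL_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress",
}
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")   # Sysmon 'Details' format for REG_DWORD

# Constructed Zeek conn.log excerpt (tab-separated, '#fields' header as Zeek writes it).
ZEEK_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1683728450.1\tCx1\t10.0.0.15\t49696\t217.196.96.102\t4132\ttcp\t-\n"
    "1683728451.4\tCx2\t10.0.0.15\t49697\t217.196.96.102\t4132\ttcp\t-\n"
    "1683728460.7\tCx3\t10.0.0.22\t51000\t93.184.216.34\t443\ttcp\tssl\n"
)

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, flattened to dicts.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed user SID
SYSMON_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\lab\AppData\Local\Temp\k7736070.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\lab\AppData\Local\Temp\k7736070.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\lab\AppData\Local\Temp\l8329701.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\lab\AppData\Local\Temp\l8329701.exe"},
    # An administrator re-enabling protection writes 0: must not be reported.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
]


def parse_zeek_conn(text):
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def find_c2_connections(conn_log):
    """Records whose responder socket is one of the entry's C2 sockets."""
    return [r for r in parse_zeek_conn(conn_log)
            if (r["id.resp_h"], int(r["id.resp_p"])) in C2_SOCKETS]


def dword_value(details):
    """Integer value of a Sysmon 'DWORD (0x...)' Details string, or None if not a DWORD."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def find_defender_tampering(events):
    """Event 13 records that set a Defender kill-switch policy value to non-zero."""
    wanted = {v.lower() for v in DEFENDER_KILL_VALUES}
    return [e for e in events if e.get("EventID") == 13
            and e.get("TargetObject", "").lower() in wanted
            and (dword_value(e.get("Details")) or 0) != 0]


def find_run_key_persistence(events):
    """Event 13 records writing under any hive's CurrentVersion\\Run (the 'Adds Run key' behaviour)."""
    return [e for e in events if e.get("EventID") == 13
            and "\\currentversion\\run\\" in e.get("TargetObject", "").lower()]


if __name__ == "__main__":
    for r in find_c2_connections(ZEEK_CONN_LOG):
        print(f"C2 beacon: {r['id.orig_h']}:{r['id.orig_p']} -> {r['id.resp_h']}:{r['id.resp_p']} uid={r['uid']}")
    for e in find_defender_tampering(SYSMON_EVENTS):
        print(f"Defender tamper: {e['Image']} set {e['TargetObject']} = {e['Details']}")
    for e in find_run_key_persistence(SYSMON_EVENTS):
        print(f"Run key persistence: {e['Image']} wrote {e['TargetObject']} -> {e['Details']}")
```

The IP:port match is deliberately exact rather than IP-only: the ASN in the behaviour graph is a shared hosting range, so a bare IP match would be noisier. The Defender check keys on the value being non-zero so that a legitimate reset to 0 by an administrator is not reported as tampering.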
Unpacked files
SHA256 hash:
1926ba7c73ab6a4ecc2ee4a7364267bce062766d506e11563756593e78d264fe
MD5 hash:
0df040326eee00382165537cc5ad6795
SHA1 hash:
bc905a2cc7e844b1a991047925dc2c9fda655444
SHA256 hash:
30242d11a393dc030ca87c26c6697275921d022aef45c7368feb8ba44de67852
MD5 hash:
ded5cc23ca0fdf18e31bb43fffbe433c
SHA1 hash:
c147df5cfb9e491dd8218cf57c0e74efc61fa171
SHA256 hash:
1c4608523433d0c98a2d18d60099c952ca925373ecfcc7204d57256022d61620
MD5 hash:
e6867196c365070442f1f0ac94f65e75
SHA1 hash:
91fad5e06ccfa29f8082bdc97b54f66f85cdc5f2
SHA256 hash:
c93148770a6cd4651ea445e26c8a316f310ae5df3c2ff865820f5e8296f93190
MD5 hash:
400099477f3f2f96a450bf4a6b7ea591
SHA1 hash:
ad53b3b0fb60fd8c332a9a3ab138529ea7508a99
Detections:
redline
SHA256 hash:
ec19cfd6a1934b9280fef2f5bc2d980a07c62721d4ebedd3c5cc07d71d250559
MD5 hash:
6ae59c916888c9f278e7a9f4ce4e3e3d
SHA1 hash:
8fa1f11ad24d582ea1e9ea0836d9cd2d5999d869
SHA256 hash:
9268ca176564eaf3af72508868e20958b5d64ee672550ed9be7739eaffa9b702
MD5 hash:
ed123698afc4095920052530bcebb8e1
SHA1 hash:
796694746464a09fe3a67fa39ff8ec0e0e805aeb
Detections:
Amadey
Parent samples:
SHA256 hash:
e5c269f8a0e03548ba2167cebcc18dae97387b0ef9e181d11f1d6608709d6753
MD5 hash:
84238bc383b82aef7cc67f29d1ed0714
SHA1 hash:
89f2b3087e9de5e16da74eb9852e01997fd56df6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e5c269f8a0e03548ba2167cebcc18dae97387b0ef9e181d11f1d6608709d6753

(this sample)

  
Delivery method
Distributed via web download

Comments