MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee3b8f4cf50bc29ca435db6bfa3b5f4bca15cc3c9e0141819a6fd4e10ee04f5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16



SHA256 hash: ee3b8f4cf50bc29ca435db6bfa3b5f4bca15cc3c9e0141819a6fd4e10ee04f5a
SHA3-384 hash: 214881abf0ae08a7b346e17f8f241e5197118887cf2cb8d604a7750910a719b3224d46d6505bb248d8cfe4b98b42fca3
SHA1 hash: 6a399fc242b2040e1cbf515e5366bdb2457c30db
MD5 hash: 6d7fa58e7e42b34000a543097964dfe3
humanhash: queen-white-kentucky-eight
File name: 6d7fa58e7e42b34000a543097964dfe3.exe
Signature: RedLineStealer
File size: 485'888 bytes
First seen: 2023-02-14 18:37:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 6144:Kmy+bnr+Ep0yN90QE5hOwjMwg9CK+9tOxotZEt+DVTW2HFiCf+rkKGdaUI1rGsI:eMrsy901OwjM79uNPEtPMU4IdTdGt
Threatray: 2'641 similar samples on MalwareBazaar
TLSH: T1E9A4025BF7EC5031DCB413B01DF612C31636BEA15B39825B278EAC5E1CB2664A63136B
TrID:
  70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 189
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 6d7fa58e7e42b34000a543097964dfe3.exe
Verdict: Malicious activity
Analysis date: 2023-02-14 18:52:55 UTC
Tags: redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 80%
Tags: advpack.dll anti-vm packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2023-02-14 06:17:33 UTC
File Type: PE (Exe)
Extracted files: 93
AV detection: 27 of 38 (71.05%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:fusa infostealer persistence
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction: 193.233.20.12:4132
Unpacked files
SHA256 hash: 13dd8de20e8fe15d26d24034435eaef526509b9d818e644f8664bfa410e67a3e
MD5 hash: bd8eae27b9ab22e6f8b8b46941d09eb8
SHA1 hash: a2cc68703a7579d7c22612efa5e1a171763081c7
Detections: redline
Parent samples :
hash:
4c828877678ed2e5b440d0a2183053f4aaccc515ba56ba4834813cb6c98911a1
MD5 hash: 2e0b7488b6608bb1ab1b714ac21152a6
SHA1 hash: 3445d7a0c24b004fed01ec8a833dbf4f9eddba75
SHA256 hash: ee3b8f4cf50bc29ca435db6bfa3b5f4bca15cc3c9e0141819a6fd4e10ee04f5a
MD5 hash: 6d7fa58e7e42b34000a543097964dfe3
SHA1 hash: 6a399fc242b2040e1cbf515e5366bdb2457c30db
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ee3b8f4cf50bc29ca435db6bfa3b5f4bca15cc3c9e0141819a6fd4e10ee04f5a (this sample)

Delivery method: Distributed via web download

Comments