MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef48c240d1a67e93969aba12340d03dfec37a2ba656e12cfd4951469ee23ed3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	ef48c240d1a67e93969aba12340d03dfec37a2ba656e12cfd4951469ee23ed3e
SHA3-384 hash:	89dae2d1258e5031dfc907517e57afdafe56c104d6b5be16d8f5e645d9dfed6204a0e6ea57bc7981611e485252d643ab
SHA1 hash:	9dcb18f6bdd500dbc6c4523a1062f1bf15ca0503
MD5 hash:	8647cf489772ee07ce5cf09158e72d53
humanhash:	salami-failed-beryllium-carpet
File name:	ef48c240d1a67e93969aba12340d03dfec37a2ba656e12cfd4951469ee23ed3e
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'171'968 bytes
First seen:	2023-05-14 18:38:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:wyyUmkp2roJ885ttaG/oQdamG3n0ynyICg1VP4qIRw1Pw:3Zm5rgl8SdamGXbXzPzIK
TLSH	T1FF452306A6E48875D8F52BB55CFB42470B3AFD91CC7443AB730598DF4CB26A0A5B1723
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	JaffaCakes118
Tags:	RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

ef48c240d1a67e93969aba12340d03dfec37a2ba656e12cfd4951469ee23ed3e

Verdict:

Malicious activity

Analysis date:

2023-05-14 20:19:32 UTC

Tags:

redline

Link:

https://app.any.run/tasks/9b26c72f-433e-4b5a-8800-a117f73b574d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/389739/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a service

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Blocking the Windows Defender launch

Disabling the operating system update service

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

advpack.dll CAB confuserex installer packed packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/64612aebed1a1a10659201a7/reports/f7f17cfd-c854-4f51-bff2-8e9aac7d8391/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ef48c240d1a67e93969aba12340d03dfec37a2ba656e12cfd4951469ee23ed3e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4ef7479c-1e0d-4784-8a71-d05cc6e0aa01

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1233075

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef48c240d1a67e93969aba12340d03dfec37a2ba656e12cfd4951469ee23ed3e/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-14 08:33:56 UTC

File Type:

PE (Exe)

Extracted files:

115

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=55emeqgruz7jhfu2xijdidid37wdpiv2mvxbft6usukgt3rd5u7a._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:luka botnet:terra discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230514-xabvfafc6v/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Modifies Windows Defender Real-time Protection settings

RedLine

Malware Config

C2 Extraction:

185.161.248.75:4132

Unpacked files

SH256 hash:

ec5691b05799648974ed0b811c9555c798b060cc26ced2700f53ecb556964448

MD5 hash:

a3b2b71167f20c5ef769e462b69086fb

SHA1 hash:

64a09d547cce7481f0d315223471b79bb8f97b26

Link:

https://www.unpac.me/results/64dc2484-665c-4a1d-a395-da78d6a061c6/

SH256 hash:

46ec1c254853fa110a563d58a2c336671e003271394d170901b1779ebe0a0b54

MD5 hash:

c8cc801b85a28338687b92acec9ec813

SHA1 hash:

585895b0395c59c233af8f78003f55f25c12c622

Link:

https://www.unpac.me/results/64dc2484-665c-4a1d-a395-da78d6a061c6/

SH256 hash:

aec1d41d1cceeea2a3212cbc36e6732294eba6c0f501db8563019099b185e94e

MD5 hash:

423f4e54df5c24dbbf5a5bd53f5a419e

SHA1 hash:

ed4e8ac786474db040429548eb3f5d9ecc96144c

Detections:

redline

Link:

https://www.unpac.me/results/64dc2484-665c-4a1d-a395-da78d6a061c6/

SH256 hash:

e94031e265104f8f9093764a555ef0e119df7a26e4c30601fb03e06ee72d4918

MD5 hash:

5f00c1746ebae73f3c9a2fc2c6f7c796

SHA1 hash:

6351480ced3ae0788c4c3cf22b3f2f9cc079c2d2

Link:

https://www.unpac.me/results/64dc2484-665c-4a1d-a395-da78d6a061c6/

SH256 hash:

be44c9fd9a25f4331521b1fe16fe6d59c58488f60ab33588c8ac947b172aa192

MD5 hash:

3576cbf587ccbae0350ac4088becffe2

SHA1 hash:

55b1aba6048e982132c582087e9a1494413ead16

Link:

https://www.unpac.me/results/64dc2484-665c-4a1d-a395-da78d6a061c6/

SH256 hash:

cea8acc7ed1d5a364379a29f36c508f9bbd3f4d80382e3597cab1ab59e71847c

MD5 hash:

0ad10a101fc4e8a7e9edfd7496449949

SHA1 hash:

fa7147f2fdc1686d4fd870a6ffb85af80713a696

Link:

https://www.unpac.me/results/64dc2484-665c-4a1d-a395-da78d6a061c6/

SH256 hash:

c7c7a514fe456cfa50f3f087d1be3f2825bbeeb27935c6673b105b82eac3d7fe

MD5 hash:

deb22ad1341863ee15e81dc3923e297e

SHA1 hash:

f50d891f82ee8b4b2a944e682873dabdc3b4eea8

Detections:

redline

Link:

https://www.unpac.me/results/64dc2484-665c-4a1d-a395-da78d6a061c6/

Parent samples :

44c3a8da0ab137fdd6abd7cfb31627364b6b7610d0e3dd9604b03cc80d4f537b
d55f720efd4af3475edb05cafeda438cfd8dbd71366da7b187ba2c954258b5ce
813ce0745e3eb323b9c8371f145f33feacb64471b8fcf03f39dbd3ff25564774
56317cdb9e3688fb9c7bcd37f5ef6c435e5d06a64d46c35dfe92a92821750fc1
c7d060c9074cca55e9e04d61d0caf3dd9934b45dedd890ad5a3208022a35425e
cbe41193bc11dca56d056b7eb34b0691768e42f53d78750d6efeb9d28143ba5e
bcebcb224dbe8bd0777174ae719cb70657a7feb1a19207098bd84d3209da5d49
bd1260616f7472d2f310cc65cb4701746b499d943a7a5fa4c01f7fe0a4ddc304
bd57c9f6dadc4c62d7208db52f903c29aea6ff09f400cfa75a9851cc1aea427f
bf6596759ea62723d53032294de97c753fa51b46db9b49ff16cf14bdbef671f4
c046a3ab7b078de30ac65626becc7ed08f88c78aa94b0073f5d857d394edb9d3
c1ee5908dd2d0273bb18b08f0dcabe2a4614d894d69e81420a565be0f0c69ab0
c347081ec0d10ba6c004ccfc0fcad5b3e8f18c3dd03db909763f8558faec9f92
c46e12e7a08cfd17858543a034ae370ec8d3568c99e92d50913af07b365ca804
c62650b32d272546189183d4fe29418d58772a33c686a483589f03c2eb5ee2ef
c865344a337f66669c895acfc0d7aba9cf3d3998eb9cbb5c9825aa33d749f887
c91b34e20d6e23a75ce79c51bd6536f0366b759730476b0d6fdd2346efa04839
cb44d697cd120c0f9098e0b9b7faf2f5f67d5f426dfb225db47ee62684e45443
cc518ef8ab82d3cba40b797a5f6eacf36e7adae85589bb19de6a7e4687c2c119
ccb7d56726bf4f0ca6e15a21e49f35795cc56c101f4fb73e81f92e5d359c383f
d163b94088173bed10583e7faaa1213414dc07bc191560258eec01752edb87f2
d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52
d4dc7c680d5f51c46cf9e481bb985983751568bff4e7ce9dec1ad4367456862d
d4f7cf3a18686482f4f291c5a6fea4167e94a8bdaddd123a7998eff4c684c90b
d685952efbbd0aaf4155529b459c57cd3dd1d175419fa85fe4c2a4d7163fde45
d6860a6523e88ee8f973f45731e45b66902188f9ebea7debbcbbf9e1081e5b91
d89994b944d7f411b207f0d39b39f5310b6c8bae77561fb48a30c71449fc559c
dbe683197f6a83939cbc1b0f212eeb76a0f714b67ccefd264452928e1232a629
dc0d7d5fba6ac5cf9a83f5ad5c5519c3a622cd2aea74324a6a26c4b60cfb14d9
dc12c4a904161e71e11c66421513be3c6714944bc8c0d7521d395879c361e213
dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6
e03a9e1e1776e4b867750ce2fedb93d2cea0b843b570e62839c16e451a8ca9bc
e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a
e196972679d31597c23fd5d24d6cf341abf8a8c5d3ad5c7b677d81db11f54377
e1c1f35c0befb6a2e46e18b28ad1f0b9dcf963706aa0d78e26e2aa76fc93c65f
e29a3d17ce56a890473462e4ba1babb97061fe6f2f41d14db3da72dfe5ddcb8a
e2ced1a635687dbe9b4ba8643db8c072696b952bc51310dc1e33b776b5651233
e3e82c868b618e76a560f315097bf6fe9ba10c909abb1b51aad942a16a9c525b
e495614edb892fe7b0ed7749f34a7679c48109a84a95e39d6cc66d8592b0692d
e72524b767d99a436abbea479aadcb7588c1e7e498955432aca2a54344f7093a
e8746a37d1389b3c1d722c790501d9e5f9a8c94af218dccceb17eaae05975bde
ec2d066e99962a25f3db7a6f839c5bab2b090889be6f30406bad596e0eddbff3
ec5e496a96609c27c8adc62ca27fa259c308c366ff3a662e7135103324db67c1
ed571035b1c4cf8101e899022e35ded1ef5b84459d1f3c2be7f5d37a7b3781e3
ef48c240d1a67e93969aba12340d03dfec37a2ba656e12cfd4951469ee23ed3e
f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139
f2ce5991176a97cc5689dfb920c255b77de2e221d0f25ccecae5254a40a6d1fc
f67f0dbce979330570d7cd60dea97c59919c3496b09c4485a2ad2c1fe9f04ccd
fd9ba5fdb9c7a11812ef8aed5ef7afda54bed718c57f83e2dc39463348594c2c
fe2b1b0feaa71d353720ba9872a3f74979194d47214457ae430d6e5a4104b8ad
ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf
5186b8b15914efa186c1d5141a15b8fe6a5dce062583cc0c17e839dd170f011d

SH256 hash:

ef48c240d1a67e93969aba12340d03dfec37a2ba656e12cfd4951469ee23ed3e

MD5 hash:

8647cf489772ee07ce5cf09158e72d53

SHA1 hash:

9dcb18f6bdd500dbc6c4523a1062f1bf15ca0503

Link:

https://www.unpac.me/results/64dc2484-665c-4a1d-a395-da78d6a061c6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef48c240d1a67e93969aba12340d03dfec37a2ba656e12cfd4951469ee23ed3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_amadey_a9f4 Create hunting rule
Author:	Johannes Bader
Description:	matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/389739/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample