MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e
SHA3-384 hash:	45bf0209f873a5580a6bfa040c7f25eeadec6c067b1946894c891642c888e25b525809e3cf3a6c979f6fea09869a3efa
SHA1 hash:	a2237463185f5aeedeba292ad5f6e4c3ce99b844
MD5 hash:	b08afcb9036a3cdbe855d1a62bfa7f44
humanhash:	vermont-speaker-tango-black
File name:	f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e.bin
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	799'232 bytes
First seen:	2023-05-14 18:39:12 UTC
Last seen:	2023-05-15 08:06:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:Wy0EPNeuh6WYuHBMk9QN5kvZblWcBCCI:l0Es1zakAxXEC
TLSH	T1E7052243B2E5C073DCF06B7428F607931A397DE06E79476F338A64561932A98A531F2B
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	JaffaCakes118
Tags:	RedLineStealer

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

54

Origin country :

GB

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e.bin

Verdict:

Malicious activity

Analysis date:

2023-05-14 20:28:14 UTC

Tags:

rat redline amadey trojan

Link:

https://app.any.run/tasks/2709ebb8-1160-42a0-960d-8060d159c873

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/389776/

ClamAV Detected

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

Alert

Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a service

Sending a custom TCP request

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Blocking the Windows Defender launch

Disabling the operating system update service

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Stealing user critical data

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Tags:

advpack.dll anti-vm CAB greyware installer packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/64612b23ed1a1a10659201c9/reports/4fded5b6-c8a1-4dfc-b0a7-0efc5a9df2a8/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Amadey

Malware family:

Amadey

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/63031fad-6b1b-4b8d-9e24-d1c68548e9f2

Joe Sandbox Amadey, RedLine

Result

Threat name:

Amadey, RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1233002

Behaviour

Behavior Graph:

n/a

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e/

ReversingLabs TitaniumCloud Win32.Trojan.RedLineStealer

Threat name:

Win32.Trojan.RedLineStealer

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-11 08:29:38 UTC

File Type:

PE (Exe)

Extracted files:

119

AV detection:

26 of 37 (70.27%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=63s7utvum34wblsmgrjld5topqjs65ipmwfdusqk5occyuauguxa._file

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:amadey family:redline botnet:lessa discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230514-xa4kfsdb54/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Amadey

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Malware Config

C2 Extraction:

185.161.248.75:4132
212.113.119.255/joomla/index.php

UnpacMe redline Amadey

Unpacked files

SH256 hash:

ab09fca77a41e1a298417c75e637ed824321ae8a787969fbca9775fef87cb5ac

MD5 hash:

0ce61f820e3e3768456fae69a3adc822

SHA1 hash:

4798006dc7a08a468c42e5097724248a017e9b7b

Link:

https://www.unpac.me/results/7731b871-9f01-49f7-9751-d1d71b662526/

SH256 hash:

1c4608523433d0c98a2d18d60099c952ca925373ecfcc7204d57256022d61620

MD5 hash:

e6867196c365070442f1f0ac94f65e75

SHA1 hash:

91fad5e06ccfa29f8082bdc97b54f66f85cdc5f2

Link:

https://www.unpac.me/results/7731b871-9f01-49f7-9751-d1d71b662526/

SH256 hash:

8d87b55d40abb0e13ab0cd973cd04f4ade621b240a859985242f27f68929b1b2

MD5 hash:

259fef391d7e5148b164b19a2b6526d0

SHA1 hash:

43cd8218c3fedea9d5f68b783cae2f13bfd054fe

Link:

https://www.unpac.me/results/7731b871-9f01-49f7-9751-d1d71b662526/

SH256 hash:

4af7f777fc38f37d6610127c244e499e4cfb2bf49318f735fc8208ce1b945b59

MD5 hash:

38e26fcf40366cdfda12037213271498

SHA1 hash:

480153b9d77d554c78b4f692f096e3ce114b34f3

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/7731b871-9f01-49f7-9751-d1d71b662526/

Parent samples :

5fe1bc00d255691c7a2cd1a30f903538e3bce1cba7996d5b49bcf78dac1917ff
f91a73af3965046c61f70df2c8fece00e7213972c26def42bd0bf706ecd66324
d5017341d9ec265ae3d3ac0c23e522191b5026260f653628d2e6b280d85cd315
a97ad7281baa6b0de4b68c6da01948cc641b16cf23caeda4834bf81e5b519ab3
88e1ca51c9a1c57f25368bf239d0c6d4fe629ecc6bc4842d5afde85718c24de7
00cb1e076eadc486166ce91e9e7532c742078fc1989f1c05aeb7cf6e0707cb4a
63445e53b96bf629dae1d73a0a2237383c0b5413c6f853b8d391268c96634f5a
c1369a03eb8015db8e474ae1afb7e9a3773f455da3f4795b34ff428017f1fd31
c4fa2f7088f5b8e59f83c6d7542f6f8e16c9e52a3295c35f78fc16fb1749ff81
e56dda4ca0a4b76f6ff760867db4b55e644ccc2cc2252e327ad2417a30b48ff4
f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e
fd3b6f58aa99b2ada2408494530baafd67d68da86796ea46570a01b55f7bb3b9

SH256 hash:

1e1499200c834f4c0703d1f345de342928fa970fcb1a6e6faa5f45b7e1fc1507

MD5 hash:

0873875ddb0cb671d7388a683a1ccc77

SHA1 hash:

1d1405c5eda1e42dc270380c7ae08453ed5d63ba

Link:

https://www.unpac.me/results/7731b871-9f01-49f7-9751-d1d71b662526/

SH256 hash:

9189f4823f9b9fb55695fb06b28fea8ef46d368a2fa6144154e03819babb3020

MD5 hash:

a563c4911abf21c7c04938f3e823dd7d

SHA1 hash:

c4974508af99d0963b31d7b345ff6f19431e0ecb

Detections:

Amadey

Alert

Create hunting rule

Link:

https://www.unpac.me/results/7731b871-9f01-49f7-9751-d1d71b662526/

Parent samples :

5fe1bc00d255691c7a2cd1a30f903538e3bce1cba7996d5b49bcf78dac1917ff
f91a73af3965046c61f70df2c8fece00e7213972c26def42bd0bf706ecd66324
8217be8d38b6ff597ae5b01ee3b185a149d97f4cc55c700610b27d04af19b9d0
d5017341d9ec265ae3d3ac0c23e522191b5026260f653628d2e6b280d85cd315
a97ad7281baa6b0de4b68c6da01948cc641b16cf23caeda4834bf81e5b519ab3
88e1ca51c9a1c57f25368bf239d0c6d4fe629ecc6bc4842d5afde85718c24de7
63445e53b96bf629dae1d73a0a2237383c0b5413c6f853b8d391268c96634f5a
c1369a03eb8015db8e474ae1afb7e9a3773f455da3f4795b34ff428017f1fd31
c4fa2f7088f5b8e59f83c6d7542f6f8e16c9e52a3295c35f78fc16fb1749ff81
e56dda4ca0a4b76f6ff760867db4b55e644ccc2cc2252e327ad2417a30b48ff4
f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e
fd3b6f58aa99b2ada2408494530baafd67d68da86796ea46570a01b55f7bb3b9

SH256 hash:

f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e

MD5 hash:

b08afcb9036a3cdbe855d1a62bfa7f44

SHA1 hash:

a2237463185f5aeedeba292ad5f6e4c3ce99b844

Link:

https://www.unpac.me/results/7731b871-9f01-49f7-9751-d1d71b662526/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f6e5fa4eb466f960ae4c3452b1f66e7c132f750f658a3a4a0aeb842c5014352e

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/389776/