MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a
SHA3-384 hash:	9f3fe3b146aec5666b092ea804c7ef4dd3e17bb9355442f28a4fcd12ab51f857e4d5a852bac39219a00437ae5eab8800
SHA1 hash:	390a19176fcb7fd72fc9574c8d1b9287ded9480c
MD5 hash:	758fad11fecdc3551039bcd2027c0a9d
humanhash:	summer-vegan-mississippi-montana
File name:	fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	1'172'480 bytes
First seen:	2023-05-14 18:39:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:yyg0zhbMgpEag9voDbHiXlUlgd9tYBkrneSmtse6:Zg0VbMgpEag9veiV+CYarn7m+e
TLSH	T10F452306DFC99032E4F657701CFB22C32A357CD29E74933B6326996A1CF25A9097871B
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	JaffaCakes118
Tags:	RedLineStealer

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

55

Origin country :

GB

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a

Verdict:

Malicious activity

Analysis date:

2023-05-14 20:04:07 UTC

Tags:

rat redline trojan amadey loader

Link:

https://app.any.run/tasks/32473235-b4d6-466c-8fb7-9d1db7892074

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/389786/

ClamAV Detected

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

Alert

Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a service

Sending a custom TCP request

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Blocking the Windows Defender launch

Disabling the operating system update service

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Stealing user critical data

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/84505/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

advpack.dll anti-vm CAB confuserex installer packed packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/64612b33c34569b727984128/reports/b8f2ecc6-614d-4688-9b4e-fc956407058b/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Intezer RedLine stealer

Malware family:

RedLine stealer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8086bb9b-2d55-4a4b-8a46-7b8ca50486df

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1232990

Behaviour

Behavior Graph:

n/a

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.RedLineStealer

Threat name:

ByteCode-MSIL.Trojan.RedLineStealer

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-13 16:16:19 UTC

File Type:

PE (Exe)

Extracted files:

115

AV detection:

17 of 24 (70.83%)

Threat level:

  5/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7iaghvu62ns3dqn7sixravcffctrhuw6upsray2e7r3enj22xvna._file

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline botnet:doma botnet:fuga discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230514-xa61ksdb64/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Modifies Windows Defender Real-time Protection settings

RedLine

Malware Config

C2 Extraction:

185.161.248.75:4132

UnpacMe redline

Unpacked files

SH256 hash:

23537d6316fd5419fe71f28761ac2118afff65f56ab66e203933366c371bc026

MD5 hash:

6f844271adcbf206112e1cba5aab4fd7

SHA1 hash:

e362bdf36a18cd4f1fdf64b3c098388a246feca1

Link:

https://www.unpac.me/results/0ee45957-a566-40e5-9de1-630db00f2b28/

SH256 hash:

296ac9463a2dacb2e14099d4306317b38993b26335b9f4c6e2a272d94936e905

MD5 hash:

1a0efadbb446c51c39029d46ad815f85

SHA1 hash:

207473f13c69f0dc0c1d20f3422e556882d2d0de

Link:

https://www.unpac.me/results/0ee45957-a566-40e5-9de1-630db00f2b28/

SH256 hash:

65c6f4cac2e7217ed7c902d844fa8847a8e625d33b40b83797bcb3bbd261f9ec

MD5 hash:

d54cb98ea958489f1f15d41a3586e71f

SHA1 hash:

bb7f9d0e249a6e16ec028d9342d7a3347d6652a6

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/0ee45957-a566-40e5-9de1-630db00f2b28/

Parent samples :

65da107ffa5b54026fb6110d43af922c285cba5ff26beea496c8ca8f74cbf8d6
bd1102cdf51134a27caec79c2aeaf4c030b974d43b6616872f2974fd5690c8dc
d9cd3cc8b8b5f1108c4ad502aeb3f94f468978206080c78a65266c02dc9faf44
e3f7cf58dcb207b01b5cb48364c7870133e2f18a8a272fbc41f8ed6613500d7c
e424eaea895de876ce2d1d514715183cefae3885590be9a0a680d36f4b31cc93
e9c838c3f25516edcf03174b2eb6a230069bdf565985efd27b76a5bbfb20a204
ed483b721e647a7c69948956c878ab495726454f1e8f10c1f73922ce358783b1
f1fadab2546031f3f602333352e6e12a44c9e41b156c2989ec6baec3a8fe0467
f3233262acdb501e20a1febefd8a379d3a88b1c1ced7a1da36b56eef194c267a
fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a

SH256 hash:

35b778aba27ab5ddcdd69b5869eac3b2a53f380ea75fdfd4821e1c3e9ed60243

MD5 hash:

6172dd865ec5e057fb5e85d53d8d8607

SHA1 hash:

6ea29a0113f36197d41ec7090287ffe216f8ef6b

Link:

https://www.unpac.me/results/0ee45957-a566-40e5-9de1-630db00f2b28/

SH256 hash:

5a26e3fb1c944330c58549275cd483590e452b00fd1e53dadbe7321d27f9a821

MD5 hash:

542aa13cd546171d514cdd35a7a0fe19

SHA1 hash:

42e5bbd1276ac912880d63cde43981813b648c30

Link:

https://www.unpac.me/results/0ee45957-a566-40e5-9de1-630db00f2b28/

SH256 hash:

7638443aa376ad133932be665849c8353353d71a76899b7c496987317c2f90d9

MD5 hash:

3446967add49c81e41c2d0f5153368fe

SHA1 hash:

c6ef84d14063d8248e91eed78197175b51b8c630

Link:

https://www.unpac.me/results/0ee45957-a566-40e5-9de1-630db00f2b28/

SH256 hash:

fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a

MD5 hash:

758fad11fecdc3551039bcd2027c0a9d

SHA1 hash:

390a19176fcb7fd72fc9574c8d1b9287ded9480c

Link:

https://www.unpac.me/results/0ee45957-a566-40e5-9de1-630db00f2b28/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Redline

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe fa0063d69ed365b1c1bf922f10544528a713d2dea3e5106344fc7646a75abd5a

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2627019/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/389786/