MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbd0518a0e41da1dff386017c19881705c3f61a3e7c5945ef64f01f3c1a03b23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	fbd0518a0e41da1dff386017c19881705c3f61a3e7c5945ef64f01f3c1a03b23
SHA3-384 hash:	9cf3926e271a0eae82e3b94f9cc1b3aa8ee2b12cbc3f7fc59ecd292d3439c5e50cc0cdf6d46ba540b4777e94edbc743e
SHA1 hash:	556095f382cfcfc04feebee70b284b3364c6c8d3
MD5 hash:	ea4ed17e7cd2c766c735ff060eeae43d
humanhash:	leopard-blue-floor-delta
File name:	y9430837.exe
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	323'584 bytes
First seen:	2023-05-13 22:58:44 UTC
Last seen:	2023-05-14 18:43:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	6144:K1y+bnr+Jp0yN90QEz6vZrMgX3eYK41E8OBURKaJn:jMr5y90xmN3rKWOmEaF
Threatray	146 similar samples on MalwareBazaar
TLSH	T17764F103B7D88073D8B917B058F603830B3ABDA15A78835B27456D9E1CB32D4A97677B
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	JaffaCakes118
Tags:	RedLineStealer

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

112

Origin country :

GB

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

y9430837.exe

Verdict:

Malicious activity

Analysis date:

2023-05-13 23:08:35 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/0a5906e8-b429-487d-9030-793b1e519e62

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/389276/

ClamAV Detected

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

Alert

Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a service

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Blocking the Windows Defender launch

Disabling the operating system update service

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Stealing user critical data

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/84074/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

advpack.dll CAB confuserex greyware installer packed packed rundll32.exe setupapi.dll shell32.dll stealer

Link:

https://www.filescan.io/uploads/64601656e6ddc946fb8217e3/reports/695bee21-3de8-4015-baf1-d9c8d4c9a6ba/overview

Hybrid Analysis HEUR/AGEN.1323756

Verdict:

Malicious

Labled as:

HEUR/AGEN.1323756

Link:

https://www.hybrid-analysis.com/sample/fbd0518a0e41da1dff386017c19881705c3f61a3e7c5945ef64f01f3c1a03b23

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/8915b6f0-8ac2-4f1f-8523-29747211b7b9

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1232295

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fbd0518a0e41da1dff386017c19881705c3f61a3e7c5945ef64f01f3c1a03b23/

ReversingLabs TitaniumCloud Win32.Trojan.RedLineStealer

Threat name:

Win32.Trojan.RedLineStealer

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-11 05:01:37 UTC

File Type:

PE (Exe)

Extracted files:

41

AV detection:

18 of 24 (75.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7pifdcqoihnb37zymal4dgebobod6ynd47czixxwj4a7hqnahmrq._file

Threatray malicious

Verdict:

malicious

Similar samples:

0d0fa8f27461ba22f67c0f01438f07d5b4d21408fb6814c1e20229937e54856e

RedLineStealer

29f9c72cc572c4edf578d55774bc0eec146309370c6dd221d80c059e95648271

RedLineStealer

2b4f06b5c00bfef8e1e83bfa46f822dedb09d05779d8171ff91d59994f9bca14

RedLineStealer

58a30e4769f449019d29b3458663cb51aced48cb23ae507e81c43afb5f8390e2

RedLineStealer

86763058cb4b7fbd0f0987e26f05faa054e174210507503cf27b79a1967963ea

RedLineStealer

a1ef544bf51b12a099ccb7d97dac88e5df02ca8b9afda8759b427eb8d228ad4c

RedLineStealer

aecbf7bf99a187049f5740bf8625a6bc5860dde7004c5bc90abd319d2b6969d6

RedLineStealer

ce8d6f372e19df727c8fd2da7add1bef0e69c96ef136dc22a1cc035182b38d6a

RedLineStealer

e5c269f8a0e03548ba2167cebcc18dae97387b0ef9e181d11f1d6608709d6753

RedLineStealer

f7dbdcec3578afd1cda065472888da575420319e2d8b856f2253e4862686846c

RedLineStealer

+ 136 additional samples on MalwareBazaar

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline botnet:debro discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230513-2ykjpscb91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Adds Run key to start application

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Modifies Windows Defender Real-time Protection settings

RedLine

Malware Config

C2 Extraction:

185.161.248.75:4132

UnpacMe redline

Unpacked files

SH256 hash:

389c88af69acdd1a6211f2a983b3e46fb7fd4212799293a803b9dfe340670f5f

MD5 hash:

81e86042bdb2e0504ef951fd977d5598

SHA1 hash:

f158153bbf3cc04e7343f92a1972730d4111844e

Link:

https://www.unpac.me/results/b7ccb95f-18a2-406c-9cae-ee6d63393f5c/

SH256 hash:

1c4608523433d0c98a2d18d60099c952ca925373ecfcc7204d57256022d61620

MD5 hash:

e6867196c365070442f1f0ac94f65e75

SHA1 hash:

91fad5e06ccfa29f8082bdc97b54f66f85cdc5f2

Link:

https://www.unpac.me/results/b7ccb95f-18a2-406c-9cae-ee6d63393f5c/

SH256 hash:

8d87b55d40abb0e13ab0cd973cd04f4ade621b240a859985242f27f68929b1b2

MD5 hash:

259fef391d7e5148b164b19a2b6526d0

SHA1 hash:

43cd8218c3fedea9d5f68b783cae2f13bfd054fe

Link:

https://www.unpac.me/results/b7ccb95f-18a2-406c-9cae-ee6d63393f5c/

SH256 hash:

ec19cfd6a1934b9280fef2f5bc2d980a07c62721d4ebedd3c5cc07d71d250559

MD5 hash:

6ae59c916888c9f278e7a9f4ce4e3e3d

SHA1 hash:

8fa1f11ad24d582ea1e9ea0836d9cd2d5999d869

Link:

https://www.unpac.me/results/b7ccb95f-18a2-406c-9cae-ee6d63393f5c/

SH256 hash:

65e3f9ea225f1c842cc71ccfaaa74174c38d4c624c821d57352914e1c4d09e66

MD5 hash:

d1338c90a84d234f218d6a2b1eb1c88b

SHA1 hash:

27397174456886505c24f5629eadab18c16086f0

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/b7ccb95f-18a2-406c-9cae-ee6d63393f5c/

Parent samples :

d639ec3a51acd0e1ccdb0b07f29bb3df7b930266a5ae7396c73fd2a1fe4859a0
fc398e0cde6a420898f914da59fe9f8efbf33a43a6721324d57e0cdac03d43e2
3be410255c0b945c92f4250353e13ec6aa07577ac89fee71a5a4cbaa4edd20e5
7c8364187a059506add600649e4b4b3115ac9dc4b171ec58ad542c5623fb2abd
9fde5ae1eb2789887b7513a950bd2fb41f5b44d6ec0756a081ccfa7d9b4d63fd
f7f243c095defbebffaac067bd9c1f965e506dd54bc515721c854b37b52b72b3
84d5652b3d648153816b5dd75dcb8a2c29a60e543446900135cded83cb0c0203
7917c41177e8899a1c61ad77133af340bd3d66f3a5fd2009d879aa154f5e84a9
1a6cb6a3ae4f0530a57855656c2d7a95fb89d222736aec9ba1471ef05d8ab82f
f080262d4ed0e5116ac26d9edef8787e8bd6c7ef73e023b69e386c25e1185c66
fec7bae13e41a9368eaa8ab467ec84f62121375def9c2ec5d792204d02b9b9cb
1b09ccde464d420c8e8ed40b21caf17150d8d94a922d98c7fd9fb5e80461b999
566a29b0549b4c9dff01cb805d07e8be2f177c0f7f6c134bfa6d00a9759eba50
fbd0518a0e41da1dff386017c19881705c3f61a3e7c5945ef64f01f3c1a03b23
c553d0cc29cfc2f0dedc5708534efa4e8c2d174281c6983759ef5e8c0534cfd7
c71a3942498f86078a3380785fa1bac76b4b011d574adab4dabad41af05a2585
cc6dbd7904b27ef40693f299447856756987d11f1c227d93663746685c2bbcc7
ce1a9fbe563e9c4e30454385cd5b9dbca2603e7075b6cb562a71100aa5165710
d63deec0483bdb5c7f5b0328113426d4f7cb058f4d8441d6472d9da4211734a2
d813e1bf0278094d48e5a504e0ec9dbe2aabb4bcf87aeae03317c72c7be89b10
dbbe21892c560d16dda10d1412804f756435f146bef6fbceb9f9d7d7cfe8dff4
e190bd71e3eff06d47f0345989cc8f2269fc592ac6060b5855331b3a3e5c577b
e20757a6d327dcc4bf152f62acc4eac6804d5682afbe9f2a94a3c095bfd30af5
e3b29233e6a6a4ecaf96ba5099906eebe12f264469c88940df03ff15d1f61dcc
e61cf44a66061151977ff95dca44b20d7d6d0059dea74c7adbb1b816b55d3036
f58b8c83ce4e438d8b31f288aa5d1e4d67e6423b78923fc03702356958177203
f9bb4c6448066e17d4a580b3adc299dc72b07c2b8366a4bb029742d35047081c
fe8cea0fa501f14dced5646340afd5ae6aab600e8efb2e8e552addf955f0a7e2

SH256 hash:

fbd0518a0e41da1dff386017c19881705c3f61a3e7c5945ef64f01f3c1a03b23

MD5 hash:

ea4ed17e7cd2c766c735ff060eeae43d

SHA1 hash:

556095f382cfcfc04feebee70b284b3364c6c8d3

Link:

https://www.unpac.me/results/b7ccb95f-18a2-406c-9cae-ee6d63393f5c/

VMRay RedNet

Malware family:

RedNet

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fbd0518a0e41/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fbd0518a0e41da1dff386017c19881705c3f61a3e7c5945ef64f01f3c1a03b23

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/389276/