MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 056f237a66ae57093fb7b664ee676e67df888143ca9c7664d0ca3eccdbb70ea0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18

SHA256 hash: 056f237a66ae57093fb7b664ee676e67df888143ca9c7664d0ca3eccdbb70ea0
SHA3-384 hash: 441028b9dd7ad268cdb254d00fd83487cb655474854c0278f1d346fa2a0f95e2c5cc39b07c735345804f393278d95e11
SHA1 hash: 6bedec39bcd100763ab909ecc8c266968b470d6f
MD5 hash: b609ff3043cce55de06305281a780fac
humanhash: orange-ten-speaker-colorado
File name: b609ff3043cce55de06305281a780fac.exe
Signature: RedLineStealer
File size: 37'742 bytes
First seen: 2023-12-20 04:50:15 UTC
Last seen: 2023-12-20 06:18:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3
TLSH: T11503D08A1C219A78FE1542F7169C8FD4533DD8CB61F3AF4D4A36893764CB7B482342A9
TrID:
  42.6% (.EXE) Win32 Executable (generic) (4505/5/1)
  19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  18.9% (.EXE) Generic Win/DOS Executable (2002/3)
  18.9% (.EXE) DOS Executable Generic (2000/1)
  0.2% (.VXD) VXD Driver (29/21)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
194.26.192.132:12343

Intelligence

File Origin
# of uploads: 2
# of downloads: 491
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: b609ff3043cce55de06305281a780fac.exe
Verdict: Malicious activity
Analysis date: 2023-12-20 04:52:08 UTC
Tags: loader smoke smokeloader stealer redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed smokeloader xpack
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Petite Virus, RedLine, SmokeLo
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Petite Virus
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1364910; sample tx2WEPjzLS.exe; start date 20/12/2023; architecture WINDOWS; score 100)

Root: network host-host-file8.com, host-file-host6.com and 8 other IPs or domains; signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 24 other signatures
  tx2WEPjzLS.exe (started): Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process
    explorer.exe (injected): network 185.215.113.68 (ports 49735, 80; WHOLESALECONNECTIONSNL, Portugal), 5.42.65.125 (ports 49738, 80; RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation) and 4 other IPs or domains; dropped C:\Users\user\AppData\Roaming\usrfjjg (PE32), C:\Users\user\AppData\Roaming\sgrfjjg (PE32), C:\Users\user\AppData\Local\Temp\DF9F.exe (PE32) and 9 other files (4 malicious); System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
      289.exe (started): dropped C:\Users\user\AppData\Local\...\toolspub2.exe (PE32), C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe (PE32), C:\Users\user\AppData\Local\Temp\tuc3.exe (PE32), C:\Users\user\AppData\...\InstallSetup9.exe (PE32)
        tuc3.exe (started): dropped C:\Users\user\AppData\Local\Temp\...\tuc3.tmp (PE32)
          tuc3.tmp (started)
            tuc3.exe (started): dropped C:\Users\user\AppData\Local\Temp\...\tuc3.tmp (PE32)
              tuc3.tmp (started): dropped C:\Program Files (x86)\...\stdbutton.exe (PE32), C:\Program Files (x86)\...\is-RS1SL.tmp (PE32), C:\Program Files (x86)\...\is-R1JAH.tmp (PE32) and 106 other files (none is malicious); Uses schtasks.exe or at.exe to add and modify task schedules
                net.exe (started)
                  conhost.exe (started)
                  net1.exe (started)
                stdbutton.exe (started): network bmkpfeb.com 185.196.8.22 (SIMPLECARRER2IT, Switzerland), 95.216.227.177 (HETZNER-ASDE, Germany)
                schtasks.exe (started)
                  conhost.exe (started)
                stdbutton.exe (started): dropped C:\ProgramData\M73Bitrate\M73Bitrate.exe (PE32)
        toolspub2.exe (started): Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
          toolspub2.exe (started): Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
        InstallSetup9.exe (started): network api4.ipify.org 104.237.62.212 (WEBNXUS, United States), 91.92.254.7 (THEZONEBG, Bulgaria), 5.42.64.35 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); dropped C:\Users\user\AppData\...\nsz21FA.tmp.exe (PE32), C:\Users\user\AppData\Local\Temp\...\Math.dll (PE32), C:\Users\user\AppData\Local\...\INetC.dll (PE32) and 2 other files (none is malicious)
          nsz21FA.tmp.exe (started): network 77.91.76.36 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); dropped C:\Users\user\AppData\...\vcruntime140[1].dll (PE32), C:\Users\user\AppData\...\softokn3[1].dll (PE32), C:\Users\user\AppData\Local\...\nss3[1].dll (PE32) and 9 other files (none is malicious); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
          BroomSetup.exe (started)
        2 other processes: Detected unpacking (overwrites its own PE header); UAC bypass detected (Fodhelper); Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          cmd.exe (started)
            conhost.exe (started)
            fodhelper.exe (started)
      DF9F.exe (started): dropped C:\Users\user\AppData\...\Protect544cd51a.dll (PE32); Found many strings related to Crypto-Wallets (likely being stolen); Sample uses process hollowing technique
        RegSvcs.exe (started): network 195.20.16.103 (ports 18305, 49739; EITADAT-ASFI, Finland); Found many strings related to Crypto-Wallets (likely being stolen); Tries to steal Crypto Currency Wallets
        RegSvcs.exe (started): Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      28F1.exe (started): network 77.105.132.87 (PLUSTELECOM-ASRU, Russian Federation); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      5 other processes: network 176.123.7.190 (ALEXHOSTMD, Moldova Republic of); Checks if the current machine is a virtual machine (disk enumeration)
        RegSvcs.exe (started)
        RegSvcs.exe (started)
        2 other processes
  sgrfjjg (started): Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
  svchost.exe (started)
    WerFault.exe (started)
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2023-12-17 06:09:00 UTC
File Type: PE (Exe)
AV detection: 30 of 37 (81.08%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:djvu family:glupteba family:redline family:rhadamanthys family:smokeloader family:stealc family:zgrat botnet:666 botnet:@oleh_ps botnet:livetraffic botnet:up3 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Detect ZGRat V1
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
Rhadamanthys
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
194.26.192.132:12343
77.105.132.87:17066
http://host-file-host6.com/
http://host-host-file8.com/
http://77.91.76.36
195.20.16.103:18305
Unpacked files
SHA256 hash: 056f237a66ae57093fb7b664ee676e67df888143ca9c7664d0ca3eccdbb70ea0
MD5 hash: b609ff3043cce55de06305281a780fac
SHA1 hash: 6bedec39bcd100763ab909ecc8c266968b470d6f
Detections: SmokeLoaderStage2 win_smokeloader_a2
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments