MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
SHA3-384 hash: ced3cec10370d3db10af2a3b08582b64bc68913de0d88c39e44821890a093bbc1b699d73bbfeea535086ba7ea1037dfb
SHA1 hash: 65bf64dfcabf7bc83e47ffc4360cda022d4dab34
MD5 hash: 6958acc382e71103a0b83d20bbbb37d2
humanhash: nitrogen-skylark-iowa-november
File name: 6958ACC382E71103A0B83D20BBBB37D2.exe
Signature: RedLineStealer
File size: 238'080 bytes
First seen: 2024-02-22 15:55:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b54b7baaa544e146111c234c4d3b827d (1 x RedLineStealer)
ssdeep: 3072:FdfbYSFlTBL/A9OYh6++4hY7gfv9yPQxAVUmZAzsqvj1letKv/jbNRKCnrQbW:PbYSFH/AYYh9vERVUmSAQj1la9
TLSH: T15E34BF2176A0D771CC9B41348A78DAF83A3ABC665669834B77683F6F3F303917225352
TrID: 46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE): PE icon
dhash icon: 842020e094882010 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
129.153.86.0:8778

Intelligence


File Origin
# of uploads: 1
# of downloads: 379
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe
Verdict: Malicious activity
Analysis date: 2024-02-22 15:59:41 UTC
Tags: loader smoke smokeloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Launching a process
Sending an HTTP GET request to an infection source
Creating a process from a recently created file
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed redline
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Babuk, Clipboard Hijacker, Djvu,
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Bypass UAC via Fodhelper.exe
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph rendering not reproduced) Behavior Graph ID: 1397088, Sample: vI1lauoohe.exe, Startdate: 22/02/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2024-02-20 03:00:02 UTC
File Type: PE (Exe)
Extracted files: 22
AV detection: 29 of 38 (76.32%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat family:djvu family:glupteba family:lumma family:smokeloader family:vidar botnet:7f6c51bbce50f99b5a632c204a5ec558 botnet:tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates processes with tasklist
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
DcRat
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
Lumma Stealer
SmokeLoader
Vidar
Windows security bypass
Malware Config
C2 Extraction:
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments