MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 328fe310cb920d9960528314b0c42eff2c9837dd1ee206f9e89d94a3c142f856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 328fe310cb920d9960528314b0c42eff2c9837dd1ee206f9e89d94a3c142f856
SHA3-384 hash: e73a20285aaf96bdaa1aeb69f2a9cdbaece053a76df30b6ac0e38d80ad1db56a38ef22b54b386190d8038c3e5a21acca
SHA1 hash: c8203337bc323f39986347bf82e0f8dd6f62f8c8
MD5 hash: 1d61642c19b1352c2f5404b3ba991845
humanhash: march-ack-high-kansas
File name:1d61642c19b1352c2f5404b3ba991845.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:808'448 bytes
First seen:2023-12-09 17:05:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:/Mr4y90yN8degBdF/RIqaSVJ3zQFo/DiK+BZhzSLU2qQCNQmhZNyztJqkKL444:nyl8dTBd9baS7QW7lkzSFuCyyz/ku
TLSH T182051212BBE84033DDB227B028F607431B35FDE25979476B678696871CB3B84647632B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
82.115.223.152:3838

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/464026/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Launching a process
Replacing files
Launching a service
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm CAB control crypto explorer fingerprint greyware installer lolbin lolbin monero packed rundll32 setupapi sfx shell32 xpack zusy
Link:
https://www.filescan.io/uploads/65749e7ada3178d99cdeb855/reports/869ec88a-6bcb-4cee-a83c-326cabd0e09f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/328fe310cb920d9960528314b0c42eff2c9837dd1ee206f9e89d94a3c142f856
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/32856884-3a48-4f58-b542-4255a323a5e9
Result
Threat name:
Glupteba, LummaC Stealer, PrivateLoader,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356957
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1356957 Sample: Dzc2otu6qd.exe Startdate: 09/12/2023 Architecture: WINDOWS Score: 100 134 runeelite.com 2->134 136 ipinfo.io 2->136 150 Snort IDS alert for network traffic 2->150 152 Multi AV Scanner detection for domain / URL 2->152 154 Found malware configuration 2->154 156 18 other signatures 2->156 11 Dzc2otu6qd.exe 1 4 2->11         started        14 OfficeTrackerNMP131.exe 10 501 2->14         started        17 OfficeTrackerNMP131.exe 2->17         started        19 10 other processes 2->19 signatures3 process4 file5 120 C:\Users\user\AppData\Local\...\3hi74gC.exe, PE32 11->120 dropped 122 C:\Users\user\AppData\Local\...\1wh98lE6.exe, PE32 11->122 dropped 21 3hi74gC.exe 11->21         started        24 1wh98lE6.exe 11 508 11->24         started        124 C:\...\9PLuaq1dJ0QUPQ5LPOyi0qyxJFzKQTY6.zip, Zip 14->124 dropped 210 Antivirus detection for dropped file 14->210 212 Multi AV Scanner detection for dropped file 14->212 214 Tries to steal Mail credentials (via file / registry access) 14->214 224 4 other signatures 14->224 28 WerFault.exe 14->28         started        126 C:\...\Iod1NxZudX8xTlzSRfiyEZw5WcQ0rsZ5.zip, Zip 17->126 dropped 216 Disables Windows Defender (deletes autostart) 17->216 218 Tries to harvest and steal browser information (history, passwords, etc) 17->218 220 Exclude list of file types from scheduled, custom, and real-time scanning 17->220 30 WerFault.exe 17->30         started        222 Machine Learning detection for dropped file 19->222 32 WerFault.exe 19->32         started        34 WerFault.exe 19->34         started        36 WerFault.exe 19->36         started        signatures6 process7 dnsIp8 158 Multi AV Scanner detection for dropped file 21->158 160 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->160 162 Maps a DLL or memory area into another process 21->162 170 2 other signatures 21->170 38 explorer.exe 21->38 injected 144 193.233.132.51, 49729, 49730, 49733 FREE-NET-ASFREEnetEU Russian Federation 24->144 146 ipinfo.io 34.117.59.81, 443, 49731, 49732 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 24->146 112 C:\Users\user\AppData\...\FANBooster131.exe, PE32 24->112 dropped 114 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 24->114 dropped 116 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 24->116 dropped 118 2 other malicious files 24->118 dropped 164 Tries to steal Mail credentials (via file / registry access) 24->164 166 Found many strings related to Crypto-Wallets (likely being stolen) 24->166 168 Found stalling execution ending in API Sleep call 24->168 172 8 other signatures 24->172 43 schtasks.exe 1 24->43         started        45 schtasks.exe 1 24->45         started        47 WerFault.exe 24->47         started        49 consent.exe 32->49         started        51 Conhost.exe 34->51         started        file9 signatures10 process11 dnsIp12 138 185.196.8.238 SIMPLECARRER2IT Switzerland 38->138 140 185.172.128.19, 49754, 80 NADYMSS-ASRU Russian Federation 38->140 142 2 other IPs or domains 38->142 104 C:\Users\user\AppData\Local\Temp\FEAD.exe, PE32 38->104 dropped 106 C:\Users\user\AppData\Local\Temp\F093.exe, PE32 38->106 dropped 108 C:\Users\user\AppData\Local\Temp\F01A.exe, PE32 38->108 dropped 110 6 other malicious files 38->110 dropped 204 System process connects to network (likely due to code injection or exploit) 38->204 206 Benign windows process drops PE files 38->206 53 F093.exe 38->53         started        57 B83B.exe 38->57         started        59 BC72.exe 38->59         started        68 2 other processes 38->68 62 conhost.exe 43->62         started        64 conhost.exe 45->64         started        208 Writes to foreign memory regions 49->208 66 svchost.exe 49->66 injected file13 signatures14 process15 dnsIp16 90 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 53->90 dropped 92 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 53->92 dropped 94 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 53->94 dropped 102 2 other malicious files 53->102 dropped 174 Antivirus detection for dropped file 53->174 176 Multi AV Scanner detection for dropped file 53->176 178 Machine Learning detection for dropped file 53->178 70 31839b57a4f11171d6abc8bbc4451ee4.exe 53->70         started        73 toolspub2.exe 53->73         started        75 InstallSetup9.exe 53->75         started        78 InstallSetup9.exe 53->78         started        96 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 57->96 dropped 98 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 57->98 dropped 80 File2.exe 57->80         started        83 File1.exe 57->83         started        85 conhost.exe 57->85         started        148 77.105.132.87 PLUSTELECOM-ASRU Russian Federation 59->148 100 C:\Users\user\AppData\Roaming\oXnyHd.exe, PE32 68->100 dropped 180 Injects a PE file into a foreign processes 68->180 file17 signatures18 process19 dnsIp20 182 Antivirus detection for dropped file 70->182 184 Multi AV Scanner detection for dropped file 70->184 186 Detected unpacking (changes PE section rights) 70->186 200 3 other signatures 70->200 188 Sample uses process hollowing technique 73->188 190 Injects a PE file into a foreign processes 73->190 128 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 75->128 dropped 87 Broom.exe 75->87         started        130 176.123.7.190, 32927, 49756 ALEXHOSTMD Moldova Republic of 80->130 192 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 80->192 194 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 80->194 196 Tries to harvest and steal browser information (history, passwords, etc) 80->196 132 176.123.10.211, 47430, 49755 ALEXHOSTMD Moldova Republic of 83->132 198 Tries to steal Crypto Currency Wallets 83->198 file21 signatures22 process23 signatures24 202 Multi AV Scanner detection for dropped file 87->202
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/328fe310cb920d9960528314b0c42eff2c9837dd1ee206f9e89d94a3c142f856
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/328fe310cb920d9960528314b0c42eff2c9837dd1ee206f9e89d94a3c142f856/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2023-12-07 05:18:27 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gkh6geglsigzsycsqmklbrbo74wjqn65d3ran6pitwkkhqkc7bla._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor collection discovery loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/231209-vmdtfshfbr/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
4b9095b4f390371b9dd2885ae1c9d01388d993032f6abdd13d62fff9578f8b5f
MD5 hash:
2d2f649e017d3355adeca7db425279db
SHA1 hash:
581eefdefdd632003528464af2fa8de5ba4e9438
Link:
https://www.unpac.me/results/049b51a9-34a6-4d2d-84d1-1b1d6f5d82b6/
SH256 hash:
82002d82867b12bb3a2b6387a1f582745684ba2ef0c742ede45ceecf9e86d5e2
MD5 hash:
b0a7dc5200f2c1140a3f923dde2b63fb
SHA1 hash:
5395ca47de6bafd21359f1600a51c150b1626dc1
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/049b51a9-34a6-4d2d-84d1-1b1d6f5d82b6/
SH256 hash:
328fe310cb920d9960528314b0c42eff2c9837dd1ee206f9e89d94a3c142f856
MD5 hash:
1d61642c19b1352c2f5404b3ba991845
SHA1 hash:
c8203337bc323f39986347bf82e0f8dd6f62f8c8
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/049b51a9-34a6-4d2d-84d1-1b1d6f5d82b6/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/328fe310cb92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/328fe310cb920d9960528314b0c42eff2c9837dd1ee206f9e89d94a3c142f856

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/464026/

Comments