MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 503f3cd6bab9e4a2db1589b0c9ef7cacc5fae15a91d1590133075c93c8ef32a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 17



SHA256 hash: 503f3cd6bab9e4a2db1589b0c9ef7cacc5fae15a91d1590133075c93c8ef32a3
SHA3-384 hash: 53725062e01a834c7245fd71bbd60d61095d4ee23ac45e68c75e769e222188dba17f9ad4edfb405e80c7c874ae4eecb0
SHA1 hash: 9eed81cbbc373c070c586830baa4290f262ded09
MD5 hash: 1f74315dca91bc894d55aaf284d95fd2
humanhash: saturn-alabama-nineteen-fourteen
File name: 1f74315dca91bc894d55aaf284d95fd2.exe
Signature: RedLineStealer
File size: 38'568 bytes
First seen: 2023-12-11 18:35:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Threatray: 4'410 similar samples on MalwareBazaar
TLSH: T16E03D0CA06E0D6AEF77068760A994C17AEC496C45189E31565C12C9FFC0FCD87867A8F
TrID: 42.6% (.EXE) Win32 Executable (generic) (4505/5/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      18.9% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
      0.2% (.VXD) VXD Driver (29/21)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://scanintegrutybatowss.pw/api

Intelligence


File Origin
# of uploads: 1
# of downloads: 256
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 1f74315dca91bc894d55aaf284d95fd2.exe
Verdict: Malicious activity
Analysis date: 2023-12-11 21:59:30 UTC
Tags: loader smoke smokeloader stealer redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed smokeloader xpack
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, LummaC Stealer, Petite Virus,
Detection: malicious
Classification: troj.adwa.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected Petite Virus
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socks5Systemz
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1359355, analysed as vS3C07uH19.exe, start date 12/12/2023, architecture WINDOWS, score 100. The graph image did not survive extraction; the indicators and process tree recoverable from it are listed below. Collapsed entries ("15 other IPs or domains" at the top level, "4 other" under explorer.exe, "3 other" under RegSvcs.exe) cannot be recovered here.

Network indicators
xmr-eu1.nanopool.org (DNS related to crypto mining pools)
pastebin.com (connects to a pastebin service, likely for C&C)
185.172.128.19:80, NADYMSS-ASRU, Russian Federation (contacted by injected explorer.exe)
185.221.198.96, M247GB, Russian Federation (contacted by injected explorer.exe)
77.105.132.87, PLUSTELECOM-ASRU, Russian Federation (contacted by 7D6D.exe)
176.123.7.190, ALEXHOSTMD, Moldova Republic of (contacted by one of the other explorer.exe children)
dayfarrichjwclik.fun, 104.21.80.57, CLOUDFLARENETUS, United States (contacted by RegSvcs.exe started by C788.exe)
neighborhoodfeelsa.fun, 104.21.87.137, CLOUDFLARENETUS, United States (contacted by RegSvcs.exe started by C788.exe)
195.20.16.103, EITADAT-ASFI, Finland (contacted by RegSvcs.exe started by the other explorer.exe children)

Process tree
vS3C07uH19.exe: tries to detect sandboxes and other dynamic analysis tools; checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); maps a DLL or memory area into another process
  explorer.exe (injected): system process connects to network; benign windows process drops PE files; deletes itself after installation; 2 other signatures
    dropped: C:\Users\user\AppData\Roaming\tususjr (PE32), C:\Users\user\AppData\Roaming\hwsusjr (PE32), C:\Users\user\AppData\Local\Temp\D4C7.exe (PE32), 5 other files (4 malicious)
    B576.exe: drops C:\Users\user\AppData\Local\...\toolspub2.exe (PE32), C:\Users\user\AppData\Local\...\latestX.exe (PE32+), C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe (PE32), 2 other files (none malicious); starts tuc3.exe, toolspub2.exe, 31839b57a4f11171d6abc8bbc4451ee4.exe and 4 other processes
      tuc3.exe: drops C:\Users\user\AppData\Local\Temp\...\tuc3.tmp (PE32) and starts it
        tuc3.tmp: starts a second tuc3.exe
          tuc3.exe: drops tuc3.tmp (PE32) and starts it
            tuc3.tmp: drops C:\Program Files (x86)\...\xrecode3.exe (PE32), C:\Program Files (x86)\...\is-JON7M.tmp (PE32), C:\Program Files (x86)\...\is-A0587.tmp (PE32) and 56 other files (none malicious); uses schtasks.exe or at.exe to add and modify task schedules; starts net.exe, schtasks.exe and xrecode3.exe (twice)
              net.exe: starts conhost.exe and net1.exe
              schtasks.exe: starts conhost.exe
              xrecode3.exe: drops C:\ProgramData\...\SpaceRacesEX.exe (PE32)
      toolspub2.exe: detected unpacking (changes PE section rights); contains functionality to inject code into remote processes; injects a PE file into a foreign process; starts a second toolspub2.exe
        toolspub2.exe: checks for kernel code integrity; maps a DLL or memory area into another process; checks if the current machine is a virtual machine (disk enumeration); creates a thread in another existing process
      31839b57a4f11171d6abc8bbc4451ee4.exe: detected unpacking (overwrites its own PE header); UAC bypass detected (Fodhelper); found Tor onion address; tries to detect sandboxes and other dynamic analysis tools
      4 other processes: drop C:\Windows\System32\drivers\etc\hosts (ASCII), C:\Users\user\AppData\Local\Temp\Broom.exe (PE32) and C:\Program Files\Google\Chrome\updater.exe (PE32+); modify the hosts file; add a directory exclusion to Windows Defender; start Broom.exe
    C788.exe: drops C:\Users\user\AppData\...\Protect544cd51a.dll (PE32); found many strings related to crypto-wallets; writes to foreign memory regions; allocates memory in foreign processes; injects a PE file into a foreign process; starts RegSvcs.exe
      RegSvcs.exe: contacts dayfarrichjwclik.fun, neighborhoodfeelsa.fun and 3 other IPs or domains; queries Win32_VideoController and Win32_DiskDrive via WMI; starts WerFault.exe
    7D6D.exe: contacts 77.105.132.87; queries Win32_VideoController and Win32_DiskDrive via WMI
    3 other processes: contact 176.123.7.190; sample uses process hollowing technique; tries to steal crypto currency wallets; start RegSvcs.exe (twice) and conhost.exe
      RegSvcs.exe: contacts 195.20.16.103; tries to harvest and steal browser information (history, passwords, etc)
  hwsusjr (started at the top level; same name as the file dropped by explorer.exe): checks if the current machine is a virtual machine (disk enumeration); creates a thread in another existing process
  svchost.exe (two instances at the top level): one starts WerFault.exe
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2023-12-09 01:55:28 UTC
File Type: PE (Exe)
AV detection: 27 of 37 (72.97%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:zgrat botnet:@oleh_ps botnet:livetraffic backdoor infostealer rat trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Deletes itself
Executes dropped EXE
Downloads MZ/PE file
Detect ZGRat V1
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://81.19.131.34/fks/index.php
176.123.7.190:32927
77.105.132.87:17066
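The C2 indicators above (the RedLine URL reported by abuse_ch, the SmokeLoader URL and the two RedLine host:port pairs from the extracted config) are only useful once they are matched against traffic. The script below is an added example for this page, not MalwareBazaar code or any vendor's tooling: it matches constructed proxy-style log lines against those indicators and reports full-URL, socket and host-only hits separately, since a connection to the right IP on a different port is weaker evidence than a hit on the exact URL or port. The log field layout and the sample lines are assumptions made for the example.

```python
"""Match network logs against the C2 indicators listed in this entry.

Added example for this page; it is not MalwareBazaar code or any vendor's
tooling. The log lines and their field layout (timestamp, source host,
destination:port, URL or '-') are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the entry: the RedLine C2 URL reported by abuse_ch,
# the SmokeLoader C2 URL from the extracted config, and the two RedLine
# host:port pairs from the same config.
C2_URLS = {
    "http://scanintegrutybatowss.pw/api",
    "http://81.19.131.34/fks/index.php",
}
C2_SOCKETS = {("176.123.7.190", 32927), ("77.105.132.87", 17066)}


def normalize_url(url: str) -> str:
    """Canonical form for comparison: lowercase scheme and host, no trailing slash."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path.rstrip("/") or "/"
    return f"{p.scheme.lower()}://{host}{path}"


NORMALIZED_C2_URLS = {normalize_url(u) for u in C2_URLS}
# Bare hosts derived from the URLs and sockets: a host-only hit (for example
# the right IP on a different port) is weaker evidence than a URL or socket hit.
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS} | {ip for ip, _ in C2_SOCKETS}

# Constructed log layout (assumption): <timestamp> <src> <dst>:<port> <url|->
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def classify(line: str):
    """Return (level, indicator) for one log line, or None if nothing matched.

    level is 'url', 'socket' or 'host', in decreasing order of confidence.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _src, dst, port, url = m.groups()
    dst, port = dst.lower(), int(port)
    if url != "-" and normalize_url(url) in NORMALIZED_C2_URLS:
        return ("url", normalize_url(url))
    if (dst, port) in C2_SOCKETS:
        return ("socket", f"{dst}:{port}")
    if dst in C2_HOSTS:
        return ("host", dst)
    return None


def scan(lines):
    """Return [(line_no, level, indicator)] for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        r = classify(line)
        if r:
            hits.append((n, r[0], r[1]))
    return hits


# Constructed sample log lines (not from the page).
SAMPLE_LOG = [
    "2023-12-11T18:40:01Z ws-042 142.250.74.78:443 https://www.google.com/",
    "2023-12-11T18:40:07Z ws-042 176.123.7.190:32927 -",
    "2023-12-11T18:40:09Z ws-042 81.19.131.34:80 http://81.19.131.34/fks/index.php",
    "2023-12-11T18:40:12Z ws-017 scanintegrutybatowss.pw:80 HTTP://SCANINTEGRUTYBATOWSS.PW/api/",
    "2023-12-11T18:40:15Z ws-017 77.105.132.87:443 -",
]

if __name__ == "__main__":
    for line_no, level, indicator in scan(SAMPLE_LOG):
        print(f"line {line_no}: {level} match on {indicator}")
```

Normalising the URL before comparison matters: the fourth sample line has an upper-case scheme and host plus a trailing slash and still hits, while the last line shows a host-only match on 77.105.132.87 over port 443 rather than the configured port 17066, which deserves triage but not the same confidence as a socket hit.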
Unpacked files
SHA256 hash: 503f3cd6bab9e4a2db1589b0c9ef7cacc5fae15a91d1590133075c93c8ef32a3
MD5 hash: 1f74315dca91bc894d55aaf284d95fd2
SHA1 hash: 9eed81cbbc373c070c586830baa4290f262ded09
Detections: SmokeLoaderStage2 win_smokeloader_a2
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_no_import_table
Description: Detect pe file that no import table
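The rule body is not shown on this page, so the check below is an added example of what its name describes rather than the rule's own logic: it walks the DOS header, PE signature and optional header by hand and reports whether the import data directory (IMAGE_DIRECTORY_ENTRY_IMPORT, index 1) is absent or empty. The build_minimal_pe helper constructs synthetic, non-loadable PE images so the check runs offline; it is not derived from the sample.

```python
"""Check whether a PE file carries an import table.

Added example for this page, not the YARA rule's own logic (the rule body is
not shown on the page). It reads "no import table" as: the import data
directory (IMAGE_DIRECTORY_ENTRY_IMPORT, index 1) has RVA 0 or size 0.
build_minimal_pe constructs synthetic, non-loadable PE images for the demo.
"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def import_directory(data: bytes):
    """Return (rva, size) of the import directory.

    Raises ValueError if the data is not a PE image (struct.error if the
    headers are truncated mid-field).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (nrva,) = struct.unpack_from("<I", data, nrva_off)
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    # If NumberOfRvaAndSizes or SizeOfOptionalHeader does not cover the entry,
    # the directory does not exist at all; treat that as "no import table".
    if (nrva <= IMAGE_DIRECTORY_ENTRY_IMPORT
            or entry + 8 > opt + size_of_optional
            or entry + 8 > len(data)):
        return (0, 0)
    return struct.unpack_from("<II", data, entry)


def has_no_import_table(data: bytes) -> bool:
    """True when the import directory is absent or empty (RVA 0 or size 0)."""
    rva, size = import_directory(data)
    return rva == 0 or size == 0


def build_minimal_pe(import_rva=0, import_size=0, pe32plus=False) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header and an
    optional header with 16 data directories and no sections. Not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    fixed = 112 if pe32plus else 96          # optional header bytes before the directories
    size_opt = fixed + 8 * 16
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, size_opt, 0x0002)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, fixed - 4, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, fixed + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     import_rva, import_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        if has_no_import_table(blob):
            print(path, "no import table")
        else:
            print(path, "import table at RVA 0x%x" % import_directory(blob)[0])
```

A PE with no import table can only run if it resolves APIs itself at runtime (for example by walking the loader lists reachable from the PEB and parsing export tables), which is the usual pattern for packed loaders and is consistent with the "packed" and "Detected unpacking" findings on this page. Run the check on the original 38'568-byte file and on any memory dumps taken after unpacking; a dump whose import directory has been rebuilt will no longer match.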

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments