MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52b6e0aa0d6d921ed6dacaffaa3aabce56a1e336e7771a68f9aba2bda64e8aed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52b6e0aa0d6d921ed6dacaffaa3aabce56a1e336e7771a68f9aba2bda64e8aed
SHA3-384 hash: c24430bcb6487a97d89acbf4dc63d0a647c9662c84cd291719f1404d5a4cea6c6f0b4e16ae34e2863776f2ea647e525f
SHA1 hash: ddb436c8e7a98f2b3b15a648a8d39b5f60dd7bda
MD5 hash: ac8a1c20c84716ed980cf4ae6548f8a9
humanhash: fanta-social-saturn-seven
File name:ac8a1c20c84716ed980cf4ae6548f8a9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'853'376 bytes
First seen:2023-12-22 09:00:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:jnYiv1hkrQPSaOGSmeke9qKsUforvKWvDzkPNwJUEP/NYN+rpE/W/Q:bx1CIdSQe0KjorvbPk+J73NStW/
TLSH T11FD533079AD0C266F97C237407EAC2671B743C29FD6143EF3A92390B1AB5E94A535723
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.42.65.31:48396

Intelligence

File Origin
# of uploads :
1
# of downloads :
353
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
RisePro
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469027/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin packed packed risepro rundll32 scriptrunner setupapi sfx shell32 smokeloader stealer virus xpack
Link:
https://www.filescan.io/uploads/65855052b855eb3693ed59ab/reports/bebfa7b9-b67c-4bbb-890b-1ce14832b945/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/52b6e0aa0d6d921ed6dacaffaa3aabce56a1e336e7771a68f9aba2bda64e8aed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd42bdf4-610b-4271-96bf-d503f4d82cbb
Result
Threat name:
Amadey, LummaC Stealer, RedLine, RisePro
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366133
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1366133 Sample: QGShkK4MMl.exe Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 129 attachmentartikidw.fun 2->129 131 s3-w.us-east-1.amazonaws.com 2->131 133 4 other IPs or domains 2->133 163 Snort IDS alert for network traffic 2->163 165 Multi AV Scanner detection for domain / URL 2->165 167 Found malware configuration 2->167 169 20 other signatures 2->169 12 QGShkK4MMl.exe 1 4 2->12         started        15 OfficeTrackerNMP131.exe 14 60 2->15         started        18 MaxLoonaFest131.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 file5 107 C:\Users\user\AppData\Local\...\6zM9cK5.exe, PE32 12->107 dropped 109 C:\Users\user\AppData\Local\...\4aa353Ub.exe, PE32 12->109 dropped 22 6zM9cK5.exe 12->22         started        25 4aa353Ub.exe 16 69 12->25         started        111 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 15->111 dropped 113 C:\...\sgNDEUOheXhN5XEdGFjoYgyhrYiqSDz6.zip, Zip 15->113 dropped 201 Multi AV Scanner detection for dropped file 15->201 203 Detected unpacking (changes PE section rights) 15->203 205 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->205 219 3 other signatures 15->219 29 WerFault.exe 15->29         started        115 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->115 dropped 117 C:\...\1tncjXChbEGYgAfDNF43njSs1kWPU0lE.zip, Zip 18->117 dropped 207 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 18->207 209 Query firmware table information (likely to detect VMs) 18->209 211 Tries to steal Mail credentials (via file / registry access) 18->211 31 WerFault.exe 18->31         started        119 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->119 dropped 121 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->121 dropped 123 2 other malicious files 20->123 dropped 213 Hides threads from debuggers 20->213 215 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->215 217 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 20->217 33 WerFault.exe 20->33         started        35 WerFault.exe 20->35         started        signatures6 process7 dnsIp8 179 Multi AV Scanner detection for dropped file 22->179 181 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->181 183 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->183 191 3 other signatures 22->191 37 explorer.exe 22->37 injected 143 91.92.249.253, 49704, 49705, 49707 THEZONEBG Bulgaria 25->143 145 ipinfo.io 34.117.186.192, 443, 49706, 49708 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 25->145 99 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 25->99 dropped 101 C:\Users\user\AppData\...\FANBooster131.exe, PE32 25->101 dropped 103 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 25->103 dropped 105 2 other malicious files 25->105 dropped 185 Detected unpacking (changes PE section rights) 25->185 187 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->187 189 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 25->189 193 7 other signatures 25->193 42 cmd.exe 1 25->42         started        44 cmd.exe 1 25->44         started        46 WerFault.exe 25->46         started        file9 signatures10 process11 dnsIp12 135 185.215.113.68, 49731, 80 WHOLESALECONNECTIONSNL Portugal 37->135 137 5.42.65.125, 49735, 49738, 49741 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 37->137 139 2 other IPs or domains 37->139 91 C:\Users\user\AppData\Local\Temp\70CF.exe, PE32 37->91 dropped 93 C:\Users\user\AppData\Local\Temp\6D54.exe, PE32 37->93 dropped 95 C:\Users\user\AppData\Local\Temp\64E7.exe, PE32 37->95 dropped 97 5 other malicious files 37->97 dropped 195 System process connects to network (likely due to code injection or exploit) 37->195 197 Benign windows process drops PE files 37->197 48 FANBooster131.exe 37->48         started        52 46EB.exe 37->52         started        54 3585.exe 37->54         started        64 2 other processes 37->64 199 Uses schtasks.exe or at.exe to add and modify task schedules 42->199 56 conhost.exe 42->56         started        58 schtasks.exe 1 42->58         started        60 conhost.exe 44->60         started        62 schtasks.exe 1 44->62         started        file13 signatures14 process15 dnsIp16 83 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 48->83 dropped 85 C:\...\HDZgOYMT77mZNb2Vpq2lmrew5hWnicHw.zip, Zip 48->85 dropped 147 Multi AV Scanner detection for dropped file 48->147 149 Detected unpacking (changes PE section rights) 48->149 151 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->151 161 10 other signatures 48->161 67 WerFault.exe 48->67         started        87 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 52->87 dropped 153 Antivirus detection for dropped file 52->153 155 Machine Learning detection for dropped file 52->155 69 Utsysc.exe 52->69         started        89 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 54->89 dropped 157 Found many strings related to Crypto-Wallets (likely being stolen) 54->157 159 Sample uses process hollowing technique 54->159 72 RegSvcs.exe 54->72         started        75 WerFault.exe 54->75         started        77 WerFault.exe 54->77         started        125 attachmentartikidw.fun 172.67.197.124 CLOUDFLARENETUS United States 64->125 127 176.123.7.190, 32927 ALEXHOSTMD Moldova Republic of 64->127 file17 signatures18 process19 dnsIp20 171 Antivirus detection for dropped file 69->171 173 Multi AV Scanner detection for dropped file 69->173 175 Creates an undocumented autostart registry key 69->175 177 Machine Learning detection for dropped file 69->177 79 schtasks.exe 69->79         started        141 195.20.16.103, 18305 EITADAT-ASFI Finland 72->141 signatures21 process22 process23 81 conhost.exe 79->81         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/52b6e0aa0d6d921ed6dacaffaa3aabce56a1e336e7771a68f9aba2bda64e8aed
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/52b6e0aa0d6d921ed6dacaffaa3aabce56a1e336e7771a68f9aba2bda64e8aed/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-19 22:50:55 UTC
File Type:
PE (Exe)
Extracted files:
66
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kk3obkqnnwjb5vw2zl72uovlzzlkdyzw453ru2hzvorl3jsorlwq._file
Verdict:
unknown
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:smokeloader family:zgrat botnet:666 botnet:@oleh_ps backdoor evasion infostealer persistence rat stealer themida trojan
Link:
https://tria.ge/reports/231222-kyv7rsgbb3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Executes dropped EXE
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect Lumma Stealer payload V4
Detect ZGRat V1
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
http://5.42.65.125
176.123.7.190:32927
185.172.128.33:38294
195.20.16.103:18305
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/89c3e261-f8f5-4291-9264-a07b44d79c87/
SH256 hash:
52b6e0aa0d6d921ed6dacaffaa3aabce56a1e336e7771a68f9aba2bda64e8aed
MD5 hash:
ac8a1c20c84716ed980cf4ae6548f8a9
SHA1 hash:
ddb436c8e7a98f2b3b15a648a8d39b5f60dd7bda
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/89c3e261-f8f5-4291-9264-a07b44d79c87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52b6e0aa0d6d921ed6dacaffaa3aabce56a1e336e7771a68f9aba2bda64e8aed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469027/

Comments