MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
SHA3-384 hash: 2669758408a2544969dcfe756f987a835b3a1158a1db7d84679efc2d804efd31c4a89dedbf7e49776ceeca9c69f54837
SHA1 hash: 87768cdc34c5c71d6d4675b00817e8727ed1b39e
MD5 hash: 1223f69e2c1c0b0ed8c162a87a105d75
humanhash: johnny-iowa-september-zebra
File name:mQ8FT62.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'442'240 bytes
First seen:2023-12-06 02:20:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:UCPRuqMcFBd6Lzap+Np6g6h8BRGE5rQvOb4hCy0x2iy/0+LWFdf:RPRJl78AgjoTbzbiaHWFd
TLSH T1E2B5336AB9D84023CFB133B469FA068B2B29B851847547EF17029F651CB33C45DB772A
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter ukycircle
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
d3b872908454b2d5649fedd5848e02f414837ccd3efb1.exe
Verdict:
Malicious activity
Analysis date:
2023-12-06 01:52:34 UTC
Tags:
risepro stealer evasion loader smoke smokeloader
Link:
https://app.any.run/tasks/420e4427-9210-404f-bcec-0a894a01b3c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462731/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a process
Launching a service
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin lolbin mokes packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/656fda8f3636548f373cca05/reports/24fae35f-429b-4bd7-b702-0093e0c6d15e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6fbb01c9-b7d2-4b46-863b-e1348371f7dd
Result
Threat name:
LummaC Stealer, PrivateLoader, RedLine,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1354357
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354357 Sample: mQ8FT62.exe Startdate: 06/12/2023 Architecture: WINDOWS Score: 100 122 transfer.sh 2->122 124 medicinebuckerrysa.pw 2->124 126 2 other IPs or domains 2->126 144 Snort IDS alert for network traffic 2->144 146 Multi AV Scanner detection for domain / URL 2->146 148 Found malware configuration 2->148 150 18 other signatures 2->150 12 mQ8FT62.exe 1 4 2->12         started        15 OfficeTrackerNMP131.exe 10 501 2->15         started        18 OfficeTrackerNMP131.exe 2->18         started        20 12 other processes 2->20 signatures3 process4 file5 108 C:\Users\user\AppData\Local\...\ZH0MI25.exe, PE32 12->108 dropped 110 C:\Users\user\AppData\Local\...\5sL4tK1.exe, PE32 12->110 dropped 22 ZH0MI25.exe 1 4 12->22         started        194 Antivirus detection for dropped file 15->194 196 Multi AV Scanner detection for dropped file 15->196 198 Tries to steal Mail credentials (via file / registry access) 15->198 208 5 other signatures 15->208 112 C:\...\dyEowjr1UJZH7sXvzpTj53G0Z5vNZlSo.zip, Zip 18->112 dropped 200 Disables Windows Defender (deletes autostart) 18->200 202 Tries to harvest and steal browser information (history, passwords, etc) 18->202 204 Exclude list of file types from scheduled, custom, and real-time scanning 18->204 26 WerFault.exe 18->26         started        206 Machine Learning detection for dropped file 20->206 28 WerFault.exe 20->28         started        30 WerFault.exe 20->30         started        signatures6 process7 file8 84 C:\Users\user\AppData\Local\...\BA5Os31.exe, PE32 22->84 dropped 86 C:\Users\user\AppData\Local\...\4oz017Ag.exe, PE32 22->86 dropped 178 Multi AV Scanner detection for dropped file 22->178 32 BA5Os31.exe 1 4 22->32         started        signatures9 process10 file11 80 C:\Users\user\AppData\Local\...\3WK60hS.exe, PE32 32->80 dropped 82 C:\Users\user\AppData\Local\...\1Be96QP5.exe, PE32 32->82 dropped 142 Multi AV Scanner detection for dropped file 32->142 36 3WK60hS.exe 32->36         started        39 1Be96QP5.exe 11 508 32->39         started        signatures12 process13 dnsIp14 152 Multi AV Scanner detection for dropped file 36->152 154 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->154 156 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->156 164 3 other signatures 36->164 43 explorer.exe 36->43 injected 132 193.233.132.51, 49705, 49706, 49707 FREE-NET-ASFREEnetEU Russian Federation 39->132 134 ipinfo.io 34.117.59.81, 443, 49708, 49709 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 39->134 100 C:\Users\user\AppData\...\FANBooster131.exe, PE32 39->100 dropped 102 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 39->102 dropped 104 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 39->104 dropped 106 2 other malicious files 39->106 dropped 158 Tries to steal Mail credentials (via file / registry access) 39->158 160 Found stalling execution ending in API Sleep call 39->160 162 Disables Windows Defender (deletes autostart) 39->162 166 6 other signatures 39->166 48 schtasks.exe 1 39->48         started        50 schtasks.exe 1 39->50         started        52 WerFault.exe 39->52         started        file15 signatures16 process17 dnsIp18 136 185.196.8.238 SIMPLECARRER2IT Switzerland 43->136 138 185.172.128.19, 49730, 80 NADYMSS-ASRU Russian Federation 43->138 140 2 other IPs or domains 43->140 114 C:\Users\user\AppData\Local\Temp\9654.exe, PE32 43->114 dropped 116 C:\Users\user\AppData\Local\Temp\7FDD.exe, PE32 43->116 dropped 118 C:\Users\user\AppData\Local\Temp\7CFE.exe, PE32 43->118 dropped 120 6 other malicious files 43->120 dropped 190 System process connects to network (likely due to code injection or exploit) 43->190 192 Benign windows process drops PE files 43->192 54 3264.exe 43->54         started        58 70D7.exe 43->58         started        60 3478.exe 43->60         started        66 2 other processes 43->66 62 conhost.exe 48->62         started        64 conhost.exe 50->64         started        file19 signatures20 process21 file22 88 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 54->88 dropped 90 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 54->90 dropped 180 Multi AV Scanner detection for dropped file 54->180 182 Machine Learning detection for dropped file 54->182 68 File2.exe 54->68         started        72 File1.exe 54->72         started        74 conhost.exe 54->74         started        92 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 58->92 dropped 94 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 58->94 dropped 96 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 58->96 dropped 98 2 other malicious files 58->98 dropped 184 Antivirus detection for dropped file 58->184 76 InstallSetup9.exe 58->76         started        78 conhost.exe 60->78         started        186 Modifies the context of a thread in another process (thread injection) 66->186 188 Injects a PE file into a foreign processes 66->188 signatures23 process24 dnsIp25 128 176.123.7.190, 32927, 49732 ALEXHOSTMD Moldova Republic of 68->128 168 Multi AV Scanner detection for dropped file 68->168 170 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 68->170 172 Found many strings related to Crypto-Wallets (likely being stolen) 68->172 130 176.123.10.211, 47430, 49731 ALEXHOSTMD Moldova Republic of 72->130 174 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 72->174 176 Tries to harvest and steal browser information (history, passwords, etc) 72->176 signatures26
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 01:51:06 UTC
File Type:
PE (Exe)
Extracted files:
112
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxrmuss2gu2c6a2ewi3yztpzdqka3skfcz4hesh4c66ttqjm2sua._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor collection discovery loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/231206-cszzrsac39/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
5213cc9a0ab7998702209f16958df4fc893572e5671de110bae9731538ea887d
MD5 hash:
0872cc83af30e80855f1a540e7849bc0
SHA1 hash:
e66e2c67725c0affd64683022f9dbfa9e17db4bb
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/e0c9329f-fffa-4687-b7a4-dafb960f8e52/
Parent samples :
d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed
SH256 hash:
4b9095b4f390371b9dd2885ae1c9d01388d993032f6abdd13d62fff9578f8b5f
MD5 hash:
2d2f649e017d3355adeca7db425279db
SHA1 hash:
581eefdefdd632003528464af2fa8de5ba4e9438
Link:
https://www.unpac.me/results/e0c9329f-fffa-4687-b7a4-dafb960f8e52/
SH256 hash:
7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
MD5 hash:
1223f69e2c1c0b0ed8c162a87a105d75
SHA1 hash:
87768cdc34c5c71d6d4675b00817e8727ed1b39e
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/e0c9329f-fffa-4687-b7a4-dafb960f8e52/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7de2ca4a5a35/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462731/

Comments