MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80c582b105bd6ce588a7eec20fbf73a288d28a2404650b79b96c25c82d885300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80c582b105bd6ce588a7eec20fbf73a288d28a2404650b79b96c25c82d885300
SHA3-384 hash: 32c4dc7dd477e5272ddec0c8490a92d44e82eb9558f496c6e4578529462c1a3da6db7bad58ea3511442f826ede814fef
SHA1 hash: 47eb41b707a5aa88490218c65258ae1c7f3e2efd
MD5 hash: daeff3b01aa993b628d9816934325dee
humanhash: five-illinois-uniform-solar
File name:5sL4tK1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'738'016 bytes
First seen:2023-12-06 02:21:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e2cda978a1321eeb131174780043dc0 (1 x RiseProStealer, 1 x RedLineStealer)
ssdeep 24576:t5CRsVNqSlUl0ABPc3K6mMBz6a9DhvhoSpy:zNqSlUlxAK6N6a3vhy
TLSH T12D85FA2176F95B59F5F34FB896BAA612087ABC6ADF11C2DF1250904E0C21BD08978F37
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter ukycircle
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
d3b872908454b2d5649fedd5848e02f414837ccd3efb1.exe
Verdict:
Malicious activity
Analysis date:
2023-12-06 01:52:34 UTC
Tags:
risepro stealer evasion loader smoke smokeloader
Link:
https://app.any.run/tasks/420e4427-9210-404f-bcec-0a894a01b3c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462736/
Detection(s):
Win.Packed.Pwsx-10012424-0
Create hunting rule

Win.Trojan.Stealerc-10014035-0
Create hunting rule

Win.Trojan.Pwsx-10015942-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin mokes overlay packed
Link:
https://www.filescan.io/uploads/656fdaca50153e59a3184448/reports/3b4f336b-77a8-4075-9250-45789c6d5c00/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/80c582b105bd6ce588a7eec20fbf73a288d28a2404650b79b96c25c82d885300
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Glupteba, LummaC Stealer, RedLine, Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1354351
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354351 Sample: 5sL4tK1.exe Startdate: 06/12/2023 Architecture: WINDOWS Score: 100 109 pinkipinevazzey.pw 2->109 111 musclefarelongea.pw 2->111 113 3 other IPs or domains 2->113 165 Multi AV Scanner detection for domain / URL 2->165 167 Found malware configuration 2->167 169 Malicious sample detected (through community Yara rule) 2->169 171 16 other signatures 2->171 11 5sL4tK1.exe 2->11         started        14 oXnyHd.exe 2->14         started        16 svchost.exe 2->16         started        19 2 other processes 2->19 signatures3 process4 dnsIp5 207 Contains functionality to inject code into remote processes 11->207 209 Writes to foreign memory regions 11->209 211 Allocates memory in foreign processes 11->211 21 AppLaunch.exe 11->21         started        213 Multi AV Scanner detection for dropped file 14->213 215 Injects a PE file into a foreign processes 14->215 107 127.0.0.1 unknown unknown 16->107 24 WerFault.exe 19->24         started        signatures6 process7 signatures8 173 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->173 175 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->175 177 Maps a DLL or memory area into another process 21->177 179 2 other signatures 21->179 26 explorer.exe 20 21 21->26 injected process9 dnsIp10 139 185.196.8.238 SIMPLECARRER2IT Switzerland 26->139 141 185.172.128.19, 49741, 80 NADYMSS-ASRU Russian Federation 26->141 143 2 other IPs or domains 26->143 73 C:\Users\user\AppData\Local\Temp\D3C2.exe, PE32 26->73 dropped 75 C:\Users\user\AppData\Local\Temp\BA0F.exe, PE32 26->75 dropped 77 C:\Users\user\AppData\Local\Temp\B75E.exe, PE32 26->77 dropped 79 7 other files (6 malicious) 26->79 dropped 217 System process connects to network (likely due to code injection or exploit) 26->217 219 Benign windows process drops PE files 26->219 221 Adds a directory exclusion to Windows Defender 26->221 223 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->223 31 A9E0.exe 26->31         started        35 664C.exe 5 26->35         started        37 6CD6.exe 26->37         started        39 8 other processes 26->39 file11 signatures12 process13 dnsIp14 91 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 31->91 dropped 93 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 31->93 dropped 95 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 31->95 dropped 105 2 other malicious files 31->105 dropped 145 Antivirus detection for dropped file 31->145 147 Multi AV Scanner detection for dropped file 31->147 149 Machine Learning detection for dropped file 31->149 42 31839b57a4f11171d6abc8bbc4451ee4.exe 31->42         started        45 latestX.exe 31->45         started        48 toolspub2.exe 31->48         started        59 4 other processes 31->59 97 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 35->97 dropped 99 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 35->99 dropped 50 File2.exe 35->50         started        53 File1.exe 35->53         started        55 conhost.exe 35->55         started        151 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->151 153 Modifies the context of a thread in another process (thread injection) 37->153 155 Injects a PE file into a foreign processes 37->155 57 6CD6.exe 37->57         started        133 pinkipinevazzey.pw 104.21.32.12 CLOUDFLARENETUS United States 39->133 135 195.10.205.16 TSSCOM-ASRU Russian Federation 39->135 137 2 other IPs or domains 39->137 101 C:\Users\user\AppData\Roaming\oXnyHd.exe, PE32 39->101 dropped 103 C:\Users\user\AppData\Local\...\tmp30D0.tmp, XML 39->103 dropped 157 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->157 159 Query firmware table information (likely to detect VMs) 39->159 161 Found many strings related to Crypto-Wallets (likely being stolen) 39->161 163 6 other signatures 39->163 61 11 other processes 39->61 file15 signatures16 process17 dnsIp18 181 Antivirus detection for dropped file 42->181 183 Multi AV Scanner detection for dropped file 42->183 185 Detected unpacking (changes PE section rights) 42->185 197 5 other signatures 42->197 81 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 45->81 dropped 83 C:\Windows\System32\drivers\etc\hosts, ASCII 45->83 dropped 199 2 other signatures 45->199 201 2 other signatures 48->201 115 176.123.7.190, 32927, 49743 ALEXHOSTMD Moldova Republic of 50->115 187 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 50->187 203 2 other signatures 50->203 117 176.123.10.211, 47430, 49742 ALEXHOSTMD Moldova Republic of 53->117 189 Tries to steal Crypto Currency Wallets 53->189 119 108.61.96.165 AS-CHOOPAUS United States 57->119 85 C:\Users\user\AppData\...\sqlite.interop.dll, PE32+ 57->85 dropped 191 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 57->191 193 Tries to steal Mail credentials (via file / registry access) 57->193 205 2 other signatures 57->205 87 C:\Users\user\AppData\Local\Temp\...\tuc3.tmp, PE32 59->87 dropped 89 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 59->89 dropped 63 Broom.exe 59->63         started        66 tuc3.tmp 59->66         started        121 medicinebuckerrysa.pw 172.67.176.17 CLOUDFLARENETUS United States 61->121 123 musclefarelongea.pw 172.67.179.134 CLOUDFLARENETUS United States 61->123 125 3 other IPs or domains 61->125 195 Query firmware table information (likely to detect VMs) 61->195 68 chrome.exe 61->68         started        71 conhost.exe 61->71         started        file19 signatures20 process21 dnsIp22 225 Multi AV Scanner detection for dropped file 63->225 127 microsoftmscompoc.tt.omtrdc.net 68->127 129 part-0012.t-0009.t-msedge.net 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 68->129 131 12 other IPs or domains 68->131 signatures23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/80c582b105bd6ce588a7eec20fbf73a288d28a2404650b79b96c25c82d885300
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80c582b105bd6ce588a7eec20fbf73a288d28a2404650b79b96c25c82d885300/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 01:51:06 UTC
File Type:
PE (Exe)
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdcyfmifxvwolcfh53ba7p3tukenfcrearsqw6nznqs4qlmikmaa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/231206-cs1w3aac46/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
SmokeLoader
Malware Config
C2 Extraction:
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
85f112b4ffae6e3bc975a965215d8fbedc3d531a5c21b561eefcd48d3c6c63f5
MD5 hash:
c77dceefe08c5cc4b340c1598869a8fa
SHA1 hash:
f493198f778effff9dfa90c26cd351925a165255
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/0c0fdae1-d13f-4d90-9b9d-9795ae524674/
Parent samples :
80c582b105bd6ce588a7eec20fbf73a288d28a2404650b79b96c25c82d885300
ff99fd8d3c6207711c6ec61de4b491963b1931db0fbd75ea3b4e30f5df482c2b
e5396263b275a0b90f4158b5555742108df3fe62c19b99c0ca45c03c619e2ec1
5c2c7d3464325e963f224975e3caca21eb4668fc86dc6c51397f5fd135f1b318
d3423d506c9ccc5f5ec5b4acf13716c4387cdc2d61f34b6a6e47dce65b2c9f2a
3c974b9f0a714df2773f11095f9d1c348c3db7676671346baf6e328d7b42bd1a
8c490d6ddb6088af87d6e487397113a54d4e23ace17159fdd514b4a39849d929
ddc048bac90461eba7c48f4b575e59f948650e0c42561d2faf48c3a78a519ebf
ffa5036ac28ddf219766bee866974128fcd7f1f2afd77736adf4749871346466
ffb78b11e896ea9e8f172dec96ab801f66ac29df8102eda69bff1070225c4db1
SH256 hash:
80c582b105bd6ce588a7eec20fbf73a288d28a2404650b79b96c25c82d885300
MD5 hash:
daeff3b01aa993b628d9816934325dee
SHA1 hash:
47eb41b707a5aa88490218c65258ae1c7f3e2efd
Link:
https://www.unpac.me/results/0c0fdae1-d13f-4d90-9b9d-9795ae524674/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80c582b105bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80c582b105bd6ce588a7eec20fbf73a288d28a2404650b79b96c25c82d885300

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462736/

Comments