MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
SHA3-384 hash: ad3f642426da3e09c0ad2d95bb2daa3611e988d07d4c8296a1f87c5df13c3e997ba38fb93400db1ce3ebd80e262ff471
SHA1 hash: 32e3dd4cfc7dc41072c9eee17c6bf2e1553802a4
MD5 hash: 2f3c9be60064deb5a63a27f1c4e50cc0
humanhash: maryland-utah-mobile-nuts
File name:2f3c9be60064deb5a63a27f1c4e50cc0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'495'744 bytes
First seen:2024-01-04 14:30:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:lF8zNNrIkyFXuqSqYJebYimqjeL5UnG/xDrMBjrM9DVncLlw5gTeV0kJ7Hi:lF8IwvJeb5mHFt5m8a2EvM
Threatray 665 similar samples on MalwareBazaar
TLSH T17066339656D8496FDDB67B3388F871CF5E70FC23B439960F5810848E0EA25A4AC31B76
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
103.13.209.45:4782

Intelligence

File Origin
# of uploads :
1
# of downloads :
435
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Running batch commands
Blocking the Windows Defender launch
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-debug anti-vm CAB control explorer installer installer lolbin monero packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6596c128ffafd83ebca5be58/reports/01fa7e31-1c80-4e36-a764-b1bc51ea5018/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c28815ee-14d6-4899-83c7-db5c21a1d217
Result
Threat name:
RisePro Stealer, SmokeLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1369821
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1369821 Sample: K2QGF67iGz.exe Startdate: 04/01/2024 Architecture: WINDOWS Score: 100 153 youtube-ui.l.google.com 2->153 155 www.youtube.com 2->155 157 16 other IPs or domains 2->157 189 Snort IDS alert for network traffic 2->189 191 Found malware configuration 2->191 193 Antivirus detection for URL or domain 2->193 195 16 other signatures 2->195 13 K2QGF67iGz.exe 1 4 2->13         started        16 FANBooster131.exe 2->16         started        19 MaxLoonaFest131.exe 2->19         started        21 8 other processes 2->21 signatures3 process4 file5 127 C:\Users\user\AppData\Local\...\Xj6Hl21.exe, PE32 13->127 dropped 129 C:\Users\user\AppData\Local\...\6kG0qp7.exe, PE32+ 13->129 dropped 23 Xj6Hl21.exe 1 4 13->23         started        131 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 16->131 dropped 133 C:\...\u7l6W8bCFTg6l6Ud6tKUrHpkRyUesHJT.zip, Zip 16->133 dropped 169 Antivirus detection for dropped file 16->169 171 Multi AV Scanner detection for dropped file 16->171 173 Detected unpacking (changes PE section rights) 16->173 187 4 other signatures 16->187 27 WerFault.exe 16->27         started        135 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->135 dropped 137 C:\...\PpdIEOqRjoZOodABUpwdczwIkjxCm9cT.zip, Zip 19->137 dropped 175 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->175 177 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 19->177 179 Tries to steal Mail credentials (via file / registry access) 19->179 29 WerFault.exe 19->29         started        139 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->139 dropped 141 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->141 dropped 143 C:\...\fmWmhQ1C4mmGqgDGVbMsukPklrT5BKLG.zip, Zip 21->143 dropped 181 Machine Learning detection for dropped file 21->181 183 Modifies Windows Defender protection settings 21->183 185 Hides threads from debuggers 21->185 31 powershell.exe 21->31         started        33 powershell.exe 21->33         started        35 powershell.exe 21->35         started        37 22 other processes 21->37 signatures6 process7 file8 115 C:\Users\user\AppData\Local\...\SP4Rr42.exe, PE32 23->115 dropped 117 C:\Users\user\AppData\Local\...\5kB6gI2.exe, PE32 23->117 dropped 213 Antivirus detection for dropped file 23->213 215 Machine Learning detection for dropped file 23->215 39 SP4Rr42.exe 1 4 23->39         started        43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        47 conhost.exe 35->47         started        49 conhost.exe 37->49         started        51 conhost.exe 37->51         started        53 conhost.exe 37->53         started        55 18 other processes 37->55 signatures9 process10 file11 119 C:\Users\user\AppData\Local\...\Qf8gp08.exe, PE32 39->119 dropped 121 C:\Users\user\AppData\Local\...\4Wo403IN.exe, PE32 39->121 dropped 217 Antivirus detection for dropped file 39->217 219 Machine Learning detection for dropped file 39->219 57 Qf8gp08.exe 1 4 39->57         started        signatures12 process13 file14 123 C:\Users\user\AppData\Local\...\Vr8oH09.exe, PE32 57->123 dropped 125 C:\Users\user\AppData\Local\...\3hL78Uj.exe, PE32 57->125 dropped 231 Antivirus detection for dropped file 57->231 233 Machine Learning detection for dropped file 57->233 61 Vr8oH09.exe 1 4 57->61         started        signatures15 process16 file17 145 C:\Users\user\AppData\Local\...\2pX3090.exe, PE32 61->145 dropped 147 C:\Users\user\AppData\Local\...\1dP82wv5.exe, PE32 61->147 dropped 235 Antivirus detection for dropped file 61->235 237 Binary is likely a compiled AutoIt script file 61->237 239 Machine Learning detection for dropped file 61->239 65 2pX3090.exe 21 40 61->65         started        70 1dP82wv5.exe 12 61->70         started        signatures18 process19 dnsIp20 149 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 65->149 151 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 65->151 107 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 65->107 dropped 109 C:\Users\user\AppData\...\FANBooster131.exe, PE32 65->109 dropped 111 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 65->111 dropped 113 2 other malicious files 65->113 dropped 197 Antivirus detection for dropped file 65->197 199 Multi AV Scanner detection for dropped file 65->199 201 Detected unpacking (changes PE section rights) 65->201 211 9 other signatures 65->211 72 powershell.exe 65->72         started        75 cmd.exe 65->75         started        77 cmd.exe 65->77         started        86 12 other processes 65->86 203 Binary is likely a compiled AutoIt script file 70->203 205 Machine Learning detection for dropped file 70->205 207 Found API chain indicative of sandbox detection 70->207 209 Contains functionality to modify clipboard data 70->209 79 chrome.exe 1 70->79         started        82 chrome.exe 70->82         started        84 chrome.exe 70->84         started        file21 signatures22 process23 dnsIp24 221 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 72->221 223 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 72->223 225 Found many strings related to Crypto-Wallets (likely being stolen) 72->225 229 2 other signatures 72->229 88 conhost.exe 72->88         started        227 Uses schtasks.exe or at.exe to add and modify task schedules 75->227 101 2 other processes 75->101 103 2 other processes 77->103 165 192.168.2.4 unknown unknown 79->165 167 239.255.255.250 unknown Reserved 79->167 90 chrome.exe 79->90         started        93 chrome.exe 79->93         started        95 chrome.exe 79->95         started        97 chrome.exe 82->97         started        99 chrome.exe 84->99         started        105 11 other processes 86->105 signatures25 process26 dnsIp27 159 youtube-ui.l.google.com 142.250.31.190 GOOGLEUS United States 90->159 161 static.doubleclick.net 142.251.111.149 GOOGLEUS United States 90->161 163 43 other IPs or domains 90->163
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2024-01-04 14:31:08 UTC
File Type:
PE (Exe)
Extracted files:
224
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5kf2jn5poqusauhwqgbpdj3ov3fiv2wlsvh2j5iahmkfyq5l7jq._file
Verdict:
malicious
Similar samples:
44d85e7e0e05ce06956da634a3f19633f1393bf7f82f1faef84e2c4e9d57af5a
RedLineStealer
46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
RedLineStealer
4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1
RedLineStealer
66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384
RedLineStealer
7324e9649a54a5f6767cf58fcec138770627780486cbb709f751a684be7a0b1a
RedLineStealer
8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486
RedLineStealer
94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233
RedLineStealer
b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd
RedLineStealer
bd09222e00af329436f92ffddb3d0b35bc2ba06142c28731a7701b1f02d035ab
RedLineStealer
e676efee6430e704781265aaa9f98be910d8a0897ad2b4dc2cc93d8461c2851b
RedLineStealer
+ 655 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:zgrat backdoor collection discovery evasion persistence rat spyware stealer themida trojan
Link:
https://tria.ge/reports/240104-rvpn5shhhk/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Windows security modification
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect ZGRat V1
Modifies Windows Defender Real-time Protection settings
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
Unpacked files
SH256 hash:
a79c21bf239c475d9d666468f5771106f27f33431ff6c80f9c5904c1dc59aa1d
MD5 hash:
a99ea8af69aa691c251b1619762fa253
SHA1 hash:
dd113abdef305b9a70f904e48ec79947a8d0f7cd
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/a8987212-58b7-4f93-91d6-47aadda107ad/
Parent samples :
b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd
9c7844e137bd630f22e7d487c43be450d9c185ea7339230bef46d2decb817d4d
e3cdb09481565d89e6123cf4145a1291d7abeac808d2f19364f9a3e04c3e1ccc
SH256 hash:
f92c6cd33f2b6190f3b1b22f5810f941901cc348c50f367ba15a0287f1f6379c
MD5 hash:
d2eb28c0c95995935206e14103ddd130
SHA1 hash:
c6c7a767a15baa64a8d9baad062d25ae4f1391ef
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/a8987212-58b7-4f93-91d6-47aadda107ad/
SH256 hash:
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
MD5 hash:
2f3c9be60064deb5a63a27f1c4e50cc0
SHA1 hash:
32e3dd4cfc7dc41072c9eee17c6bf2e1553802a4
Link:
https://www.unpac.me/results/a8987212-58b7-4f93-91d6-47aadda107ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2744391/
  
Delivery method
Distributed via web download

Comments