MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed
SHA3-384 hash: 2ca289c0ec2f20a1a25af524955dd3ea5d6be772d400c184edb1b902229d6ea32d1e61a4cc081a3b735276e76b4831f9
SHA1 hash: 3bcc382bda7844f89394cd0ff4423b9a91aa9bc6
MD5 hash: 94fa0fd13c948e539093125e17dbe8b0
humanhash: echo-virginia-king-carolina
File name:ZH0MI25.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'946'624 bytes
First seen:2023-12-06 02:20:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:O6I23YcRWdUazcpEm2mRpbtdhL/dBPNOv6fOsGh+yK+2sn:RIiZYmOGt1CvEorUsn
TLSH T139952326FDD88033DE7127F16DF943831A27BC6148B4826B178695AA4CB3785687373E
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter ukycircle
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
d3b872908454b2d5649fedd5848e02f414837ccd3efb1.exe
Verdict:
Malicious activity
Analysis date:
2023-12-06 01:52:34 UTC
Tags:
risepro stealer evasion loader smoke smokeloader
Link:
https://app.any.run/tasks/420e4427-9210-404f-bcec-0a894a01b3c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462732/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a process
Launching a service
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin mokes packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/656fda90855eb2633d60e70d/reports/795816d9-cd67-4151-8997-26987931cff6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
LummaC Stealer, PrivateLoader, RedLine,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1354356
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354356 Sample: ZH0MI25.exe Startdate: 06/12/2023 Architecture: WINDOWS Score: 100 119 transfer.sh 2->119 121 ipinfo.io 2->121 123 3.246.11.0.in-addr.arpa 2->123 159 Multi AV Scanner detection for domain / URL 2->159 161 Found malware configuration 2->161 163 Malicious sample detected (through community Yara rule) 2->163 165 17 other signatures 2->165 11 ZH0MI25.exe 1 4 2->11         started        14 OfficeTrackerNMP131.exe 10 501 2->14         started        17 OfficeTrackerNMP131.exe 2->17         started        19 12 other processes 2->19 signatures3 process4 file5 109 C:\Users\user\AppData\Local\...\BA5Os31.exe, PE32 11->109 dropped 111 C:\Users\user\AppData\Local\...\4oz017Ag.exe, PE32 11->111 dropped 21 BA5Os31.exe 1 4 11->21         started        113 C:\...\xco_XyDg_NoC9PMGuE7zeNAW6gwrPRbu.zip, Zip 14->113 dropped 171 Antivirus detection for dropped file 14->171 173 Multi AV Scanner detection for dropped file 14->173 175 Tries to steal Mail credentials (via file / registry access) 14->175 189 2 other signatures 14->189 24 WerFault.exe 14->24         started        177 Disables Windows Defender (deletes autostart) 17->177 179 Tries to harvest and steal browser information (history, passwords, etc) 17->179 181 Exclude list of file types from scheduled, custom, and real-time scanning 17->181 183 Machine Learning detection for dropped file 19->183 185 Found stalling execution ending in API Sleep call 19->185 187 Contains functionality to inject threads in other processes 19->187 26 WerFault.exe 19->26         started        28 WerFault.exe 19->28         started        signatures6 process7 file8 97 C:\Users\user\AppData\Local\...\3WK60hS.exe, PE32 21->97 dropped 99 C:\Users\user\AppData\Local\...\1Be96QP5.exe, PE32 21->99 dropped 30 3WK60hS.exe 21->30         started        33 1Be96QP5.exe 11 508 21->33         started        process9 dnsIp10 191 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 30->191 193 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 30->193 195 Maps a DLL or memory area into another process 30->195 203 2 other signatures 30->203 37 explorer.exe 30->37 injected 115 ipinfo.io 34.117.59.81, 443, 49708, 49711 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 33->115 117 193.233.132.51, 49707, 49709, 49710 FREE-NET-ASFREEnetEU Russian Federation 33->117 89 C:\Users\user\AppData\...\FANBooster131.exe, PE32 33->89 dropped 91 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 33->91 dropped 93 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 33->93 dropped 95 2 other malicious files 33->95 dropped 197 Tries to steal Mail credentials (via file / registry access) 33->197 199 Found stalling execution ending in API Sleep call 33->199 201 Disables Windows Defender (deletes autostart) 33->201 205 6 other signatures 33->205 42 schtasks.exe 1 33->42         started        44 schtasks.exe 1 33->44         started        46 WerFault.exe 33->46         started        file11 signatures12 process13 dnsIp14 125 185.196.8.238 SIMPLECARRER2IT Switzerland 37->125 127 185.172.128.19, 49731, 80 NADYMSS-ASRU Russian Federation 37->127 129 2 other IPs or domains 37->129 101 C:\Users\user\AppData\Local\Temp\FDE9.exe, PE32 37->101 dropped 103 C:\Users\user\AppData\Local\Temp927.exe, PE32 37->103 dropped 105 C:\Users\user\AppData\Local\Temp454.exe, PE32 37->105 dropped 107 6 other malicious files 37->107 dropped 167 System process connects to network (likely due to code injection or exploit) 37->167 169 Benign windows process drops PE files 37->169 48 9371.exe 37->48         started        52 D7DF.exe 37->52         started        54 96BD.exe 37->54         started        61 2 other processes 37->61 57 conhost.exe 42->57         started        59 conhost.exe 44->59         started        file15 signatures16 process17 dnsIp18 77 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 48->77 dropped 79 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 48->79 dropped 143 Multi AV Scanner detection for dropped file 48->143 145 Machine Learning detection for dropped file 48->145 63 File2.exe 48->63         started        67 File1.exe 48->67         started        69 conhost.exe 48->69         started        81 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 52->81 dropped 83 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 52->83 dropped 85 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 52->85 dropped 87 2 other malicious files 52->87 dropped 147 Antivirus detection for dropped file 52->147 71 InstallSetup9.exe 52->71         started        131 195.10.205.16 TSSCOM-ASRU Russian Federation 54->131 149 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 54->149 151 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 54->151 73 conhost.exe 54->73         started        153 Tries to harvest and steal browser information (history, passwords, etc) 61->153 155 Modifies the context of a thread in another process (thread injection) 61->155 157 Injects a PE file into a foreign processes 61->157 75 conhost.exe 61->75         started        file19 signatures20 process21 dnsIp22 133 176.123.7.190, 32927, 49732 ALEXHOSTMD Moldova Republic of 63->133 137 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 63->137 139 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 63->139 141 Tries to steal Crypto Currency Wallets 63->141 135 176.123.10.211, 47430, 49733 ALEXHOSTMD Moldova Republic of 67->135 signatures23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 01:51:06 UTC
File Type:
PE (Exe)
Extracted files:
75
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rqc7gew33ldjm3bzemmmw5beaugn6mtbmc7cqba76zo2lldvatwq._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro loader persistence stealer
Link:
https://tria.ge/reports/231206-cs1ajaac42/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Drops startup file
Executes dropped EXE
PrivateLoader
RisePro
Malware Config
C2 Extraction:
193.233.132.51
Unpacked files
SH256 hash:
5213cc9a0ab7998702209f16958df4fc893572e5671de110bae9731538ea887d
MD5 hash:
0872cc83af30e80855f1a540e7849bc0
SHA1 hash:
e66e2c67725c0affd64683022f9dbfa9e17db4bb
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/561b30fa-64fd-4f92-9dc5-7f5386c98613/
Parent samples :
d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed
SH256 hash:
4b9095b4f390371b9dd2885ae1c9d01388d993032f6abdd13d62fff9578f8b5f
MD5 hash:
2d2f649e017d3355adeca7db425279db
SHA1 hash:
581eefdefdd632003528464af2fa8de5ba4e9438
Link:
https://www.unpac.me/results/561b30fa-64fd-4f92-9dc5-7f5386c98613/
SH256 hash:
8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed
MD5 hash:
94fa0fd13c948e539093125e17dbe8b0
SHA1 hash:
3bcc382bda7844f89394cd0ff4423b9a91aa9bc6
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/561b30fa-64fd-4f92-9dc5-7f5386c98613/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c05f312dbda/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462732/

Comments