MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b0d858bbb5099297f17cd5c7b6c9414143fb4b99afeee581107a50493161bd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15


SHA256 hash: 9b0d858bbb5099297f17cd5c7b6c9414143fb4b99afeee581107a50493161bd5
SHA3-384 hash: 96784a070620c7aae70921c1ccb43476a24f84473ddb895fec0a7b2cc51c7f0a90b7b65b7e4d44fb3b0720bdbabe6408
SHA1 hash: 3c5e89328c9d134e7690e2a6029f8e1bb1809b6e
MD5 hash: 5e2eb10af1a04afa53efb1ac20e8c45e
humanhash: seventeen-jupiter-white-yankee
File name: 5e2eb10af1a04afa53efb1ac20e8c45e.exe
Signature: RedLineStealer
File size: 253'952 bytes
First seen: 2023-11-10 17:06:17 UTC
Last seen: 2023-11-10 18:16:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 48be20798c978bee66ef4268b8d28670 (2 x Heodo, 1 x RedLineStealer)
ssdeep: 3072:pSdDJp7LU+5Fo2NXINf3xSgfP8pFPWO95C/wgpz4+B+yQOvI:gdr0se2NaSgfUpFPh5C/DU
TLSH: T1EF444A0363A13861EF2246318E2AF6E46E1EF5604F5477BB1E646A1FC5709F2F66230D
TrID:
  39.5% (.EXE) InstallShield setup (43053/19/16)
  28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 0060664a4f034500 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
5.42.92.51:19057

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 329
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5e2eb10af1a04afa53efb1ac20e8c45e.exe
Verdict: Malicious activity
Analysis date: 2023-11-10 17:06:26 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control greyware lolbin packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 1340796, sample shUlN6FiVQ.exe, start date 10/11/2023, architecture WINDOWS, score 100): graph rendering omitted.
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2023-11-10 17:07:04 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader botnet:pub4 backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 9b9d5cf0cbdcbf67a3d1f42509985228a4a62cacfd79ee095beb512c75ae4998
MD5 hash: c6ba5e70e5a630f884f3c7cec5746363
SHA1 hash: 6b457f6f2abb8e4e1e3f49385ac8588acd2c7f29
Detections: SmokeLoaderStage2 win_smokeloader_a2
Parent samples:
SHA256 hash: 9b0d858bbb5099297f17cd5c7b6c9414143fb4b99afeee581107a50493161bd5
MD5 hash: 5e2eb10af1a04afa53efb1ac20e8c45e
SHA1 hash: 3c5e89328c9d134e7690e2a6029f8e1bb1809b6e
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: pe_no_import_table
Description: Detects PE files that have no import table
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe 9b0d858bbb5099297f17cd5c7b6c9414143fb4b99afeee581107a50493161bd5 (this sample)

Delivery method: Distributed via web download
