MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b22e78e71dee0ab92ed95b9dee69f142bc5a0d112e26ec9615ffaa37894504c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: 9b22e78e71dee0ab92ed95b9dee69f142bc5a0d112e26ec9615ffaa37894504c
SHA3-384 hash: e22fe300ccfac0559da44222536cd26392463ae18fac47e5e826ae0c617f1e0d6e11a6e07bcda21ff9207b12c3eb1797
SHA1 hash: 4532609eb662a335bbbe68bc0a3333a5a10ce7c7
MD5 hash: 023f7549aba23f064161a497cd11626b
humanhash: don-timing-six-nebraska
File name: 023f7549aba23f064161a497cd11626b.exe
Signature: RedLineStealer
File size: 38'019 bytes
First seen: 2023-12-22 01:00:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3
TLSH: T1E503D08A1C219A78FE1542F7169C8FD4533DD8CB61F3AF4D4A36893764CB7B482342A9
TrID: 42.6% (.EXE) Win32 Executable (generic) (4505/5/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      18.9% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
      0.2% (.VXD) VXD Driver (29/21)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
5.42.65.31:48396

Intelligence


File Origin
# of uploads: 1
# of downloads: 329
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 872aef68846ab8587a930d7d786a1a51.exe
Verdict: Malicious activity
Analysis date: 2023-12-18 23:57:57 UTC
Tags: risepro stealer evasion loader smoke smokeloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Threat level: 10/10
Confidence: 60%
Tags: overlay packed xpack
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, LummaC Stealer, RedLine, SmokeLo
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph ID: 1365907 (Sample: zFZmNLWVfM.exe, Startdate: 22/12/2023, Architecture: WINDOWS, Score: 100). The process, file-drop and network graph itself is an image and is not reproduced here.
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2023-12-18 23:56:06 UTC
File Type: PE (Exe)
AV detection: 30 of 37 (81.08%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:amadey family:dcrat family:glupteba family:lumma family:redline family:smokeloader family:stealc family:zgrat botnet:666 botnet:@oleh_ps botnet:up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Registers COM server for autorun
Themida packer
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
DcRat
Detect Lumma Stealer payload V4
Detect ZGRat V1
Glupteba
Glupteba payload
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Stealc
Windows security bypass
ZGRat
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 9b22e78e71dee0ab92ed95b9dee69f142bc5a0d112e26ec9615ffaa37894504c
MD5 hash: 023f7549aba23f064161a497cd11626b
SHA1 hash: 4532609eb662a335bbbe68bc0a3333a5a10ce7c7
Detections: SmokeLoaderStage2 win_smokeloader_a2
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments