MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
SHA3-384 hash: a0dfeb2e21f48b9b779641f8523af6bfd45471e52bae635beeaeece0fe6f2aafb7cab66cc7770e0dfe7f085bb3753d02
SHA1 hash: 8773d98d74fff190df1add381cf641840e5f77ae
MD5 hash: 7c4e3e9ca9e5e5c13b648e0bd891a390
humanhash: fix-river-yankee-lactose
File name:BA5Os31.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:808'448 bytes
First seen:2023-12-06 02:21:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:KMrVy90YN8degBdF/RIqaSVJ3zQFo/DiK+BZhzSLU2qQCNQmhZNyztJqkyOhmIB:XyP8dTBd9baS7QW7lkzSFuCyyz/MvIB
Threatray 1 similar samples on MalwareBazaar
TLSH T107051222B7E44033D9B127B058F607831B36BDF29879436B678696971CB3B84647633B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter ukycircle
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
413
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
d3b872908454b2d5649fedd5848e02f414837ccd3efb1.exe
Verdict:
Malicious activity
Analysis date:
2023-12-06 01:52:34 UTC
Tags:
risepro stealer evasion loader smoke smokeloader
Link:
https://app.any.run/tasks/420e4427-9210-404f-bcec-0a894a01b3c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462738/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a process
Launching a service
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Reading critical registry keys
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control crypto explorer fingerprint greyware installer lolbin lolbin monero packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/656fdacc3636548f373ccaa8/reports/58c74e5e-34a5-4393-bb84-eb19505f555d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
LummaC Stealer, PrivateLoader, RedLine,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1354359
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354359 Sample: BA5Os31.exe Startdate: 06/12/2023 Architecture: WINDOWS Score: 100 123 transfer.sh 2->123 125 pinkipinevazzey.pw 2->125 127 3 other IPs or domains 2->127 145 Snort IDS alert for network traffic 2->145 147 Multi AV Scanner detection for domain / URL 2->147 149 Found malware configuration 2->149 151 18 other signatures 2->151 11 BA5Os31.exe 1 4 2->11         started        14 OfficeTrackerNMP131.exe 10 501 2->14         started        17 OfficeTrackerNMP131.exe 2->17         started        19 4 other processes 2->19 signatures3 process4 file5 97 C:\Users\user\AppData\Local\...\3WK60hS.exe, PE32 11->97 dropped 99 C:\Users\user\AppData\Local\...\1Be96QP5.exe, PE32 11->99 dropped 21 3WK60hS.exe 11->21         started        24 1Be96QP5.exe 11 508 11->24         started        195 Antivirus detection for dropped file 14->195 197 Multi AV Scanner detection for dropped file 14->197 199 Tries to steal Mail credentials (via file / registry access) 14->199 209 5 other signatures 14->209 28 WerFault.exe 14->28         started        101 C:\...\dLrtD9_2oNqW3iFzqwPedRo9OKTE1f0x.zip, Zip 17->101 dropped 201 Found many strings related to Crypto-Wallets (likely being stolen) 17->201 203 Disables Windows Defender (deletes autostart) 17->203 205 Tries to harvest and steal browser information (history, passwords, etc) 17->205 30 WerFault.exe 17->30         started        207 Machine Learning detection for dropped file 19->207 signatures6 process7 dnsIp8 153 Multi AV Scanner detection for dropped file 21->153 155 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->155 157 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->157 165 3 other signatures 21->165 32 explorer.exe 21->32 injected 129 193.233.132.51, 49703, 49705, 49706 FREE-NET-ASFREEnetEU Russian Federation 24->129 131 ipinfo.io 34.117.59.81, 443, 49704, 49707 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 24->131 89 C:\Users\user\AppData\...\FANBooster131.exe, PE32 24->89 dropped 91 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 24->91 dropped 93 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 24->93 dropped 95 2 other malicious files 24->95 dropped 159 Antivirus detection for dropped file 24->159 161 Tries to steal Mail credentials (via file / registry access) 24->161 163 Machine Learning detection for dropped file 24->163 167 8 other signatures 24->167 37 schtasks.exe 1 24->37         started        39 schtasks.exe 1 24->39         started        41 WerFault.exe 24->41         started        file9 signatures10 process11 dnsIp12 115 185.172.128.19, 49728, 80 NADYMSS-ASRU Russian Federation 32->115 117 81.19.131.34, 49727, 80 IVC-ASRU Russian Federation 32->117 119 transfer.sh 144.76.136.153 HETZNER-ASDE Germany 32->119 79 C:\Users\user\AppData\Local\Temp\F682.exe, PE32 32->79 dropped 81 C:\Users\user\AppData\Local\Temp\CB5C.exe, PE32 32->81 dropped 83 C:\Users\user\AppData\Local\Temp\B0A1.exe, PE32+ 32->83 dropped 85 6 other malicious files 32->85 dropped 139 System process connects to network (likely due to code injection or exploit) 32->139 141 Benign windows process drops PE files 32->141 143 Found many strings related to Crypto-Wallets (likely being stolen) 32->143 43 A95B.exe 32->43         started        47 59B3.exe 32->47         started        49 AC5A.exe 32->49         started        52 B0A1.exe 32->52         started        54 conhost.exe 37->54         started        56 conhost.exe 39->56         started        file13 signatures14 process15 dnsIp16 103 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 43->103 dropped 105 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 43->105 dropped 179 Multi AV Scanner detection for dropped file 43->179 181 Machine Learning detection for dropped file 43->181 58 File2.exe 43->58         started        62 File1.exe 43->62         started        64 cmd.exe 43->64         started        66 conhost.exe 43->66         started        107 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 47->107 dropped 109 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 47->109 dropped 111 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 47->111 dropped 113 2 other malicious files 47->113 dropped 183 Antivirus detection for dropped file 47->183 68 InstallSetup9.exe 47->68         started        121 195.10.205.16, 2245, 49731 TSSCOM-ASRU Russian Federation 49->121 185 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->185 187 Found many strings related to Crypto-Wallets (likely being stolen) 49->187 189 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 49->189 70 conhost.exe 49->70         started        191 Modifies the context of a thread in another process (thread injection) 52->191 193 Injects a PE file into a foreign processes 52->193 72 B0A1.exe 52->72         started        file17 signatures18 process19 dnsIp20 133 176.123.7.190, 32927, 49730 ALEXHOSTMD Moldova Republic of 58->133 169 Multi AV Scanner detection for dropped file 58->169 171 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 58->171 173 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 58->173 175 Tries to harvest and steal browser information (history, passwords, etc) 58->175 135 176.123.10.211, 47430, 49729 ALEXHOSTMD Moldova Republic of 62->135 177 Tries to steal Crypto Currency Wallets 62->177 75 conhost.exe 64->75         started        77 choice.exe 64->77         started        137 108.61.96.165 AS-CHOOPAUS United States 72->137 87 C:\Users\user\AppData\...\sqlite.interop.dll, PE32+ 72->87 dropped file21 signatures22 process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 01:51:06 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3onhb66zlfibdmxmucdocyg7cx6o27wmewsste3kn3ib72ifpla._file
Verdict:
malicious
Similar samples:
d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
RedLineStealer
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor collection discovery loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/231206-ctklgaac54/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
5213cc9a0ab7998702209f16958df4fc893572e5671de110bae9731538ea887d
MD5 hash:
0872cc83af30e80855f1a540e7849bc0
SHA1 hash:
e66e2c67725c0affd64683022f9dbfa9e17db4bb
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/83382573-4e33-4b32-ae0f-887ceb415992/
Parent samples :
d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed
SH256 hash:
4b9095b4f390371b9dd2885ae1c9d01388d993032f6abdd13d62fff9578f8b5f
MD5 hash:
2d2f649e017d3355adeca7db425279db
SHA1 hash:
581eefdefdd632003528464af2fa8de5ba4e9438
Link:
https://www.unpac.me/results/83382573-4e33-4b32-ae0f-887ceb415992/
SH256 hash:
9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
MD5 hash:
7c4e3e9ca9e5e5c13b648e0bd891a390
SHA1 hash:
8773d98d74fff190df1add381cf641840e5f77ae
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/83382573-4e33-4b32-ae0f-887ceb415992/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9edcd387deca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462738/

Comments