MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b928d37ab77db12ed05e85b0eb21829639369b27dccaf37ddbd056c9457f7319. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b928d37ab77db12ed05e85b0eb21829639369b27dccaf37ddbd056c9457f7319
SHA3-384 hash: 2eae494fa9a32524b85ea31137f2510ec1d4d9546b86710631ed8f95379f366ca7d0e1f0398d5835523f97cafabdb194
SHA1 hash: 482d0e365455c43864730d85feb28e390d7b3d99
MD5 hash: 05d226f9416143d089de0dfcf50c2c44
humanhash: july-ink-comet-shade
File name:05d226f9416143d089de0dfcf50c2c44.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'853'376 bytes
First seen:2023-12-22 01:15:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:xrYiv1hkrQPSaOGSmeke9qKsUforvKWvDzkPNwJUEP/NYN+rpE/W/I:hx1CIdSQe0KjorvbPk+J73NStW/
Threatray 212 similar samples on MalwareBazaar
TLSH T10BD533079AD0D227F87C237406FA82631BB47C69FD6143EF3A92390B1AB1D94A535727
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.42.65.31:48396

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
RisePro
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468892/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin packed packed risepro rundll32 scriptrunner setupapi sfx shell32 smokeloader stealer virus xpack
Link:
https://www.filescan.io/uploads/6584e352b290743934ea6ea8/reports/fae8e875-400a-481d-9f3e-dc341b85c1b0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b928d37ab77db12ed05e85b0eb21829639369b27dccaf37ddbd056c9457f7319
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/113b6c9d-9126-4b87-98f9-2ec8fd269c75
Result
Threat name:
Amadey, LummaC Stealer, RedLine, RisePro
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365910
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365910 Sample: 1vZX9U5Diw.exe Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 127 attachmentartikidw.fun 2->127 129 s3-w.us-east-1.amazonaws.com 2->129 131 4 other IPs or domains 2->131 171 Snort IDS alert for network traffic 2->171 173 Multi AV Scanner detection for domain / URL 2->173 175 Found malware configuration 2->175 177 23 other signatures 2->177 12 1vZX9U5Diw.exe 1 4 2->12         started        15 MaxLoonaFest131.exe 2->15         started        18 OfficeTrackerNMP131.exe 14 60 2->18         started        20 4 other processes 2->20 signatures3 process4 file5 111 C:\Users\user\AppData\Local\...\6fV9co9.exe, PE32 12->111 dropped 113 C:\Users\user\AppData\Local\...\4vc629iJ.exe, PE32 12->113 dropped 22 6fV9co9.exe 12->22         started        25 4vc629iJ.exe 16 69 12->25         started        115 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 15->115 dropped 117 C:\...\ZVOBfHVItfwoR9yIXav78dPkhu3OWDTn.zip, Zip 15->117 dropped 231 Multi AV Scanner detection for dropped file 15->231 233 Detected unpacking (changes PE section rights) 15->233 235 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->235 249 3 other signatures 15->249 29 WerFault.exe 15->29         started        119 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->119 dropped 121 C:\...\Au5glI9D6ZbWc0i9gXjDiyLiEp6L1gUy.zip, Zip 18->121 dropped 237 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 18->237 239 Query firmware table information (likely to detect VMs) 18->239 241 Tries to steal Mail credentials (via file / registry access) 18->241 31 WerFault.exe 18->31         started        123 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->123 dropped 125 C:\...\w0UceSCxDWhx4rERcOWYy7Xdc8l4M7m9.zip, Zip 20->125 dropped 243 Hides threads from debuggers 20->243 245 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->245 247 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 20->247 33 WerFault.exe 20->33         started        signatures6 process7 dnsIp8 199 Multi AV Scanner detection for dropped file 22->199 201 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->201 203 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->203 211 3 other signatures 22->211 35 explorer.exe 22->35 injected 145 91.92.249.253, 49704, 49705, 49706 THEZONEBG Bulgaria 25->145 147 ipinfo.io 34.117.186.192, 443, 49707, 49708 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 25->147 103 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 25->103 dropped 105 C:\Users\user\AppData\...\FANBooster131.exe, PE32 25->105 dropped 107 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 25->107 dropped 109 2 other malicious files 25->109 dropped 205 Detected unpacking (changes PE section rights) 25->205 207 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->207 209 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 25->209 213 7 other signatures 25->213 40 OfficeTrackerNMP131.exe 25->40         started        42 cmd.exe 1 25->42         started        44 cmd.exe 1 25->44         started        46 WerFault.exe 25->46         started        file9 signatures10 process11 dnsIp12 137 185.215.113.68, 49735, 80 WHOLESALECONNECTIONSNL Portugal 35->137 139 5.42.65.125, 49739, 49741, 49742 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 35->139 141 2 other IPs or domains 35->141 91 C:\Users\user\AppData\Local\Temp\97B9.exe, PE32 35->91 dropped 93 C:\Users\user\AppData\Local\Temp\9372.exe, PE32 35->93 dropped 95 C:\Users\user\AppData\Local\Temp\8884.exe, PE32 35->95 dropped 101 5 other malicious files 35->101 dropped 179 System process connects to network (likely due to code injection or exploit) 35->179 181 Benign windows process drops PE files 35->181 48 FANBooster131.exe 35->48         started        52 425E.exe 35->52         started        54 528B.exe 35->54         started        66 3 other processes 35->66 97 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 40->97 dropped 99 C:\...\rXjY01dVnpTdruHzzBXe9LQov2ZlwMpR.zip, Zip 40->99 dropped 183 Query firmware table information (likely to detect VMs) 40->183 185 Tries to steal Mail credentials (via file / registry access) 40->185 187 Hides threads from debuggers 40->187 195 2 other signatures 40->195 56 WerFault.exe 40->56         started        189 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->189 191 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 42->191 193 Uses schtasks.exe or at.exe to add and modify task schedules 42->193 197 2 other signatures 42->197 58 conhost.exe 42->58         started        60 schtasks.exe 1 42->60         started        62 conhost.exe 44->62         started        64 schtasks.exe 1 44->64         started        file13 signatures14 process15 dnsIp16 83 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 48->83 dropped 85 C:\...\VStC333U91f8eQEpNn7PbTWqWEBu8bXD.zip, Zip 48->85 dropped 149 Multi AV Scanner detection for dropped file 48->149 151 Detected unpacking (changes PE section rights) 48->151 153 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->153 169 10 other signatures 48->169 69 WerFault.exe 48->69         started        87 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 52->87 dropped 155 Machine Learning detection for dropped file 52->155 157 Found many strings related to Crypto-Wallets (likely being stolen) 52->157 159 Writes to foreign memory regions 52->159 71 RegSvcs.exe 52->71         started        89 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 54->89 dropped 161 Antivirus detection for dropped file 54->161 75 Utsysc.exe 54->75         started        133 attachmentartikidw.fun 104.21.76.167 CLOUDFLARENETUS United States 66->133 135 176.123.7.190, 32927 ALEXHOSTMD Moldova Republic of 66->135 163 Allocates memory in foreign processes 66->163 165 Sample uses process hollowing technique 66->165 167 Injects a PE file into a foreign processes 66->167 77 RegSvcs.exe 66->77         started        file17 signatures18 process19 dnsIp20 143 195.20.16.103, 18305, 49740 EITADAT-ASFI Finland 71->143 215 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 71->215 217 Found many strings related to Crypto-Wallets (likely being stolen) 71->217 219 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 71->219 221 Tries to harvest and steal browser information (history, passwords, etc) 71->221 223 Antivirus detection for dropped file 75->223 225 Multi AV Scanner detection for dropped file 75->225 227 Creates an undocumented autostart registry key 75->227 229 Machine Learning detection for dropped file 75->229 79 schtasks.exe 75->79         started        signatures21 process22 process23 81 conhost.exe 79->81         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b928d37ab77db12ed05e85b0eb21829639369b27dccaf37ddbd056c9457f7319
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b928d37ab77db12ed05e85b0eb21829639369b27dccaf37ddbd056c9457f7319/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-19 19:06:00 UTC
File Type:
PE (Exe)
Extracted files:
66
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xeung6vxpwys5uc6qwyowimcsy4tngzh3tfpg7o32blmsrl7ommq._file
Verdict:
unknown
Similar samples:
0f3d5594200f4cd0b3945bb7cc68ca39a73c0afbc5c443e585bd0fbafafe230c
RedLineStealer
3d3256f59de5264a0ee38f599f027aafe6084cfa561978a68d9d956067466f7b
RedLineStealer
42d5c8af3500e1d4979045b84efe4fe7f901e8b5bcdb46a0a8ef9e2fcb7320ef
RedLineStealer
486271a3873f946e14f5662e2498d75c29323402c778bdf6ce0905b37619fc3a
RedLineStealer
50ca2730d4feb93b8d6cf986a86b34912d83c10dd7d7259d3538d415c904af73
RedLineStealer
668fc345d9de1f0e519e5e9309b520ca10af01081e45a58d13380ae3ee38bedd
RedLineStealer
82bf998ee07f0549a68b9904d760f7b0fd47ee68f08a59a26de171b6dc8ea3db
RedLineStealer
ce654e4934dd045ce89e801a081bfcdcb7a3d6acef665da960daedc13c9557d1
RedLineStealer
f196e69cb49c0c71535746085983f00f8006a2df7c74a177cf6cb30c601eaaf5
RedLineStealer
+ 202 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:smokeloader family:zgrat botnet:666 botnet:@oleh_ps backdoor collection discovery evasion infostealer persistence rat spyware stealer themida trojan
Link:
https://tria.ge/reports/231222-bms4labeen/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect Lumma Stealer payload V4
Detect ZGRat V1
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
http://5.42.65.125
176.123.7.190:32927
185.172.128.33:38294
195.20.16.103:18305
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/78f78b97-d160-40bf-9459-506fb17a0964/
SH256 hash:
b928d37ab77db12ed05e85b0eb21829639369b27dccaf37ddbd056c9457f7319
MD5 hash:
05d226f9416143d089de0dfcf50c2c44
SHA1 hash:
482d0e365455c43864730d85feb28e390d7b3d99
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/78f78b97-d160-40bf-9459-506fb17a0964/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b928d37ab77db12ed05e85b0eb21829639369b27dccaf37ddbd056c9457f7319

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/468892/

Comments