MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718
SHA3-384 hash: 29b7263f5034dc77fce2a7e388e485f3e878551360b177884d56a74d6869eb33c62c0f824b4dc1b6c7f84038620c8d6c
SHA1 hash: 3992584fb9c29fc84f41f35ebca4bec27014c708
MD5 hash: b62cbe2a191fee2243c8c28150ec777f
humanhash: romeo-mexico-london-pasta
File name:XO0UY05.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:808'448 bytes
First seen:2023-12-11 07:09:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:NMrAy90YN8degBdF/RIqaSVJ3zQFo/DiK+BZhzSLU2qQCNQmhZNysBG:pyF8dTBd9baS7QW7lkzSFuCyyss
TLSH T1BA052213BBD88432DDB027B009F707431B36BDE29978876B6BC599861CB3B94547633A
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter ukycircle
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
8e782ef613f5ac65f52cdd8cf316acbf.exe
Verdict:
Malicious activity
Analysis date:
2023-12-11 03:52:23 UTC
Tags:
risepro stealer evasion loader smoke smokeloader
Link:
https://app.any.run/tasks/b3a393ed-0b4a-43ea-8d6a-420098dbc1c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/464956/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a process
Launching a service
DNS request
Sending a custom TCP request
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm CAB control crypto explorer fingerprint greyware installer lolbin lolbin monero packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6576b5cc56d08f7811ae4e31/reports/4ee01272-640f-44dc-b4e0-a53ecb0af5ba/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9f1ba76c-03cc-428e-b2f6-6fdebde689dd
Result
Threat name:
Glupteba, LummaC Stealer, PrivateLoader,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1358150
Signature
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1358150 Sample: XO0UY05.exe Startdate: 11/12/2023 Architecture: WINDOWS Score: 100 109 ipinfo.io 2->109 137 Snort IDS alert for network traffic 2->137 139 Multi AV Scanner detection for domain / URL 2->139 141 Found malware configuration 2->141 143 16 other signatures 2->143 10 XO0UY05.exe 1 4 2->10         started        13 OfficeTrackerNMP131.exe 10 501 2->13         started        16 OfficeTrackerNMP131.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 file5 103 C:\Users\user\AppData\Local\...\4uZ060Ph.exe, PE32 10->103 dropped 105 C:\Users\user\AppData\Local\...\1VN46DW0.exe, PE32 10->105 dropped 20 4uZ060Ph.exe 10->20         started        23 1VN46DW0.exe 11 508 10->23         started        107 C:\...\vPhF22F59KwQyeUbJ9werPJIXjt6EIxi.zip, Zip 13->107 dropped 165 Antivirus detection for dropped file 13->165 167 Multi AV Scanner detection for dropped file 13->167 169 Tries to steal Mail credentials (via file / registry access) 13->169 179 4 other signatures 13->179 27 WerFault.exe 13->27         started        171 Disables Windows Defender (deletes autostart) 16->171 173 Tries to harvest and steal browser information (history, passwords, etc) 16->173 175 Exclude list of file types from scheduled, custom, and real-time scanning 16->175 29 WerFault.exe 16->29         started        177 Machine Learning detection for dropped file 18->177 31 WerFault.exe 18->31         started        33 WerFault.exe 18->33         started        35 WerFault.exe 18->35         started        signatures6 process7 dnsIp8 145 Multi AV Scanner detection for dropped file 20->145 147 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->147 149 Maps a DLL or memory area into another process 20->149 157 2 other signatures 20->157 37 explorer.exe 20->37 injected 117 193.233.132.51, 49708, 49709, 49710 FREE-NET-ASFREEnetEU Russian Federation 23->117 119 ipinfo.io 34.117.59.81, 443, 49711, 49712 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 23->119 95 C:\Users\user\AppData\...\FANBooster131.exe, PE32 23->95 dropped 97 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 23->97 dropped 99 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 23->99 dropped 101 2 other malicious files 23->101 dropped 151 Tries to steal Mail credentials (via file / registry access) 23->151 153 Found stalling execution ending in API Sleep call 23->153 155 Disables Windows Defender (deletes autostart) 23->155 159 6 other signatures 23->159 42 schtasks.exe 1 23->42         started        44 schtasks.exe 1 23->44         started        46 WerFault.exe 23->46         started        file9 signatures10 process11 dnsIp12 113 185.172.128.19, 49736, 80 NADYMSS-ASRU Russian Federation 37->113 115 81.19.131.34, 49735, 80 IVC-ASRU Russian Federation 37->115 87 C:\Users\user\AppData\Local\Temp1E1.exe, PE32 37->87 dropped 89 C:\Users\user\AppData\Local\Temp\3C0B.exe, PE32 37->89 dropped 91 C:\Users\user\AppData\Local\Temp\34A7.exe, PE32 37->91 dropped 93 2 other malicious files 37->93 dropped 161 System process connects to network (likely due to code injection or exploit) 37->161 163 Benign windows process drops PE files 37->163 48 1556.exe 37->48         started        52 218C.exe 37->52         started        55 34A7.exe 37->55         started        57 E1E1.exe 37->57         started        59 conhost.exe 42->59         started        61 conhost.exe 44->61         started        file13 signatures14 process15 dnsIp16 73 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 48->73 dropped 75 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 48->75 dropped 77 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 48->77 dropped 81 2 other malicious files 48->81 dropped 121 Antivirus detection for dropped file 48->121 123 Multi AV Scanner detection for dropped file 48->123 125 Machine Learning detection for dropped file 48->125 63 31839b57a4f11171d6abc8bbc4451ee4.exe 48->63         started        66 toolspub2.exe 48->66         started        68 tuc3.exe 48->68         started        71 2 other processes 48->71 111 176.123.7.190 ALEXHOSTMD Moldova Republic of 52->111 127 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->127 129 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->129 131 Tries to harvest and steal browser information (history, passwords, etc) 52->131 133 Tries to steal Crypto Currency Wallets 52->133 79 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 55->79 dropped 135 Sample uses process hollowing technique 55->135 file17 signatures18 process19 file20 181 Antivirus detection for dropped file 63->181 183 Multi AV Scanner detection for dropped file 63->183 185 Detected unpacking (changes PE section rights) 63->185 191 3 other signatures 63->191 187 Sample uses process hollowing technique 66->187 189 Injects a PE file into a foreign processes 66->189 83 C:\Users\user\AppData\Local\Temp\...\tuc3.tmp, PE32 68->83 dropped 85 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 71->85 dropped signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 03:51:05 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
19 of 22 (86.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxkduhccaiemwjhy3d2fmryqpgck2vkhjw2v7yho4stqyhpo44ma._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:redline family:risepro family:smokeloader botnet:@oleh_ps botnet:livetraffic botnet:up3 backdoor collection discovery evasion infostealer loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/231211-hzc2gagber/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Modifies Windows Firewall
PrivateLoader
RedLine
RedLine payload
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
77.105.132.87:6731
176.123.7.190:32927
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
fc3e7e13b86b49af3b45bbba34e58a2167715a33f0eade6020c7c55663aea34b
MD5 hash:
36930c536c2a81c68839a4f0a02e683c
SHA1 hash:
87afbc08b78894bf5e7ded12b5ae0eba2e6ea86c
Link:
https://www.unpac.me/results/50e865e3-deea-4950-b939-d69bd5be641e/
SH256 hash:
e650797807defd666edd24d869018bbadc161098b9fd7753e059c673fba97ffc
MD5 hash:
bc8695645b18a870be0417c65d4c882b
SHA1 hash:
591f3ef23f040a25d48b01bfcc79b64d386a7a6a
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/50e865e3-deea-4950-b939-d69bd5be641e/
Parent samples :
dacf04a6064ab88cefee0ad303e750a28986b565157c0eb19d01cc20ab33ec1d
cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718
SH256 hash:
cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718
MD5 hash:
b62cbe2a191fee2243c8c28150ec777f
SHA1 hash:
3992584fb9c29fc84f41f35ebca4bec27014c708
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/50e865e3-deea-4950-b939-d69bd5be641e/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cdd43a1c4202/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/464956/

Comments