MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3011742cf88e94ef8c9c6e6c9b6aa14e15fceb4eae2b2677e57e4123bb1ef4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3011742cf88e94ef8c9c6e6c9b6aa14e15fceb4eae2b2677e57e4123bb1ef4b
SHA3-384 hash: 78131e88687b3cf21dbf59a38aca5a9c0e9925d7cd45e9f4cb2b165bb2fbe51310642da427c31b8d92d22a175bcb2f29
SHA1 hash: 769f701c46c99b0bf886d4474aa0a649e21d0cc8
MD5 hash: 34e405f5099eac8086c14c5b377889eb
humanhash: island-spaghetti-bluebird-washington
File name:34e405f5099eac8086c14c5b377889eb.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:374'272 bytes
First seen:2023-01-04 17:10:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 85c125029c36db6aaac2403f54b79e02 (6 x RedLineStealer, 4 x Smoke Loader, 1 x DanaBot)
ssdeep 3072:xiXyvqLUvSPh/p5tpJYmCNAqNEyLmp1rBSK8jdA4upFldiLLk44pBH+EPWlE0Yj9:UNLUv2/Jf1Cu0pkQKoxupmL1q+EcojT
Threatray 5'644 similar samples on MalwareBazaar
TLSH T1B884BF21B266BBA3EB13C53D491DCBD637AD78608624D60E2358155F3EF0BA4817E93C
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 7cfc94b494949cc0 (4 x RedLineStealer, 1 x Gozi, 1 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.65.134.165:55673

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
34e405f5099eac8086c14c5b377889eb.exe
Verdict:
Malicious activity
Analysis date:
2023-01-04 17:12:41 UTC
Tags:
trojan loader smoke
Link:
https://app.any.run/tasks/100312ce-9a21-4bc8-943d-74f778fa9119

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349447/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63b5b3290e926711fd76e257/reports/0889f6c8-8777-4cb4-85bc-c768b1440bc1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c45eed8-d507-4d48-8d29-646b0b58e281
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145227
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 777959 Sample: c3gsFCRXB9.exe Startdate: 04/01/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 9 other signatures 2->50 7 c3gsFCRXB9.exe 2->7         started        10 iugtwre 2->10         started        process3 signatures4 52 Detected unpacking (changes PE section rights) 7->52 54 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->54 56 Maps a DLL or memory area into another process 7->56 60 2 other signatures 7->60 12 explorer.exe 8 7->12 injected 58 Machine Learning detection for dropped file 10->58 process5 dnsIp6 32 vatra.at 175.126.109.15, 49698, 49699, 49700 SKB-ASSKBroadbandCoLtdKR Korea Republic of 12->32 34 degroeneuitzender.nl 5.135.247.111, 443, 49704 OVHFR France 12->34 36 6 other IPs or domains 12->36 24 C:\Users\user\AppData\Roaming\iugtwre, PE32 12->24 dropped 26 C:\Users\user\AppData\Local\Temp\F8A5.exe, PE32 12->26 dropped 28 C:\Users\user\AppData\Local\Temp\DC4.exe, PE32 12->28 dropped 30 2 other malicious files 12->30 dropped 62 System process connects to network (likely due to code injection or exploit) 12->62 64 Benign windows process drops PE files 12->64 66 Deletes itself after installation 12->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->68 17 747E.exe 12->17         started        20 F8A5.exe 12->20         started        22 DC4.exe 12->22         started        file7 signatures8 process9 signatures10 38 Antivirus detection for dropped file 17->38 40 Multi AV Scanner detection for dropped file 17->40 42 Machine Learning detection for dropped file 17->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3011742cf88e94ef8c9c6e6c9b6aa14e15fceb4eae2b2677e57e4123bb1ef4b/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2023-01-04 17:16:33 UTC
File Type:
PE (Exe)
Extracted files:
90
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2maroqwprduu56gjy3tmtnvkctqv7tvu5lrlez36k7sbeo5r55fq._file
Verdict:
malicious
Similar samples:
086b7030ebbf0f41b8dc943c97e408c7ad56648362838012c3ebae4c9352437d
RedLineStealer
234311a98ef272ea9a66272eaadaeb49f118eee9b7ebc518aa481bb079032531
RedLineStealer
26bf41e843a6cf0c073286c97c0a840836005fd1ad81013fb0e4d826e4915176
RedLineStealer
6ee6e62727c52fe662284978117cecb7d4b62628a8e48bc0a51dda6c40c8ee75
RedLineStealer
a7a86feba39d56914b320770c63b2d59a2187d797fd7c46f0962a174dc1551f6
RedLineStealer
b138115dee877cf4029ba6a224bc2ed3daeaa6d31b2f9a6bce98ecb49cbf5217
RedLineStealer
c120a9b0f22236ec372ce1745b087a08ae494d138b2cb864bef7c660aee7afb9
RedLineStealer
c516fc3286df7ec543273f5cce533a9d356c56ab014c2d92337ba420712da32c
RedLineStealer
eb12ebce19f49f6acf5874bbfc2892c1ca0b7d2ca9b06476d6bc944c4f555e7f
RedLineStealer
fbcfad978fc7ff59912a00a53c28b78564a46e31c582d5d3f51fbd06f0bbb913
RedLineStealer
+ 5'634 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/230104-vqaafagh87/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
SmokeLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ed226700-59de-4b91-b4b3-dc0a6e872ed6
Unpacked files
SH256 hash:
6068910718476b25f80759a5fcf74a2bd9a8baf454e62c0b29098119b3ed8d00
MD5 hash:
f037f0beb48c2ce39a25cb97f570bd28
SHA1 hash:
f850c07e43c36274f1fef85afe8c1a815033377f
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/af03cc0c-82b9-441d-852d-23214aae4e54/
Parent samples :
452591ae6a291b486e7e73be69f40cc62a0d9c4ab18e4d2369a0c6064be2604a
77467614ff0ccab1245707fb61c452840fb269c30e1513f38ea316c2e97fcea4
98ed8d8b7da808d3f413b02a49c8dc1cbe0cff43105730aa9c280fb9d647e880
d1010aa6d09bbbb2078f534dbe7e3173fd3eeb3ddc69beb121c15ed0c6b71608
fbbeaa1e952007ae67e981d3ba3b282e260dba293a2250a7756c2ba4f27ba3aa
280d80b8bdf7ad08789ae9bf65c03111daf5e6675be66671a669c85131dc08ad
91ffb6f744a4dd0b5dd947d79bde9320493bf93674f90899cd3ae3b2640e8604
e89edeca7e6e850954744ea09cafb469c6013286dac007872833d93e5c1a69ed
8a0329a75d7e5f2e3773ca76c37812c664de4695d651f375bf44c7fc6d1f420a
b020583bc9ff724a5e1ead0cd9cf6b8941b688c9c71fbef11c9db98b466a2d83
7b3357fdb88277d16f5000c26779820155feabe5dbae02431e1266928dea9b8a
d3011742cf88e94ef8c9c6e6c9b6aa14e15fceb4eae2b2677e57e4123bb1ef4b
72c829651d217d09c19475e5d1a8014643383679c63841b28bdb6ae8a4dd6b1a
dfe1e48b455de83cefc432a7eea41f5db451c2635ad3cd763d80c7594160c4b6
5948839447e34fea2d341be03c6263d49ce266ca690074a369d906cb79036140
SH256 hash:
d3011742cf88e94ef8c9c6e6c9b6aa14e15fceb4eae2b2677e57e4123bb1ef4b
MD5 hash:
34e405f5099eac8086c14c5b377889eb
SHA1 hash:
769f701c46c99b0bf886d4474aa0a649e21d0cc8
Link:
https://www.unpac.me/results/af03cc0c-82b9-441d-852d-23214aae4e54/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3011742cf88/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3011742cf88e94ef8c9c6e6c9b6aa14e15fceb4eae2b2677e57e4123bb1ef4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d3011742cf88e94ef8c9c6e6c9b6aa14e15fceb4eae2b2677e57e4123bb1ef4b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2432863/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349447/

Comments