MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba
SHA3-384 hash: 3043ad07e2d09becc6ba234c9a18100763dbd513d2fbe8818296d57312280a03002483fc31bf7a42e3bf49082221fe45
SHA1 hash: d395b8f652ca727083063f299945e5db7d38bcdd
MD5 hash: 89e1a7d36faf083338491d57b77c733b
humanhash: don-rugby-magazine-uranus
File name:89e1a7d36faf083338491d57b77c733b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'067'008 bytes
First seen:2023-11-10 18:26:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:Hy2Ft/Hf7fcKPDrLJSUIaeSIs6CiGmagDGu3SzxSsv80bLtnku:SQcANRxepnrGeZitSsU0v
Threatray 403 similar samples on MalwareBazaar
TLSH T145352303AED8D4A3E9F153B02CFA424B0235BC616D78932F7656642F9DA3EA17534336
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.42.92.51:19057

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Disabler-10009781-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
Searching for the window
DNS request
Sending a custom TCP request
Behavior that indicates a threat
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer greyware installer lolbin lolbin packed remote rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/654e75f7993fbf888b6ebb27/reports/922a76cf-f90d-4cc1-a584-ac9ebc07543a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3ec6de5-0efe-4b75-bcd6-77efc4cdc0ff
Result
Threat name:
Glupteba, Mystic Stealer, Raccoon Steale
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1340831
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Stop multiple services
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Glupteba
Yara detected Mystic Stealer
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1340831 Sample: xiM4eleLIL.exe Startdate: 10/11/2023 Architecture: WINDOWS Score: 100 205 Found malware configuration 2->205 207 Malicious sample detected (through community Yara rule) 2->207 209 Antivirus detection for URL or domain 2->209 211 18 other signatures 2->211 13 xiM4eleLIL.exe 1 4 2->13         started        16 rundll32.exe 2->16         started        18 rundll32.exe 2->18         started        process3 file4 129 C:\Users\user\AppData\Local\...\cn6EL64.exe, PE32 13->129 dropped 131 C:\Users\user\AppData\Local\...\7Yv6bs92.exe, PE32 13->131 dropped 20 cn6EL64.exe 1 4 13->20         started        process5 file6 103 C:\Users\user\AppData\Local\...\yS6eV55.exe, PE32 20->103 dropped 105 C:\Users\user\AppData\Local\...\3zL92FG.exe, PE32 20->105 dropped 213 Antivirus detection for dropped file 20->213 215 Machine Learning detection for dropped file 20->215 24 3zL92FG.exe 20->24         started        27 yS6eV55.exe 1 4 20->27         started        signatures7 process8 file9 217 Antivirus detection for dropped file 24->217 219 Multi AV Scanner detection for dropped file 24->219 221 Machine Learning detection for dropped file 24->221 225 4 other signatures 24->225 30 explorer.exe 24->30 injected 125 C:\Users\user\AppData\Local\...\2uA1755.exe, PE32 27->125 dropped 127 C:\Users\user\AppData\Local\...\1oq47Kk4.exe, PE32 27->127 dropped 223 Binary is likely a compiled AutoIt script file 27->223 35 2uA1755.exe 1 27->35         started        37 1oq47Kk4.exe 12 27->37         started        signatures10 process11 dnsIp12 157 103.152.79.123 TWIDC-AS-APTWIDCLimitedHK unknown 30->157 159 185.229.66.214 SUPERSERVERSDATACENTERRU Russian Federation 30->159 161 8 other IPs or domains 30->161 133 C:\Users\user\AppData\Roaming\hvtiajf, PE32 30->133 dropped 135 C:\Users\user\AppData\Local\Temp\FF7D.exe, PE32+ 30->135 dropped 137 C:\Users\user\AppData\Local\Temp\F8B.exe, PE32 30->137 dropped 139 5 other malicious files 30->139 dropped 173 System process connects to network (likely due to code injection or exploit) 30->173 175 Benign windows process drops PE files 30->175 177 Adds a directory exclusion to Windows Defender 30->177 179 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->179 39 3E9C.exe 30->39         started        43 FF7D.exe 30->43         started        45 778F.exe 30->45         started        56 4 other processes 30->56 181 Multi AV Scanner detection for dropped file 35->181 183 Machine Learning detection for dropped file 35->183 185 Contains functionality to inject code into remote processes 35->185 193 3 other signatures 35->193 47 AppLaunch.exe 12 35->47         started        50 conhost.exe 35->50         started        187 Binary is likely a compiled AutoIt script file 37->187 189 Found API chain indicative of sandbox detection 37->189 191 Contains functionality to modify clipboard data 37->191 52 chrome.exe 9 37->52         started        54 chrome.exe 37->54         started        58 8 other processes 37->58 file13 signatures14 process15 dnsIp16 113 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 39->113 dropped 115 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 39->115 dropped 117 C:\Users\user\AppData\...\InstallSetup5.exe, PE32 39->117 dropped 119 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 39->119 dropped 227 Antivirus detection for dropped file 39->227 229 Multi AV Scanner detection for dropped file 39->229 231 Machine Learning detection for dropped file 39->231 233 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->233 60 toolspub2.exe 39->60         started        63 31839b57a4f11171d6abc8bbc4451ee4.exe 39->63         started        70 4 other processes 39->70 121 C:\Users\user\...\ViCfBEvyTKwhmmK.data, PE32 43->121 dropped 123 C:\Users\user\...\KdeqnJzcFnRlIXL.data, PE32 43->123 dropped 235 Writes to foreign memory regions 43->235 237 Allocates memory in foreign processes 43->237 239 Injects a PE file into a foreign processes 43->239 65 jsc.exe 43->65         started        73 2 other processes 45->73 163 5.42.92.88 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 47->163 241 Tries to delay execution (extensive OutputDebugStringW loop) 47->241 165 192.168.2.5 unknown unknown 52->165 167 239.255.255.250 unknown Reserved 52->167 75 3 other processes 52->75 68 chrome.exe 54->68         started        169 194.49.94.80 EQUEST-ASNL unknown 56->169 171 194.49.94.11 EQUEST-ASNL unknown 56->171 243 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 56->243 245 Found many strings related to Crypto-Wallets (likely being stolen) 56->245 247 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 56->247 77 5 other processes 56->77 79 8 other processes 58->79 file17 signatures18 process19 dnsIp20 249 Multi AV Scanner detection for dropped file 60->249 251 Detected unpacking (changes PE section rights) 60->251 253 Machine Learning detection for dropped file 60->253 255 Injects a PE file into a foreign processes 60->255 81 toolspub2.exe 60->81         started        257 Detected unpacking (overwrites its own PE header) 63->257 259 Found Tor onion address 63->259 261 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 63->261 84 cmd.exe 63->84         started        141 194.169.175.235 CLOUDCOMPUTINGDE Germany 65->141 263 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 65->263 265 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 65->265 267 Tries to harvest and steal browser information (history, passwords, etc) 65->267 269 Tries to steal Crypto Currency Wallets 65->269 86 chrome.exe 65->86         started        107 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 70->107 dropped 109 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 70->109 dropped 111 C:\Windows\System32\drivers\etc\hosts, ASCII 70->111 dropped 271 Modifies the hosts file 70->271 273 Adds a directory exclusion to Windows Defender 70->273 88 Broom.exe 70->88         started        143 91.103.252.114 HOSTGLOBALPLUS-ASRU Russian Federation 73->143 145 104.244.42.129 TWITTERUS United States 75->145 147 104.244.42.194 TWITTERUS United States 75->147 149 73 other IPs or domains 75->149 file21 signatures22 process23 signatures24 195 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 81->195 197 Maps a DLL or memory area into another process 81->197 199 Checks if the current machine is a virtual machine (disk enumeration) 81->199 201 Creates a thread in another existing process (thread injection) 81->201 90 fodhelper.exe 84->90         started        92 conhost.exe 84->92         started        94 fodhelper.exe 84->94         started        96 fodhelper.exe 84->96         started        98 chrome.exe 86->98         started        203 Multi AV Scanner detection for dropped file 88->203 process25 dnsIp26 101 31839b57a4f11171d6abc8bbc4451ee4.exe 90->101         started        151 142.250.69.205 GOOGLEUS United States 98->151 153 142.251.215.228 GOOGLEUS United States 98->153 155 142.251.33.68 GOOGLEUS United States 98->155 process27
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-10 18:27:06 UTC
File Type:
PE (Exe)
Extracted files:
137
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2swu5lari3dt6rfxx4s7gnlkpdkxmsrqbgmlxdfi6tfs36ol3k5a._file
Verdict:
malicious
Similar samples:
37904ac37e91e0497936159fbbcd48749ec2b7ea742e3a44fe4e00db2507b402
RedLineStealer
bbfe892212b563f55273825e83c4e719e3fd408fdc609760223d1ca501f1e3eb
RedLineStealer
c8b64075c0adb0e6c348c6d3253ed3905df2b13fc181298f506faa4d4a909646
RedLineStealer
d66c7e5d68d7039128db1c7eb6a0275fc869e1f25e9dbcd553ca05bc637e4391
RedLineStealer
ea8ecda6aaf0a6560b614a46a33112caf8ab6404be64ced23fa202737ddbacbf
RedLineStealer
fc7c58fa31dde1fe7f032f4be560539a14130dd0ce74c06825d455d77e016165
RedLineStealer
+ 393 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:mystic family:raccoon family:redline family:sectoprat family:smokeloader botnet:23545d68ee8b777ffd2f74f9eb99e145 botnet:@ytlogsbot botnet:pixelnew2.0 botnet:taiga botnet:up3 backdoor brand:paypal dropper evasion infostealer loader persistence phishing rat spyware stealer trojan upx
Link:
https://tria.ge/reports/231110-w3qzdscc8x/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
AutoIT Executable
Detected potential entity reuse from brand paypal.
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Detect Mystic stealer payload
Glupteba
Glupteba payload
Mystic
Raccoon
Raccoon Stealer payload
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://5.42.92.190/fks/index.php
5.42.92.51:19057
194.49.94.11:80
194.169.175.235:42691
http://91.103.252.114:80/
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
6890b449c8af1d7a52fc7f7bc4165e92ba1117afff53d7b72fca54cdc4f69b7e
MD5 hash:
afbc75b2d7befe994189d27db31a3b45
SHA1 hash:
19f0ae0df2c306a668650c2934306b322a1228e1
Link:
https://www.unpac.me/results/ad84f418-6a5d-4a0f-b140-9534e48695e8/
SH256 hash:
46d73000badea343d2cb0847c368847c37606303018f3c4978d01873e0b4fb82
MD5 hash:
91df744d778858b578e9e1200e3644ae
SHA1 hash:
0ad8bc6a8b89368b135918e95f1e6b49150192f1
Link:
https://www.unpac.me/results/ad84f418-6a5d-4a0f-b140-9534e48695e8/
Parent samples :
dd49ae56ccd5824fe4f6b62ed6b3b3466a40e56163c23adee63b9b26d96b09c5
afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733
3e7af42c2132ad7ca46675fcc364bbfff19ed9a9b6e7c1416215334bcc1e6a27
30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c
SH256 hash:
8ecb53e21239643477dbf5310c727cc6b84f1ea644d52da28ebc615a35d76af4
MD5 hash:
ee835361285a97c6a09826404d5d7285
SHA1 hash:
28598f6d0c9a94e29d989087fecc0ce90c62befc
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/ad84f418-6a5d-4a0f-b140-9534e48695e8/
Parent samples :
68cdb9386a731d632b95fa312510d802ea16e1faad66411795e2b407c19809c0
71334cb3df06b322134688d24e5b8620d691a38ac42d72c5c0071b3de563fcb4
2a18f4184897d97d571bae0e6f246e458b7773e32effe335b08beb717e641ce0
b830ed49662218ce0830fdd8018ef7730ff47a725c68c792b1199fad6f0a96db
d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba
81b156ce5e3c46a2c484bb746dbb3e99265e26f94c64df933f4f27c6548ebe62
b5b6dfb221365b25f9343b8b1f7d5779eaa1cb489a15508852d5f9227a6a91de
a06acba515844903c5d524ea8ac8b1ea0115b1cf5c6516eabb4ecdd51934183f
981e42945b27742a2ef21acaeb4f0985ac83e484671e7bedd2dc071e0c4af62f
b13a42c56d5e32f437619f4331055b58d88da9d7ca85faeb55152ac349f23954
bf747d7d7e3824b80a05d2988b5163729fb1b8c280f4ea5e2d638ab421f5c9d4
72f29919f78f53956692e212fe8bbff32e153e88a93ec3aa72576e5b440a2f85
7c948da84e336ddde18db89ad5bd132002e9393abb5c614d1d74c2005e358b36
3455690561867bf0046352f788d3ff43673d0f093118f3de1c6e0f7bcfb8d3e6
30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c
SH256 hash:
7e0b0e20c59f429e1767aa431bc47aaafcf5765dd4b43e135b361d9b1136cdde
MD5 hash:
b680bf24df1a02d58add5c8671fdcefe
SHA1 hash:
b1040563c03d1908ee2e44a376ffd5edf385bcb6
Link:
https://www.unpac.me/results/ad84f418-6a5d-4a0f-b140-9534e48695e8/
SH256 hash:
d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba
MD5 hash:
89e1a7d36faf083338491d57b77c733b
SHA1 hash:
d395b8f652ca727083063f299945e5db7d38bcdd
Link:
https://www.unpac.me/results/ad84f418-6a5d-4a0f-b140-9534e48695e8/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4ad4eac1146/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Check_Debugger
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d4ad4eac1146c73f44b7bf25f3356a78d5764a300998bb8ca8f4cb2df9cbdaba

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2729439/
  
Delivery method
Distributed via web download

Comments