MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd03c4fca5313ff02b2cdeccab3b90ef0c51a6a6122cc7c0e92629f9197b0dae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13


SHA256 hash: dd03c4fca5313ff02b2cdeccab3b90ef0c51a6a6122cc7c0e92629f9197b0dae
SHA3-384 hash: 76e487b4f55f7f574797835c7dbd70604a19b4082fc44a8f88d2b5f701d2c5de953d42f0e67ede5d4304acc55ade3cd6
SHA1 hash: 4835a4d3a7b3dbabaaa0e5823dfd100d30731ef5
MD5 hash: c016f87a9194278bfeb85115ca640016
humanhash: rugby-wyoming-indigo-thirteen
File name: c016f87a9194278bfeb85115ca640016
Signature: RedLineStealer
File size: 2'694'656 bytes
First seen: 2023-12-06 23:18:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 49152:BkV3O2+4c61WcT6szwdZchgfbYVbVeuWnwL3GV8wUOBlU/8XPoUqknsE6:+3OF4VccuOKMSuWnG3GV8wUUlUu8h
TLSH: T17DC5332B9BC54176E6392B709AF2074B2A39FDE48629463F0782E1144C73790A973B77
TrID:
  41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 341
Origin country: FR
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
Creating a file
Launching a process
Replacing files
Launching a service
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 91%
Tags: advpack anti-vm autoit CAB control explorer greyware installer keylogger lolbin packed rundll32 setupapi sfx shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC Stealer, PrivateLoader, PureLog S
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 1355028, Sample: 3DmdxH8ksO.exe, Startdate: 07/12/2023, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2023-12-06 23:19:05 UTC
File Type: PE (Exe)
Extracted files: 175
AV detection: 18 of 23 (78.26%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: smokeloader
Score: 10/10
Tags: family:privateloader family:risepro family:smokeloader backdoor collection discovery loader persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files

SHA256 hash: 8b74945ba3781ddc1aa09c53edfabe62d55da4c0f72f95ab6068012f4f5ab459
MD5 hash: 0d4e95c5dea49b60608caffca27cfe6b
SHA1 hash: 95245c52c2e35ae5266d43f96fbd4acef2665313
Detections: win_smokeloader_a2

SHA256 hash: 4b9095b4f390371b9dd2885ae1c9d01388d993032f6abdd13d62fff9578f8b5f
MD5 hash: 2d2f649e017d3355adeca7db425279db
SHA1 hash: 581eefdefdd632003528464af2fa8de5ba4e9438

SHA256 hash: dd03c4fca5313ff02b2cdeccab3b90ef0c51a6a6122cc7c0e92629f9197b0dae
MD5 hash: c016f87a9194278bfeb85115ca640016
SHA1 hash: 4835a4d3a7b3dbabaaa0e5823dfd100d30731ef5
Detections: win_redline_wextract_hunting_oct_2023
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature      | File
Web download    | RedLineStealer | Executable exe dd03c4fca5313ff02b2cdeccab3b90ef0c51a6a6122cc7c0e92629f9197b0dae (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-12-06 23:18:31 UTC

url: hxxp://109.107.182.45/red/line.exe