MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0874f67d25b8201be2e54e25b86ca832c47bdd147a812105c7614c2694707e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0874f67d25b8201be2e54e25b86ca832c47bdd147a812105c7614c2694707e4
SHA3-384 hash: a2a88a8b0dc3af402c6d834d5ca015dd8306fd6c6857d60d9e3ff5ec7e2ca82b776ca622ce352bb0ad9d79d80ece4e07
SHA1 hash: af9c8350c84b451f24a506ec8dc1a1c563047478
MD5 hash: db5d967f0ac8d0d4dec7a7fab21fa611
humanhash: golf-potato-vegan-delaware
File name:db5d967f0ac8d0d4dec7a7fab21fa611.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'792'960 bytes
First seen:2023-12-09 11:50:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:sW1MYl3TyNiJJvy110lDXrfnxlG92HI50S4eB6+LkGQB7lQqOaPHf9xxPR5T/:RMYljz88lnfnxZ/3egvha9Qf95
TLSH T126D53369E1E4A4B0E6FD27B154BE42DF0F737CAA5468979B5BC0CACB08BA6401530337
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
77.105.132.87:20104

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463980/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Launching a process
Replacing files
Launching a service
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Forced system process termination
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
91%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer installer keylogger lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657454a7bb9490c89ccbddde/reports/e5c7ffeb-5a36-4650-8622-7eb6a1942e89/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f0874f67d25b8201be2e54e25b86ca832c47bdd147a812105c7614c2694707e4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19a26f79-e96e-46be-a935-9d446342a24f
Result
Threat name:
PrivateLoader, RedLine, RisePro Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356887
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1356887 Sample: ae6r1Pwu4b.exe Startdate: 09/12/2023 Architecture: WINDOWS Score: 100 130 runeelite.com 2->130 132 ipinfo.io 2->132 150 Multi AV Scanner detection for domain / URL 2->150 152 Malicious sample detected (through community Yara rule) 2->152 154 Antivirus detection for URL or domain 2->154 156 11 other signatures 2->156 13 ae6r1Pwu4b.exe 1 4 2->13         started        17 OfficeTrackerNMP131.exe 10 501 2->17         started        19 OfficeTrackerNMP131.exe 2->19         started        21 11 other processes 2->21 signatures3 process4 file5 124 C:\Users\user\AppData\Local\...\DY3AG56.exe, PE32 13->124 dropped 126 C:\Users\user\AppData\Local\...\6xF4Dk5.exe, PE32 13->126 dropped 190 Binary is likely a compiled AutoIt script file 13->190 23 DY3AG56.exe 1 4 13->23         started        192 Antivirus detection for dropped file 17->192 194 Multi AV Scanner detection for dropped file 17->194 196 Detected unpacking (changes PE section rights) 17->196 208 6 other signatures 17->208 27 WerFault.exe 17->27         started        128 C:\...\5zi4zQXuAzeRbSiKNrvbHF77OGqhY3Pt.zip, Zip 19->128 dropped 198 Tries to steal Mail credentials (via file / registry access) 19->198 200 Disables Windows Defender (deletes autostart) 19->200 202 Tries to harvest and steal browser information (history, passwords, etc) 19->202 29 WerFault.exe 19->29         started        204 Detected unpacking (overwrites its own PE header) 21->204 206 Machine Learning detection for dropped file 21->206 31 WerFault.exe 21->31         started        33 WerFault.exe 21->33         started        35 WerFault.exe 21->35         started        37 3 other processes 21->37 signatures6 process7 file8 104 C:\Users\user\AppData\Local\...\Wc5rV82.exe, PE32 23->104 dropped 106 C:\Users\user\AppData\Local\...\5Uz1hG8.exe, PE32 23->106 dropped 180 Multi AV Scanner detection for dropped file 23->180 39 Wc5rV82.exe 1 4 23->39         started        signatures9 process10 file11 108 C:\Users\user\AppData\Local\...\TT0Mt22.exe, PE32 39->108 dropped 110 C:\Users\user\AppData\Local\...\4OT541xB.exe, PE32 39->110 dropped 182 Multi AV Scanner detection for dropped file 39->182 43 TT0Mt22.exe 1 4 39->43         started        signatures12 process13 file14 120 C:\Users\user\AppData\Local\...\3PF62dQ.exe, PE32 43->120 dropped 122 C:\Users\user\AppData\Local\...\1HF91xZ7.exe, PE32 43->122 dropped 188 Multi AV Scanner detection for dropped file 43->188 47 3PF62dQ.exe 43->47         started        50 1HF91xZ7.exe 11 508 43->50         started        54 Conhost.exe 43->54         started        signatures15 process16 dnsIp17 210 Multi AV Scanner detection for dropped file 47->210 212 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 47->212 214 Maps a DLL or memory area into another process 47->214 222 2 other signatures 47->222 56 explorer.exe 47->56 injected 134 ipinfo.io 34.117.59.81, 443, 49732, 49733 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 50->134 136 193.233.132.51, 49729, 49730, 49731 FREE-NET-ASFREEnetEU Russian Federation 50->136 92 C:\Users\user\AppData\...\FANBooster131.exe, PE32 50->92 dropped 94 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 50->94 dropped 96 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 50->96 dropped 98 2 other malicious files 50->98 dropped 216 Detected unpacking (changes PE section rights) 50->216 218 Detected unpacking (overwrites its own PE header) 50->218 220 Tries to steal Mail credentials (via file / registry access) 50->220 224 8 other signatures 50->224 61 schtasks.exe 1 50->61         started        63 schtasks.exe 1 50->63         started        65 WerFault.exe 50->65         started        file18 signatures19 process20 dnsIp21 142 185.196.8.238 SIMPLECARRER2IT Switzerland 56->142 144 185.172.128.19, 49754, 80 NADYMSS-ASRU Russian Federation 56->144 146 2 other IPs or domains 56->146 112 C:\Users\user\AppData\Local\Temp\F75D.exe, PE32 56->112 dropped 114 C:\Users\user\AppData\Local\Temp2CB.exe, PE32 56->114 dropped 116 C:\Users\user\AppData\Local\Temp\C3D8.exe, PE32+ 56->116 dropped 118 4 other malicious files 56->118 dropped 184 System process connects to network (likely due to code injection or exploit) 56->184 186 Benign windows process drops PE files 56->186 67 7026.exe 56->67         started        71 FANBooster131.exe 56->71         started        73 740F.exe 56->73         started        76 rundll32.exe 56->76         started        78 conhost.exe 61->78         started        80 conhost.exe 63->80         started        file22 signatures23 process24 dnsIp25 100 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 67->100 dropped 102 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 67->102 dropped 168 Multi AV Scanner detection for dropped file 67->168 170 Machine Learning detection for dropped file 67->170 82 File1.exe 67->82         started        86 File2.exe 67->86         started        88 conhost.exe 67->88         started        172 Detected unpacking (changes PE section rights) 71->172 174 Detected unpacking (overwrites its own PE header) 71->174 90 WerFault.exe 71->90         started        148 77.105.132.87 PLUSTELECOM-ASRU Russian Federation 73->148 176 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 73->176 178 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 73->178 file26 signatures27 process28 dnsIp29 138 176.123.10.211, 47430, 49755 ALEXHOSTMD Moldova Republic of 82->138 158 Multi AV Scanner detection for dropped file 82->158 160 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 82->160 162 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 82->162 164 Tries to steal Crypto Currency Wallets 82->164 140 176.123.7.190, 32927, 49756 ALEXHOSTMD Moldova Republic of 86->140 166 Tries to harvest and steal browser information (history, passwords, etc) 86->166 signatures30
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f0874f67d25b8201be2e54e25b86ca832c47bdd147a812105c7614c2694707e4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0874f67d25b8201be2e54e25b86ca832c47bdd147a812105c7614c2694707e4/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-09 11:51:05 UTC
File Type:
PE (Exe)
Extracted files:
219
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6cdu6z6slobadproktrfxbwkqmweppori6ubeec4oykme2kha7sa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor brand:paypal collection discovery loader persistence phishing spyware stealer trojan
Link:
https://tria.ge/reports/231209-n13leagbeq/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Detected potential entity reuse from brand paypal.
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
4b51c393104af7970c54b872bc91f1af6b89457e49f6d6df2c917e0111a18738
MD5 hash:
392cf6ddab6eced22a91245e612c777c
SHA1 hash:
8920bcee1bda44af19aa6a6f0373311dcceac6b1
Link:
https://www.unpac.me/results/3dc63588-8cfe-456f-9082-f2131e39be5c/
SH256 hash:
624c795b519c6287fd097876097913a6cc53c8e77cc98de0f072ba9af2be052b
MD5 hash:
14d7d4e2cbe1f33741f21e28d3c2c561
SHA1 hash:
5fff182bc642b5cb6fbedaa1b969ab2930d122f1
Link:
https://www.unpac.me/results/3dc63588-8cfe-456f-9082-f2131e39be5c/
SH256 hash:
d35d51b91ebbc729e0505edd70b92f825df3e3aea0403463f32a2d58e2a0c327
MD5 hash:
a9516468ca89ae0f45363c20d270bfe1
SHA1 hash:
374ec3dd952b1775093d518c97b5ac410c7ae54e
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/3dc63588-8cfe-456f-9082-f2131e39be5c/
Parent samples :
f0874f67d25b8201be2e54e25b86ca832c47bdd147a812105c7614c2694707e4
5f9b9f6e600ae49284ec4b3ad48276f5751ab12df2e338306b5430b29701cd10
SH256 hash:
f0874f67d25b8201be2e54e25b86ca832c47bdd147a812105c7614c2694707e4
MD5 hash:
db5d967f0ac8d0d4dec7a7fab21fa611
SHA1 hash:
af9c8350c84b451f24a506ec8dc1a1c563047478
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/3dc63588-8cfe-456f-9082-f2131e39be5c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f0874f67d25b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0874f67d25b8201be2e54e25b86ca832c47bdd147a812105c7614c2694707e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f0874f67d25b8201be2e54e25b86ca832c47bdd147a812105c7614c2694707e4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/463980/

Comments