MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f112a790538f94f49c62ff4a7d9ba6f548bf607d31f26819bd2c0f4bfa0b1143. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: f112a790538f94f49c62ff4a7d9ba6f548bf607d31f26819bd2c0f4bfa0b1143
SHA3-384 hash: c694635a5f83390c2442d164b9b5f8565e5819c44df7bb1de34fd83d2d2fcf52f898cf2e1dc4d8e0612c8e28a3d7ac62
SHA1 hash: 1c4a6c587d5f0a2381ffaa7e4e379a3b7ed226b1
MD5 hash: 43c066ff330d8f7986fbc48c065e3072
humanhash: item-zebra-hamper-lamp
File name: 43c066ff330d8f7986fbc48c065e3072.exe
Signature: RedLineStealer
File size: 2'706'432 bytes
First seen: 2023-12-09 04:45:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:MM0Mi5znqaB73VZfjdsDpvMczajIntYMLJ827Df:R0lT/dFZbd8pvM0ajQZV82X
Threatray 559 similar samples on MalwareBazaar
TLSH T13EC53396ABE51123C8E457B4ACB702E37A353CE248385B2F61B5948D48F39E1787371B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags: exe RedLineStealer
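Before a downloaded copy of this sample goes anywhere near analysis tooling, recompute the four digests the entry publishes and confirm the file really is a PE, which is what the "Executable exe" and "application/x-dosexec" fields assert. The block below is an added example and not MalwareBazaar code; the only input it ships with, build_dummy_pe(), is a constructed stand-in so the code runs offline, and it will of course not match the listed hashes. Against the real file every digest should match and hash_mismatches should come back empty.

```python
# Added example: verify a downloaded copy of the sample against the hashes, size
# and file type listed in this entry. Not MalwareBazaar code; the only input it
# ships with is a constructed stand-in so it can run without the real binary.
import hashlib
import struct

# Values copied from the entry above.
EXPECTED = {
    "sha256": "f112a790538f94f49c62ff4a7d9ba6f548bf607d31f26819bd2c0f4bfa0b1143",
    "sha1": "1c4a6c587d5f0a2381ffaa7e4e379a3b7ed226b1",
    "md5": "43c066ff330d8f7986fbc48c065e3072",
    "sha3_384": "c694635a5f83390c2442d164b9b5f8565e5819c44df7bb1de34fd83d2d2fcf52f898cf2e1dc4d8e0612c8e28a3d7ac62",
}
EXPECTED_SIZE = 2706432


def digests(data: bytes) -> dict:
    """Compute the same four digests the entry publishes."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature: the check behind 'Executable exe' and
    'application/x-dosexec' on the entry."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def verify_sample(data: bytes, expected: dict = EXPECTED) -> dict:
    """Return the computed digests, the PE and size checks, and the names of any
    digests that disagree with the entry. A non-empty hash_mismatches means you
    do not have the file this page describes (truncated download, wrong file,
    or a repacked variant that only shares the imphash / icon)."""
    got = digests(data)
    return {
        "size": len(data),
        "size_ok": len(data) == EXPECTED_SIZE,
        "is_pe": is_pe(data),
        "digests": got,
        "hash_mismatches": sorted(k for k, v in expected.items() if got[k] != v),
    }


def verify_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return verify_sample(fh.read())


def build_dummy_pe() -> bytes:
    """Constructed input: a 0x40-byte DOS header with e_lfanew = 0x40 followed by
    the PE signature. It is not the sample and will not match the entry's hashes."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    import json
    import sys
    result = verify_file(sys.argv[1]) if len(sys.argv) > 1 else verify_sample(build_dummy_pe())
    print(json.dumps(result, indent=2))
```

Run it as `python verify.py path/to/43c066ff330d8f7986fbc48c065e3072.exe` (the script name is arbitrary). Note that the imphash and dhash lines on the entry are shared with thousands of other RedLineStealer/Amadey samples, so they identify the packer and icon, not this file; only the full digests do that.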


abuse_ch
RedLineStealer C2:
77.105.132.87:14418

Intelligence


File Origin
# of uploads: 1
# of downloads: 322
Origin country: NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Sending an HTTP GET request
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a service
Changing a file
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer keylogger lolbin packed rundll32 setupapi sfx shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LummaC Stealer, PrivateLoader, PureLog S
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1356766; sample name in the sandbox: OV0WnV6CzT.exe; start date: 09/12/2023; architecture: WINDOWS; score: 100. The graph was extracted as one run of text; the process tree below is the same content rebuilt. Two paths were mangled by the extraction (a literal "\E" and "\G" were lost): "TempCFE.exe" and "Temp9B1.exe" are the Temp-dropped files that run as ECFE.exe and E9B1.exe, and "System32behaviorgraphroupPolicybehaviorgraphPT.INI" is the Group Policy file C:\Windows\System32\GroupPolicy\GPT.INI. Port lists are given as the sandbox shows them (destination port together with the 49xxx ephemeral source ports).

Domains contacted: runeelite.com, ipinfo.io, connv2.proxies.tv
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 20 other signatures
Top-level processes: OV0WnV6CzT.exe; OfficeTrackerNMP131.exe (two instances); rundll32.exe

OV0WnV6CzT.exe  [Binary is likely a compiled AutoIt script file]
  drops C:\Users\user\AppData\Local\...\lT9kJ82.exe (PE32), C:\Users\user\AppData\Local\...\6yM7Cv7.exe (PE32)
  lT9kJ82.exe  [Antivirus / Multi AV Scanner / Machine Learning detection for dropped file]
    drops C:\Users\user\AppData\Local\...\Pt4YC55.exe (PE32), C:\Users\user\AppData\Local\...\5KF8ZE3.exe (PE32)
    Pt4YC55.exe  [Antivirus / Multi AV Scanner / Machine Learning detection for dropped file]
      drops C:\Users\user\AppData\Local\...\Qr0zI47.exe (PE32), C:\Users\user\AppData\Local\...\4AE270nN.exe (PE32)
      Qr0zI47.exe  [Antivirus / Multi AV Scanner / Machine Learning detection for dropped file]
        drops C:\Users\user\AppData\Local\...\3Le36le.exe (PE32), C:\Users\user\AppData\Local\...\1Cz78iI2.exe (PE32)
        3Le36le.exe  [Antivirus / Multi AV Scanner / Machine Learning detection for dropped file; 5 other signatures]
          injects into explorer.exe
          explorer.exe (injected)  [System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files]
            connects to 185.196.8.238 (ports 49747, 80; SIMPLECARRER2IT, Switzerland), 185.172.128.19 (port 80; NADYMSS-ASRU, Russian Federation), 2 other IPs or domains
            drops C:\Users\user\AppData\Local\Temp\ECFE.exe (PE32), C:\Users\user\AppData\Local\Temp\E9B1.exe (PE32), C:\Users\user\AppData\Local\Temp\AC3B.exe (PE32), 3 other malicious files
            E9B1.exe  [Machine Learning detection for dropped file]
              drops C:\Users\user\AppData\Roaming\...\File1.exe (PE32), C:\Users\user\AppData\Roaming\...\File2.exe (PE32)
              File1.exe: connects to 176.123.10.211 (ports 47430, 49742; ALEXHOSTMD, Moldova)  [Multi AV Scanner detection for dropped file; Queries sensitive video device information (WMI Win32_VideoController); Queries sensitive disk information (WMI Win32_DiskDrive); 2 other signatures]
              File2.exe: connects to 176.123.7.190 (ports 32927, 49741; ALEXHOSTMD, Moldova)
              conhost.exe
            6C9F.exe  [Antivirus / Multi AV Scanner detection for dropped file; Queries sensitive disk information (WMI Win32_DiskDrive); Modifies the context of a thread in another process (thread injection)]
              6C9F.exe (second instance): drops C:\Users\user\...\ContextProperties.exe (PE32+)
            ECFE.exe: connects to 77.105.132.87 (ports 20104, 49746; PLUSTELECOM-ASRU, Russian Federation)  [Queries sensitive video device information (WMI Win32_VideoController)]
            7 other processes  [Injects a PE file into a foreign processes]
              drop C:\Users\user\AppData\Roaming\oXnyHd.exe (PE32), C:\Users\user\AppData\Local\...\tmp9998.tmp (XML)
              schtasks.exe -> conhost.exe
        1Cz78iI2.exe  [Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes]
          AppLaunch.exe (first instance)  [Tries to steal Mail credentials (via file / registry access); Disables Windows Defender (deletes autostart); Exclude list of file types from scheduled, custom, and real-time scanning; 3 other signatures]
            connects to 193.233.132.51 (ports 49729, 49731, 50500; FREE-NET-AS, Russian Federation), ipinfo.io 34.117.59.81 (ports 443, 49730, 49732; GOOGLE-AS-AP, United States)
            drops C:\Windows\System32\GroupPolicy\GPT.INI (ASCII), C:\...\JBWoTtCWm2LgjuvoR3EibrMKSNUfnpFE.zip (Zip), C:\Users\user\AppData\...\FANBooster131.exe (PE32), 2 other files (none is malicious)
            oXnyHd.exe
            schtasks.exe -> conhost.exe (two instances)
            WerFault.exe
          AppLaunch.exe (second instance)  [Found stalling execution ending in API Sleep call; Contains functionality to inject threads in other processes; Uses schtasks.exe or at.exe to add and modify task schedules]
      4AE270nN.exe  [Tries to steal Mail credentials (via file / registry access); Disables Windows Defender (deletes autostart); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures]
        drops C:\...\vUgMXLhr7AyWezZVNzdLlnBFFiXMTKQX.zip (Zip)
        WerFault.exe
Threat name:
Win32.Trojan.SmokeLoader
Status:
Malicious
First seen:
2023-12-08 21:30:36 UTC
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor collection loader persistence stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
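The behaviour and signature lists above (Defender exclusions and real-time protection switched off through the registry, a Run-key autorun, a scheduled task created from a Temp location, injection into explorer.exe and AppLaunch.exe followed by network traffic from those processes) and the network IOCs scattered over this page translate directly into event-log checks. The block below is an added example, not code from MalwareBazaar or from any of the vendors quoted here. It runs over constructed Sysmon-style events (event IDs 1, 3 and 13); the paths, task name, SID and registry values in those sample events are assumptions made for the demonstration, not fields from the sandbox report. It matches on destination IP rather than IP:port because the reporter gives 77.105.132.87:14418 while the sandbox run recorded port 20104 on the same host.

```python
# Added example: the behaviour signatures and C2 IOCs on this page, expressed as
# checks over Sysmon-style events. Not code from MalwareBazaar or any vendor
# quoted above. Field names follow Sysmon (EventID 1/3/13; Image, CommandLine,
# ParentImage, TargetObject, Details, DestinationIp, DestinationPort).
from __future__ import annotations

import ipaddress
from typing import Iterable

# Network IOCs as listed on this page (reporter comment, sandbox graph, C2 extraction).
C2_IPS = {
    "77.105.132.87", "193.233.132.51", "81.19.131.34",
    "185.196.8.238", "185.172.128.19", "176.123.10.211", "176.123.7.190",
}
# Registry paths behind "Adds exclusions to Windows Defender", "Disable Windows
# Defender real time protection (registry)" and "Enabling autorun with the
# standard Software\Microsoft\Windows\CurrentVersion\Run registry branch".
DEFENDER_EXCLUSION = "\\windows defender\\exclusions\\"
DEFENDER_RTP_OFF = "\\windows defender\\real-time protection\\disablerealtimemonitoring"
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "%temp%")
# System processes the report shows being injected into and then talking to the network.
INJECTION_TARGETS = {"explorer.exe", "applaunch.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_public(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def match_event(ev: dict) -> list[str]:
    """Return the names of every check the event trips (empty list if none)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 1:  # process creation
        cmd = ev.get("CommandLine", "").lower()
        if _base(image) == "schtasks.exe" and "/create" in cmd and any(m in cmd for m in TEMP_MARKERS):
            hits.append("schtasks: task created from a Temp location")
        if any(m in image.lower() for m in TEMP_MARKERS) and any(m in ev.get("ParentImage", "").lower() for m in TEMP_MARKERS):
            hits.append("process chain: Temp-dropped executable launching another from Temp")
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        if DEFENDER_EXCLUSION in target:
            hits.append("defender: exclusion added")
        if target.endswith(DEFENDER_RTP_OFF) and details.endswith("(0x00000001)"):
            hits.append("defender: real-time protection disabled via policy key")
        if RUN_KEY in target:
            hits.append("persistence: Run key value written")
    elif eid == 3:  # network connection
        dst = ev.get("DestinationIp", "")
        if dst in C2_IPS:
            hits.append(f"network: listed C2 {dst}:{ev.get('DestinationPort')}")
        if _base(image) in INJECTION_TARGETS and _is_public(dst):
            hits.append("network: injection-prone system process connecting out")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, str]]:
    """(event index, check name) for every hit, in event order."""
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ev)]


# Constructed events for the demonstration; paths, task name, SID and values are
# made up to resemble the sandbox report, they are not taken from it.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\lT9kJ82.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\OV0WnV6CzT.exe", "CommandLine": "lT9kJ82.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "CommandLine": r'schtasks.exe /create /xml "C:\Users\user\AppData\Local\Temp\tmp9998.tmp" /tn "oXnyHd"'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Local\Temp",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\FANBooster131",
     "Details": r"C:\Users\user\AppData\Roaming\FANBooster131.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "185.196.8.238", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "DestinationIp": "193.233.132.51", "DestinationPort": 50500},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},  # benign control
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},  # benign control
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Two caveats when reusing these IOCs: the reporter names only 77.105.132.87 as the RedLine C2, while the other addresses come from a sandbox run in which the dropper pulled several families (PrivateLoader, RisePro, SmokeLoader, LummaC) and may be shared hosting, so confirm a hit against the process and port before acting on it; and the registry checks fire on the value being written, which also happens when an administrator adds an exclusion legitimately, so pair them with the writing process (here the sandbox shows AppLaunch.exe, not a management tool).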
Unpacked files
SHA256 hash: 94513f36ef94d07e4f4eb4fc1f16f720c517aae322ce9153cf716f08010e2a96
MD5 hash: d09d113833f72b4cb1e4d32664b2c0c6
SHA1 hash: a84d58464acb78d7a6bbe4ce97dec3224f643b70

SHA256 hash: 59e82e7cac5f7c5eb7910b7e3355a1ba5bd4326cd78a2ede36aac2d5c28f1d8d
MD5 hash: 0820f49fdb8e0ff2b8cdbfae89f894d3
SHA1 hash: 32974961355ae3881da25cf4068cb13037edc751

SHA256 hash: f112a790538f94f49c62ff4a7d9ba6f548bf607d31f26819bd2c0f4bfa0b1143
MD5 hash: 43c066ff330d8f7986fbc48c065e3072
SHA1 hash: 1c4a6c587d5f0a2381ffaa7e4e379a3b7ed226b1
Detections:
win_redline_wextract_hunting_oct_2023
Malware family:
PrivateLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AppLaunch
Author: iam-py-test
Description: Detect files referencing .Net AppLaunch.exe
Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: Check_Debugger
Rule name: Check_OutputDebugStringA_iat
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: pe_no_import_table
Description: Detect pe file that no import table
Rule name: QbotStuff
Author: anonymous
Rule name: SUSP_OneNote
Author: spatronn
Description: Hard-Detect One
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f112a790538f94f49c62ff4a7d9ba6f548bf607d31f26819bd2c0f4bfa0b1143

(this sample)

Delivery method
Distributed via web download

Comments