MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22
SHA3-384 hash: 68797759dea612dfec6f41c234df0532214fcaefbbcacdacbad264858cde85dbb66357ca0746454abd757fa6f2331859
SHA1 hash: 174275aff50a2c3f5f2f8e29e359304bf3de28dd
MD5 hash: 1f9cf120796b3e008b0230d98d8fe7e2
humanhash: high-hydrogen-papa-low
File name:1f9cf120796b3e008b0230d98d8fe7e2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:174'080 bytes
First seen:2024-02-10 08:40:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22f9f2606c25ef8bf6061b93336e819f (1 x GCleaner, 1 x Smoke Loader, 1 x RedLineStealer)
ssdeep 3072:X5CUZj36xumev2uDLFHbJAEUuUUtA5PvnPjexS:X5Cij36RyzZdAEXMX
TLSH T1F204AE2036E98072D2D3267189F0CBF54EAB78961772B9CE4FD9157A5F24AE1833431E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon d2f0e4c4ccf9c6f9 (5 x Stealc, 1 x LummaStealer, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.92.244.55:13002

Intelligence

File Origin
# of uploads :
1
# of downloads :
355
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22.exe
Verdict:
Malicious activity
Analysis date:
2024-02-10 08:40:44 UTC
Tags:
loader smoke smokeloader miner
Link:
https://app.any.run/tasks/a0bbbf3b-6ea6-4e6f-bfc4-43f5a24e7691

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475651/
Detection(s):
Win.Malware.Dropperx-10020919-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint glupteba packed smokeloader
Link:
https://www.filescan.io/uploads/65c7369e721c476da6b158a0/reports/a9994c18-413b-4cd7-b84a-768e3bff1fb3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ec47ca58-c01b-4e8d-bdae-f660de2d4443
Result
Threat name:
LummaC, Amadey, Babuk, Djvu, RedLine, Sm
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1390110
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1390110 Sample: amONbBvdCh.exe Startdate: 10/02/2024 Architecture: WINDOWS Score: 100 99 trad-einmyus.com 2->99 101 starozitnictvi-znojmo.cz 2->101 103 15 other IPs or domains 2->103 117 Snort IDS alert for network traffic 2->117 119 Multi AV Scanner detection for domain / URL 2->119 121 Found malware configuration 2->121 123 15 other signatures 2->123 11 amONbBvdCh.exe 2->11         started        14 1210.exe 2->14         started        16 fdvshsb 2->16         started        signatures3 process4 signatures5 179 Detected unpacking (changes PE section rights) 11->179 181 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->181 183 Maps a DLL or memory area into another process 11->183 185 Creates a thread in another existing process (thread injection) 11->185 18 explorer.exe 83 24 11->18 injected 187 Antivirus detection for dropped file 14->187 189 Detected unpacking (overwrites its own PE header) 14->189 191 Machine Learning detection for dropped file 14->191 199 2 other signatures 14->199 23 1210.exe 14->23         started        193 Multi AV Scanner detection for dropped file 16->193 195 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->195 197 Checks if the current machine is a virtual machine (disk enumeration) 16->197 process6 dnsIp7 105 m2reg.ulm.ac.id 103.23.232.80, 49781, 80 UNLAM-AS-IDUniversitasLambungMangkuratID Indonesia 18->105 107 109.107.182.3, 49791, 80 TELEPORT-TV-ASRU Russian Federation 18->107 111 6 other IPs or domains 18->111 67 C:\Users\user\AppData\Roaming\fdvshsb, PE32 18->67 dropped 69 C:\Users\user\AppData\Local\Temp\B662.exe, PE32 18->69 dropped 71 C:\Users\user\AppData\Local\Temp\B0EE.exe, PE32 18->71 dropped 79 5 other malicious files 18->79 dropped 133 System process connects to network (likely due to code injection or exploit) 18->133 135 Benign windows process drops PE files 18->135 137 Deletes itself after installation 18->137 139 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->139 25 5E51.exe 18->25         started        28 B0EE.exe 18->28         started        31 1210.exe 18->31         started        33 7 other processes 18->33 109 habrafa.com 189.232.12.90, 49765, 80 UninetSAdeCVMX Mexico 23->109 73 C:\Users\user\_README.txt, ASCII 23->73 dropped 75 C:\Users\user\Desktop\...\ZBEDCJPBEY.mp3, data 23->75 dropped 77 C:\Users\user\Desktop\...\ONBQCLYSPU.docx, data 23->77 dropped 81 2 other malicious files 23->81 dropped 141 Modifies existing user documents (likely ransomware behavior) 23->141 file8 signatures9 process10 dnsIp11 153 Multi AV Scanner detection for dropped file 25->153 155 Machine Learning detection for dropped file 25->155 173 2 other signatures 25->173 36 vbc.exe 25->36         started        89 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 28->89 dropped 157 Antivirus detection for dropped file 28->157 159 Detected unpacking (changes PE section rights) 28->159 161 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->161 175 5 other signatures 28->175 163 Detected unpacking (overwrites its own PE header) 31->163 177 2 other signatures 31->177 40 1210.exe 1 15 31->40         started        93 secretionsuitcasenioise.shop 104.21.16.152, 443, 49782 CLOUDFLARENETUS United States 33->93 95 decorousnumerousieo.shop 104.21.38.2, 443, 49779 CLOUDFLARENETUS United States 33->95 97 4 other IPs or domains 33->97 91 C:\Users\user\AppData\Local\Temp\...\Travesti, PE32+ 33->91 dropped 165 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 33->165 167 Query firmware table information (likely to detect VMs) 33->167 169 Uses cmd line tools excessively to alter registry or file data 33->169 171 LummaC encrypted strings found 33->171 43 cmd.exe 33->43         started        45 conhost.exe 33->45         started        47 reg.exe 1 1 33->47         started        49 8 other processes 33->49 file12 signatures13 process14 dnsIp15 113 91.92.244.55 THEZONEBG Bulgaria 36->113 143 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->143 145 Found many strings related to Crypto-Wallets (likely being stolen) 36->145 147 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->147 149 Tries to harvest and steal browser information (history, passwords, etc) 36->149 115 api.2ip.ua 104.21.65.24, 443, 49748, 49754 CLOUDFLARENETUS United States 40->115 83 C:\Users\user\AppData\Local\...\1210.exe, PE32 40->83 dropped 51 1210.exe 40->51         started        54 icacls.exe 40->54         started        151 Drops PE files with a suspicious file extension 43->151 56 Namespace.pif 43->56         started        59 cmd.exe 43->59         started        61 conhost.exe 43->61         started        63 6 other processes 43->63 file16 signatures17 process18 file19 125 Sample uses process hollowing technique 51->125 65 1210.exe 12 51->65         started        85 C:\Users\user\AppData\...\TechHarbor.pif, PE32+ 56->85 dropped 127 Drops PE files with a suspicious file extension 56->127 129 Modifies the context of a thread in another process (thread injection) 56->129 131 Injects a PE file into a foreign processes 56->131 87 C:\Users\user\AppData\Local\...87amespace.pif, PE32+ 59->87 dropped signatures20 process21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-02-07 09:22:36 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 24 (95.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rei5wg2mlt6qsiha6elz5c6w4huujdbgm4rronzbb7yxpunfira._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:djvu family:redline family:smokeloader family:vidar botnet:655507914130aa0fe72362726c206a7c botnet:empresslogs botnet:tfd5 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/240210-klez1saa6t/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Amadey
DcRat
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
RedLine
Malware Config
C2 Extraction:
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
http://habrafa.com/test1/get.php
https://t.me/newagev
https://steamcommunity.com/profiles/76561199631487327
http://185.215.113.32
91.92.244.55:13002
Unpacked files
SH256 hash:
8920c744aebda5cd6304ea1aa88b1a051a5e34a3d5d7d2dab182ef9cb0aec361
MD5 hash:
9f6f0abfef1cad87fbdd302b790ab0be
SHA1 hash:
1e93fbaadbd9d880dd0dde3623b6f16233aa7811
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/ba42c17b-183b-4bae-8c55-4ed88a181803/
Parent samples :
f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22
b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8
a5da18a9350a63a4d2ec54da2d3e49bf4277307209979bfad54538eff856bf9c
078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
b1f57f9e13e75717674eeca314a042ac3e0816f17e7743c361e0be7f45bf9897
d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f
e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964
8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78
741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
SH256 hash:
f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22
MD5 hash:
1f9cf120796b3e008b0230d98d8fe7e2
SHA1 hash:
174275aff50a2c3f5f2f8e29e359304bf3de28dd
Link:
https://www.unpac.me/results/ba42c17b-183b-4bae-8c55-4ed88a181803/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/475651/

Comments