MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e
SHA3-384 hash: 9d360594653e15db7bb5f63f7ab8262a9f60aaac06f7fe858ee751145e07570d50f48482c832e67a1657329991c69120
SHA1 hash: 7b59ec4a8f8d1504add32b2412483db6f9aed081
MD5 hash: 3755062e162af135a69553d363fd6783
humanhash: august-april-hot-lamp
File name:3755062e162af135a69553d363fd6783.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'073'152 bytes
First seen:2023-11-10 15:41:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:0yxlReeTq6aeFIspCAGfvUDG/OmTxCcSZUQ:DxlReemTeG6DGEjcS+
Threatray 30 similar samples on MalwareBazaar
TLSH T17D3522536FED5033E4A1A771A8F342070738BCA26D38836E325A291F9CB25917972737
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.42.92.51:19057

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
Searching for the window
DNS request
Sending a custom TCP request
Behavior that indicates a threat
Сreating synchronization primitives
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer greyware installer installer lolbin lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/654e4f4b641154c7e3f1c891/reports/1a15127f-47d6-4b59-a08b-c93b705cbc4f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fecca77-6c28-41f0-85a9-a8eee5082ddc
Result
Threat name:
Glupteba, Mystic Stealer, RedLine, Smoke
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1340746
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the hosts file
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has a writeable .text section
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Stop multiple services
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Glupteba
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1340746 Sample: d5c63uxNeA.exe Startdate: 10/11/2023 Architecture: WINDOWS Score: 100 189 Found malware configuration 2->189 191 Malicious sample detected (through community Yara rule) 2->191 193 Antivirus detection for URL or domain 2->193 195 15 other signatures 2->195 13 d5c63uxNeA.exe 1 4 2->13         started        16 svchost.exe 1 2 2->16         started        19 rundll32.exe 2->19         started        process3 dnsIp4 133 C:\Users\user\AppData\Local\...\rz1rK87.exe, PE32 13->133 dropped 135 C:\Users\user\AppData\Local\...\7LH6QY21.exe, PE32 13->135 dropped 21 rz1rK87.exe 1 4 13->21         started        137 104.117.234.93 AKAMAI-ASUS United States 16->137 139 127.0.0.1 unknown unknown 16->139 file5 process6 file7 107 C:\Users\user\AppData\Local\...\dF3sl45.exe, PE32 21->107 dropped 109 C:\Users\user\AppData\Local\...\3PO29ug.exe, PE32 21->109 dropped 207 Antivirus detection for dropped file 21->207 209 Machine Learning detection for dropped file 21->209 25 3PO29ug.exe 21->25         started        28 dF3sl45.exe 1 4 21->28         started        signatures8 process9 file10 211 Antivirus detection for dropped file 25->211 213 Multi AV Scanner detection for dropped file 25->213 215 Machine Learning detection for dropped file 25->215 219 5 other signatures 25->219 31 explorer.exe 25->31 injected 129 C:\Users\user\AppData\Local\...\2UN2323.exe, PE32 28->129 dropped 131 C:\Users\user\AppData\Local\...\1Qs38jN6.exe, PE32 28->131 dropped 217 Binary is likely a compiled AutoIt script file 28->217 36 1Qs38jN6.exe 12 28->36         started        38 2UN2323.exe 1 28->38         started        signatures11 process12 dnsIp13 159 103.152.79.123 TWIDC-AS-APTWIDCLimitedHK unknown 31->159 161 185.229.66.214 SUPERSERVERSDATACENTERRU Russian Federation 31->161 163 8 other IPs or domains 31->163 99 C:\Users\user\AppData\Roaming\jwfvrab, PE32 31->99 dropped 101 C:\Users\user\AppData\Local\Temp\D82.exe, PE32 31->101 dropped 103 C:\Users\user\AppData\Local\Temp\B80F.exe, PE32 31->103 dropped 105 5 other malicious files 31->105 dropped 165 System process connects to network (likely due to code injection or exploit) 31->165 167 Benign windows process drops PE files 31->167 169 Adds a directory exclusion to Windows Defender 31->169 171 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->171 40 B80F.exe 31->40         started        44 81D9.exe 31->44         started        46 8FF4.exe 31->46         started        57 4 other processes 31->57 173 Binary is likely a compiled AutoIt script file 36->173 175 Machine Learning detection for dropped file 36->175 177 Found API chain indicative of sandbox detection 36->177 179 Contains functionality to modify clipboard data 36->179 49 chrome.exe 9 36->49         started        51 chrome.exe 36->51         started        59 8 other processes 36->59 181 Contains functionality to inject code into remote processes 38->181 183 Writes to foreign memory regions 38->183 185 Allocates memory in foreign processes 38->185 187 Injects a PE file into a foreign processes 38->187 53 AppLaunch.exe 12 38->53         started        55 conhost.exe 38->55         started        file14 signatures15 process16 dnsIp17 111 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 40->111 dropped 113 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 40->113 dropped 115 C:\Users\user\AppData\...\InstallSetup5.exe, PE32 40->115 dropped 117 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 40->117 dropped 221 Antivirus detection for dropped file 40->221 223 Multi AV Scanner detection for dropped file 40->223 225 Machine Learning detection for dropped file 40->225 227 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 40->227 61 toolspub2.exe 40->61         started        64 31839b57a4f11171d6abc8bbc4451ee4.exe 40->64         started        73 4 other processes 40->73 119 C:\Users\user\...\bIjOHZKOUEASrqa.data, PE32 44->119 dropped 121 C:\Users\user\...\DCvHFpsgpOhHDSF.data, PE32 44->121 dropped 229 Writes to foreign memory regions 44->229 231 Allocates memory in foreign processes 44->231 233 Injects a PE file into a foreign processes 44->233 66 jsc.exe 44->66         started        149 194.49.94.80 EQUEST-ASNL unknown 46->149 235 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 46->235 237 Found many strings related to Crypto-Wallets (likely being stolen) 46->237 239 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 46->239 69 conhost.exe 46->69         started        151 192.168.2.5 unknown unknown 49->151 153 239.255.255.250 unknown Reserved 49->153 76 3 other processes 49->76 71 chrome.exe 51->71         started        155 193.233.255.73 FREE-NET-ASFREEnetEU Russian Federation 53->155 157 194.49.94.11 EQUEST-ASNL unknown 57->157 78 6 other processes 57->78 80 8 other processes 59->80 file18 signatures19 process20 dnsIp21 241 Multi AV Scanner detection for dropped file 61->241 243 Detected unpacking (changes PE section rights) 61->243 245 Machine Learning detection for dropped file 61->245 247 Injects a PE file into a foreign processes 61->247 82 toolspub2.exe 61->82         started        249 Detected unpacking (overwrites its own PE header) 64->249 251 Found Tor onion address 64->251 253 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 64->253 85 cmd.exe 64->85         started        141 194.169.175.235 CLOUDCOMPUTINGDE Germany 66->141 255 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 66->255 257 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 66->257 259 Tries to harvest and steal browser information (history, passwords, etc) 66->259 123 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 73->123 dropped 125 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 73->125 dropped 127 C:\Windows\System32\drivers\etc\hosts, ASCII 73->127 dropped 261 Modifies the hosts file 73->261 263 Adds a directory exclusion to Windows Defender 73->263 87 Broom.exe 73->87         started        143 104.244.42.133 TWITTERUS United States 76->143 145 104.244.42.193 TWITTERUS United States 76->145 147 65 other IPs or domains 76->147 file22 signatures23 process24 signatures25 197 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 82->197 199 Maps a DLL or memory area into another process 82->199 201 Checks if the current machine is a virtual machine (disk enumeration) 82->201 203 Creates a thread in another existing process (thread injection) 82->203 89 fodhelper.exe 85->89         started        91 conhost.exe 85->91         started        93 fodhelper.exe 85->93         started        95 fodhelper.exe 85->95         started        205 Multi AV Scanner detection for dropped file 87->205 process26 process27 97 31839b57a4f11171d6abc8bbc4451ee4.exe 89->97         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-10 16:02:14 UTC
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7drijpikxuqlsj6iliuvcresdtg3kr3qdtal64sptsta7oxkcjha._file
Verdict:
malicious
Similar samples:
3b73c4da6f2bda6ebc26552afccbfd8c097a5a3195fd2593840d9ea7712b7120
RedLineStealer
50c1d754d7837fc0b4085436b80acb900a1b3a35d3f3fa27420b8aa9a4a9f29d
RedLineStealer
5c88a340b3b0502c9777fe6159f01d66875341dc739e23a56a21ee18479890f2
RedLineStealer
779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
RedLineStealer
cf17ba3233bc2dab9db27c1c73682990e0403054fad2a4ba39316d66c53bb406
RedLineStealer
d2667ebba32efa519eec816fac01b3be538c57c2830a23eb8e43bca561e091d7
RedLineStealer
e629fcf41de2187cafd4c8c38b1e9408a5c521d29459971bb96fae5da26fa9d5
RedLineStealer
e6c757449536eefcf5903526df6e6dafa4e352fb7b55024ef005a51f7c853e86
RedLineStealer
e85172898e1439bc95876cd84f60ac685bd13ee9de2bda81f497807e7f7822b3
RedLineStealer
ed5858af8476036c1914ff346745b794c74a98bbb2fa8edba77bfc497a6471a8
RedLineStealer
+ 20 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:mystic family:redline family:sectoprat family:smokeloader botnet:@ytlogsbot botnet:pixelnew2.0 botnet:taiga botnet:up3 backdoor dropper infostealer loader persistence rat stealer trojan
Link:
https://tria.ge/reports/231110-s5b2gahh81/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detect Mystic stealer payload
Glupteba
Glupteba payload
Mystic
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://5.42.92.190/fks/index.php
5.42.92.51:19057
194.49.94.11:80
194.169.175.235:42691
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
151a7adca61814e33a56a3e4b06c4ceb699855de65301048686dff46ad3d8680
MD5 hash:
09837a6fc9178693e96f00e005bb348e
SHA1 hash:
928dea68e60588a1f2bafbd9a1b97e7a14f49c5b
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/07b4121e-1fa7-44ea-ad43-1bdfa85de2e3/
Parent samples :
f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e
1375f86609d8fe34f907a85a718851c42109bfda03d3000394d04fe63d8a1b7e
SH256 hash:
ca561520a28465aff522485a40bce57984c4e25741c5c1b3e9c544d774e3bf75
MD5 hash:
30e5898d385d7429aa3056e06f28bcbe
SHA1 hash:
1815e8b039ff534d5117d4b2d6c400a564cdac3f
Link:
https://www.unpac.me/results/07b4121e-1fa7-44ea-ad43-1bdfa85de2e3/
SH256 hash:
dce3cf0613756df0f955e85e7a91e42edea3c911f9296ee2a63884cf610057f9
MD5 hash:
c99705d89f2e422d524894b639a99ae8
SHA1 hash:
cd0b7fb89195019caf40104b5b723fdbb9343088
Link:
https://www.unpac.me/results/07b4121e-1fa7-44ea-ad43-1bdfa85de2e3/
SH256 hash:
46d73000badea343d2cb0847c368847c37606303018f3c4978d01873e0b4fb82
MD5 hash:
91df744d778858b578e9e1200e3644ae
SHA1 hash:
0ad8bc6a8b89368b135918e95f1e6b49150192f1
Link:
https://www.unpac.me/results/07b4121e-1fa7-44ea-ad43-1bdfa85de2e3/
Parent samples :
dd49ae56ccd5824fe4f6b62ed6b3b3466a40e56163c23adee63b9b26d96b09c5
afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733
3e7af42c2132ad7ca46675fcc364bbfff19ed9a9b6e7c1416215334bcc1e6a27
30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c
SH256 hash:
f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e
MD5 hash:
3755062e162af135a69553d363fd6783
SHA1 hash:
7b59ec4a8f8d1504add32b2412483db6f9aed081
Link:
https://www.unpac.me/results/07b4121e-1fa7-44ea-ad43-1bdfa85de2e3/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f8e284bd0abd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f8e284bd0abd20b927c85a295144921ccdb547701cc0bf724f9ca60fbaea124e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2729439/
  
Delivery method
Distributed via web download

Comments