MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18055486aef1f706a69134be283fffdad9c49f5ffecda5d869e74c2ae882cd6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	18055486aef1f706a69134be283fffdad9c49f5ffecda5d869e74c2ae882cd6c
SHA3-384 hash:	043ebe848e0fb88ca53b69a2887ef9a8352714db5977acc4af2bff94d38ebc4da4fd054683804e7b72829ee8fb4f6356
SHA1 hash:	e73316f2e32bad7df56c5e975c8aae13efc3aa84
MD5 hash:	a2d67add9931542f27af310c5f6684ff
humanhash:	idaho-mobile-moon-cat
File name:	a2d67add9931542f27af310c5f6684ff.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'210'304 bytes
First seen:	2022-12-07 12:22:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	49152:I47W2+irPkgTByJA6QDxX4IEV+jtCpLE+8TxQE:Fa2nrsgTBdDREgjMpLp2xQE
TLSH	T1A7A533096FE96366C6EE8B7499F95753033CBAB36D348A1D2B9098841CB36C0C572377
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

dd7256ae55124fa928ab7ca5d6de64cebe3b3e04d09f91d98b1a0444c4c0d05a

Verdict:

Malicious activity

Analysis date:

2022-12-07 11:55:20 UTC

Tags:

installer opendir loader

Link:

https://app.any.run/tasks/e0ef088d-0158-4bb0-ba39-b9ff92383a73

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/343915/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Creating a process from a recently created file

Сreating synchronization primitives

DNS request

Sending a UDP request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack.dll anti-vm cmd.exe packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/639085a9485d8463dc40d3f9/reports/f6888dbe-cd4b-43b7-a7a2-f0e0535d77b2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/21062a36-3a17-4500-b539-a5848c4241e3

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

8 / 100

Link:

https://www.joesandbox.com/analysis/1129878

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18055486aef1f706a69134be283fffdad9c49f5ffecda5d869e74c2ae882cd6c/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dacvjbvo6h3qnjurgs7cqp773lm4jh2773g2lwdj45gcv2eczvwa._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/221207-pkg57seh35/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1da8e72f-9ddb-493c-ab2e-4d6ef1c269d7

Unpacked files

SH256 hash:

0690c6f200a600a92b705f27337936bbad87b8db613f8b4c2512a9ad41a555cf

MD5 hash:

1cd40dede6d46664b6cbaacd766d3678

SHA1 hash:

39c8e0870ebe079d9f2c1ab98bfef8a2e1638dc7

Link:

https://www.unpac.me/results/43fd5acb-435e-46ad-85eb-a100725a150b/

SH256 hash:

18055486aef1f706a69134be283fffdad9c49f5ffecda5d869e74c2ae882cd6c

MD5 hash:

a2d67add9931542f27af310c5f6684ff

SHA1 hash:

e73316f2e32bad7df56c5e975c8aae13efc3aa84

Link:

https://www.unpac.me/results/43fd5acb-435e-46ad-85eb-a100725a150b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/18055486aef1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18055486aef1f706a69134be283fffdad9c49f5ffecda5d869e74c2ae882cd6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/343915/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample