MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 184f4cdcc8095e694f876a5806f2446eab09cb0f7876d2cce7f5c4537cfb1b09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: 184f4cdcc8095e694f876a5806f2446eab09cb0f7876d2cce7f5c4537cfb1b09
SHA3-384 hash: 85582096be654c290639c2b6344cea2d9a28377595840c65336b1009d0a9d728b81f8a4ee71ffb9b47ba27c3e5bee4c6
SHA1 hash: 8218f1ac465ef94ac59da608316b915fb888b904
MD5 hash: 10db1942bef56829f1478f2b42a843d3
humanhash: delaware-ceiling-lamp-bacon
File name: 10db1942bef56829f1478f2b42a843d3
Signature: RedLineStealer
File size: 356'352 bytes
First seen: 2023-03-22 04:41:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a4559d1602669b68de352c9c26c5d967 (2 x Stop, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep: 6144:9480lL2LXU6Vyrr8DMDfaaAql1c/FI2kn4ehv4ikYdnrS9daTT3:mTlL2jU6VyrjfaPA1c/F+nvhQdanrS9
Threatray: 40 similar samples on MalwareBazaar
TLSH: T1E374F11173E2C073E5A745794A6ACBB09E3FB8705B598ACB2B8057AD0E347D1DE36306
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 0085634351617101 (1 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 245
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: 10db1942bef56829f1478f2b42a843d3
Verdict: Malicious activity
Analysis date: 2023-03-22 04:44:49 UTC
Tags: rat redline

Note: ANY.RUN is an interactive sandbox; its verdict reflects every action taken during the analysis session, not only the behaviour of the uploaded sample itself.
Result
Verdict: Malware
Behaviour:
  Using the Windows Management Instrumentation requests
  Sending a custom TCP request
  Reading critical registry keys
  Creating a file
  Launching the default Windows debugger (dwwin.exe)
  Searching for the window
  Sending a TCP request to an infection source
  Stealing user critical data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware lockbit packed ursnif
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  C2 URLs / IPs found in malware configuration
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Snort IDS alert for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Yara detected RedLine Stealer
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2023-03-22 04:42:08 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@germany discovery infostealer spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Program crash
  Checks installed software on the system
  Reads user/profile data of web browsers
  RedLine
  RedLine payload
Malware Config
C2 Extraction: 185.11.61.125:22344
Unpacked files
SHA256 hash: 6795dbb5efc32fb90da0deb66b9b9f79bca2b9c04ba85e11b99c1486e24dfa98
MD5 hash: ea0399f40f9700d5b1ed80130ccd44cb
SHA1 hash: e7d6a471e9e45918e8662edfa6a6325bd6daedf5
SHA256 hash: 0a354633ad8f70d2b069fde958c1f0e7ca37b6539347b0c7f4117be331b99e51
MD5 hash: 37d310169cbf1c089ec3f2ee44937c86
SHA1 hash: 191c9143818bf21347115bd87bcfe53c05fd324b
Detections: redline
Parent samples:
SHA256 hash: 184f4cdcc8095e694f876a5806f2446eab09cb0f7876d2cce7f5c4537cfb1b09
MD5 hash: 10db1942bef56829f1478f2b42a843d3
SHA1 hash: 8218f1ac465ef94ac59da608316b915fb888b904
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RedLineStealer
  Executable exe 184f4cdcc8095e694f876a5806f2446eab09cb0f7876d2cce7f5c4537cfb1b09 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-03-22 04:41:29 UTC

url: hxxp://194.110.203.101/puta/nsoftwinx64.exe
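What a responder takes away from an entry like this are its indicators: the file hashes, the C2 endpoint extracted under Malware Config (185.11.61.125:22344), and the defanged download URL in the comment above. The following Python is an added example, not MalwareBazaar's code and not anything from the sample itself. It transcribes those fields into a constructed record, validates the hashes, refangs the URL, parses the C2 endpoint, and turns them into a Snort/Suricata rule and a hash-based YARA rule. The Snort SID, the rule message text and the YARA rule name are assumptions chosen for illustration.

```python
"""Added example (not MalwareBazaar's code): turn the indicators on this entry
into validated IOCs and detection artefacts.

The record below is constructed by hand from the fields on this page. The Snort
SID, the rule message and the YARA rule name are assumptions for illustration.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Constructed record: values transcribed from the entry above.
ENTRY = {
    "sha256": "184f4cdcc8095e694f876a5806f2446eab09cb0f7876d2cce7f5c4537cfb1b09",
    "sha1": "8218f1ac465ef94ac59da608316b915fb888b904",
    "md5": "10db1942bef56829f1478f2b42a843d3",
    "c2": "185.11.61.125:22344",                                    # from "Malware Config"
    "delivery_url": "hxxp://194.110.203.101/puta/nsoftwinx64.exe",  # defanged, from the comment
}

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_hashes(entry):
    """Return only the hash fields that are well-formed lowercase hex of the right length."""
    valid = {}
    for name, length in HASH_LENGTHS.items():
        value = entry.get(name, "").strip().lower()
        if re.fullmatch(rf"[0-9a-f]{{{length}}}", value):
            valid[name] = value
    return valid


def refang(url):
    """Undo the usual defanging (hxxp, [.], (dot), [:]) so the URL parses normally."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(dot)", "."), ("[:]", ":"), ("[://]", "://")):
        url = url.replace(defanged, real)
    return url


def parse_c2(endpoint):
    """Split 'ip:port' into (ip, port); raises ValueError if either part is not valid."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {endpoint!r}")
    ip = ipaddress.ip_address(host.strip("[]"))   # raises ValueError on non-IP literals
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(ip), port


def is_valid_c2(endpoint):
    """Boolean wrapper around parse_c2 for callers that only need a yes/no."""
    try:
        parse_c2(endpoint)
        return True
    except ValueError:
        return False


def snort_c2_rule(ip, port, sid=1000001):
    """Snort/Suricata rule for outbound connections to the C2 (sid and msg are assumptions)."""
    return (f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"RedLine Stealer C2 connection (MalwareBazaar entry)"; '
            f"flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)")


def yara_hash_rule(entry, name="redline_mb_sample"):
    """YARA rule matching this exact file by SHA256 via the hash module (rule name is an assumption)."""
    sha256 = validate_hashes(entry)["sha256"]
    return ('import "hash"\n'
            f"rule {name} {{\n"
            "    condition:\n"
            f'        hash.sha256(0, filesize) == "{sha256}"\n'
            "}\n")


def verify_sample(data, entry):
    """Compare a downloaded file's digests against the entry; True per algorithm on match."""
    expected = validate_hashes(entry)
    return {name: hashlib.new(name, data).hexdigest() == expected[name] for name in expected}


def build_iocs(entry):
    """Structured IOC bundle: validated hashes, C2 endpoint, refanged delivery URL and its host."""
    ip, port = parse_c2(entry["c2"])
    url = refang(entry["delivery_url"])
    return {
        "hashes": validate_hashes(entry),
        "c2": {"ip": ip, "port": port},
        "delivery": {"url": url, "host": urlparse(url).hostname},
        "snort": snort_c2_rule(ip, port),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(ENTRY), indent=2))
    print(yara_hash_rule(ENTRY))
```

verify_sample takes the raw bytes of the file you actually downloaded and tells you per algorithm whether they match the entry, which catches a truncated or wrong download before it reaches a sandbox. The hash-only YARA rule needs YARA built with the hash module and matches only this exact file, so it is an inventory check rather than a variant detector; for hunting related builds, the imphash and ssdeep values listed above (the imphash is shared with Stop and Smoke Loader samples) are the values to pivot on.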