MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18947a60c28aafd50e6004ff5239fb65574ce588a04bf90d90c5b4da55e64504. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 7 File information Comments

SHA256 hash:	18947a60c28aafd50e6004ff5239fb65574ce588a04bf90d90c5b4da55e64504
SHA3-384 hash:	aea06717aad9d9b6486455ffbe46f4949c72d3c9e7110f1c2acd56be461a1690ac0c2d1705270af371d5e379e85df32f
SHA1 hash:	6703435c08fdec17eea2ee52c0e76e4bdb896f60
MD5 hash:	fc6ebc8c3c04929f2246e1d186f87609
humanhash:	one-hydrogen-jersey-sixteen
File name:	18947a60c28aafd50e6004ff5239fb65574ce588a04bf.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'467'392 bytes
First seen:	2022-02-18 18:35:55 UTC
Last seen:	2022-02-18 20:47:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	24576:dUvpaTKT6yDqOw4SYJo5Ye7CnTDA3vNYORkwK:dUxaumuqOiHtqwK
Threatray	1'918 similar samples on MalwareBazaar
TLSH	T13F659E12B5458A40C3994736D0E788104BE7EED2177AD60F398D33593FB374BA44AFAA
File icon (PE):
dhash icon	9979cc968eb8f031 (2 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
188.127.235.44:23948

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
188.127.235.44:23948	https://threatfox.abuse.ch/ioc/388855/

Intelligence

File Origin

# of uploads :

# of downloads :

327

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/242593/

Detection(s):

SecuriteInfo.com.ArtemisFC6EBC8C3C04.3009.15125.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file

Сreating synchronization primitives

Unauthorized injection to a recently created process

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Reading critical registry keys

Using the Windows Management Instrumentation requests

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/620fe717ac8ad0468b522e47/reports/34369579-b772-4974-b888-6c7e7295e2cb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/17c985df-5e75-45c4-9af8-62536914083f

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/942420

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18947a60c28aafd50e6004ff5239fb65574ce588a04bf90d90c5b4da55e64504/

Threat name:

ByteCode-MSIL.Trojan.RedLine

Status:

Malicious

First seen:

2022-02-18 18:23:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

179

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dckhuygcrkx5kdtaat7veop3mvluzzmiubf7sdmqyw2nuvpgiuca._file

Verdict:

malicious

RedLineStealer

1c0eb090ad769cdd943476e9300d57e553ad24f099408334b8c0370ee9bb7648

RedLineStealer

200b64a2d1d30811d3feae4a361bd652104ecc7ac98c7c4804f0bbf2bb47028e

RedLineStealer

20d5c6c663892a91c9e97e45d22ee867f9a024528ea695fcefa40cd85ca361be

RedLineStealer

4a78da86088eed90bd838d99d1afd5ceaca6c9c521be450639670f6d06a7fe77

RedLineStealer

8bc03680f98a99ea21d78a4a132be678f848a7209efa0656123745fba54fae03

RedLineStealer

9dd91a17703dba0d4582e24431c17eac4fdca602ea8d14f4f43afcc2657b3bbc

RedLineStealer

9fbdcf044aba61ae6c0678b5f83fc4bd8b589ba3a4fd12a5bef53e2ead494eed

RedLineStealer

ca245f4ac7fe2c59753a22dcb7c2db857ec7560e1f8af769bab27c54a01133f1

RedLineStealer

d4f72d2182411da7606c634ee11876aafb6230f620c36921288c5de1f8d2f795

RedLineStealer

+ 1'908 additional samples on MalwareBazaar

Unpacked files

SH256 hash:

b4fdaf32e585c0fa44dddd1a4b5dec468498f492d9b27b129668dedefe22f9aa

MD5 hash:

298d4c1c9575a5bc1042bad774c2a5dd

SHA1 hash:

71d169c85e092d0b1f9b2565d77e708b1ffc5486

Link:

https://www.unpac.me/results/9b11bb7c-df9e-4bf0-ac89-1fc050eb1909/

SH256 hash:

bdde4a10bffd6da032723f74ed015b75d104a1eacef5876620e3fd78ebc59ffb

MD5 hash:

7775fb486ead2bbca9f35591f616defa

SHA1 hash:

4e0b582f912310d9cf9da66dfd669bdc71a181f6

Link:

https://www.unpac.me/results/9b11bb7c-df9e-4bf0-ac89-1fc050eb1909/

SH256 hash:

8d2bb7a2e7ecfc9851a3794332e86f16dacedb865426a9dfe1a2eb8d629afca9

MD5 hash:

7d111b693996ed29a75f1f8126d80e61

SHA1 hash:

43ec972004723eb31e7e3edacfda556e46dfd6e5

Link:

https://www.unpac.me/results/9b11bb7c-df9e-4bf0-ac89-1fc050eb1909/

SH256 hash:

18947a60c28aafd50e6004ff5239fb65574ce588a04bf90d90c5b4da55e64504

MD5 hash:

fc6ebc8c3c04929f2246e1d186f87609

SHA1 hash:

6703435c08fdec17eea2ee52c0e76e4bdb896f60

Link:

https://www.unpac.me/results/9b11bb7c-df9e-4bf0-ac89-1fc050eb1909/

Malware family:

RedLine

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/18947a60c28a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18947a60c28aafd50e6004ff5239fb65574ce588a04bf90d90c5b4da55e64504

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)