MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18955e0d050b9ce796bd444e130c12b4428b304b0d4eb16b54f77657d8ec0379. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 4

SHA256 hash: 18955e0d050b9ce796bd444e130c12b4428b304b0d4eb16b54f77657d8ec0379
SHA3-384 hash: 3be3d309bede0f0b6076e0b96dca5152bc70877ba40d2a8ce63eea58cb6ef2e804911b86fac2119d26699aff36f498ce
SHA1 hash: aa7b234fa3cedcb1b899c89c7c4925da77f97492
MD5 hash: 9521ec6ed6d66fc5142696205002291e
humanhash: papa-neptune-comet-social
File name: desktops.exe
Signature: RedLineStealer
File size: 1'472'752 bytes
First seen: 2021-07-13 18:40:04 UTC
Last seen: 2021-07-13 19:51:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:KNQ//5PPhGNV4AiaaOJJj8cYQGd08pM3yYIO88hfMRcvbuhZUTdoDQXUUUUUJUUt:KNm/5XhG34AiROPwQG68pMp8SfcgbQs4
Threatray: 6 similar samples on MalwareBazaar
TLSH: T1256523265F0CDC57C0961E700AB01B8552F8AFAA1C1D82EF61617D6DEE307E5AC90E6F
Reporter: James_inthe_box
Tags: exe RedLineStealer signed

Code Signing Certificate

Organisation: Mozilla Corporation
Issuer: DigiCert SHA2 Assured ID Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2020-05-07T00:00:00Z
Valid to: 2021-05-12T12:00:00Z
Serial number: 0ddeb53f957337fbeaf98c4a615b149d
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 1dd436f9e9a33ccbf19a785fbdccf512f36c753bbb9cf3787b4200162a6bdfe4
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 116
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: suspicious
Classification: evad
Score: 34 / 100
Signature:
Contains functionality to detect sleep reduction / modifications
Drops executable to a common third party application directory
Drops PE files to the user root directory
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Behaviour
Behavior Graph (ID 448249; sample desktops.exe; start date 13/07/2021; architecture WINDOWS; score 34), laid out as the process tree the graph encodes:
Start
  DNS/IP: www.thunderbird.net; support.mozilla.org; 8 other IPs or domains
  Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Sigma detected: Execution from Suspicious Folder
  Started: desktops.exe; svchost.exe; svchost.exe; 4 other processes
desktops.exe
  DNS/IP: lohmein.org 104.194.222.17, 443, 49720, 49721 DEDIPATH-LLCUS United States
  Dropped: C:\Users\Public\curl.exe.tmp (PE32); C:\Users\Public\birds.exe.tmp (PE32); C:\Users\Public\Support\support.exe.tmp (PE32); 43 other files (1 malicious)
  Signatures: Drops PE files to the user root directory
  Started: birds.exe; support.exe
svchost.exe
  DNS/IP: 192.168.2.1 unknown unknown
svchost.exe
  DNS/IP: 127.0.0.1 unknown unknown
birds.exe
  Dropped: C:\Users\user\AppData\Local\...\setup.exe (PE32); C:\Users\user\AppData\...\thunderbird.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\xul.dll (PE32+); 58 other files (none is malicious)
  Signatures: Drops executable to a common third party application directory
  Started: setup.exe
support.exe
  DNS/IP: 103.159.132.236 TWIDC-AS-APTWIDCLimitedHK unknown
  Signatures: Contains functionality to detect sleep reduction / modifications
setup.exe
  Dropped: C:\Program Files\...\xul.dll (PE32+); C:\Program Files\...\updater.exe (PE32+); C:\Program Files\...\helper.exe (PE32); 71 other files (34 malicious)
  Signatures: Drops executable to a common third party application directory
  Started: maintenanceservice_installer.exe; regsvr32.exe; regsvr32.exe; 3 other processes
maintenanceservice_installer.exe
  Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32); C:\...\maintenanceservice.exe (PE32+); C:\Program Files (x86)\...\Uninstall.exe (PE32)
  Started: maintenanceservice.exe
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2021-07-13 18:39:49 UTC
File Type: PE (.Net Exe)
Extracted files: 32
AV detection: 11 of 29 (37.93%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody
Rule name: INDICATOR_KB_CERT_0ddeb53f957337fbeaf98c4a615b149d
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments