MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18a235eee0cc55c8494052b286e562e7abed67bd6ff0c06b7ffaf605bae647e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18



SHA256 hash: 18a235eee0cc55c8494052b286e562e7abed67bd6ff0c06b7ffaf605bae647e9
SHA3-384 hash: dd49c159f43446821268f0b5093f008e14194ffc79a5257529f67400c4286be226a4ea1a908056fcd2cffb74ebe78f2c
SHA1 hash: f8f2a87053f4fd1d0554c63efeebe0caa88df4d1
MD5 hash: bf4e5ac0527759c56339a568e5a8c58f
humanhash: spaghetti-avocado-oscar-mars
File name: qu394494.exe
Signature: RedLineStealer
File size: 437'760 bytes
First seen: 2023-05-13 22:55:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8effd33c0c7d3209e4d0dde05803b13b (7 x Smoke Loader, 6 x Amadey, 4 x Vidar)
ssdeep: 12288:u1Ki5cV9VLattHU96ljO1h8+zeUXBcCF+ZbJxuLkPuk:u/5cV9B8xUYNO1h8GBcCFWJqkPu
Threatray: 276 similar samples on MalwareBazaar
TLSH: T1F4940112F5F0E863C433957818B1D5B19A3EBC91965585DF32987BBF3E302824B6B31A
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 000088a88c447090 (1 x RedLineStealer)
Reporter: JaffaCakes118
Tags: RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 85
Origin country: GB

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: qu394494.exe_
Verdict: Malicious activity
Analysis date: 2023-05-10 01:37:51 UTC
Tags: redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 9/10
Tags: n/a

Behaviour
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS

Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2023-04-09 06:48:33 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 32 of 37 (86.49%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:norm infostealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine Malware Config
C2 Extraction: 77.91.124.145:4125
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.
