MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18b60277d5c25a4108e6b8f12ede1a8f0b4d7caee81455314411027e0e10b389. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18b60277d5c25a4108e6b8f12ede1a8f0b4d7caee81455314411027e0e10b389
SHA3-384 hash: 401eef7ed82967eb9cfebbb9a4a407b7847cd139026da8e2a6a5e5735836adbf5ad7debca7b4b6ce5deaa46050d6f9b0
SHA1 hash: d33f5df9f256a306f002d11ae5cee01f63d0b770
MD5 hash: d1b3e3f9c9687fa1c8c454a156a004dd
humanhash: sweet-seven-aspen-august
File name:d1b3e3f9c9687fa1c8c454a156a004dd
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:328'704 bytes
First seen:2023-06-05 17:06:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5177a27e8edbe11fd6510fd6224a4fa1 (1 x RedLineStealer)
ssdeep 6144:CxVftECF2U3G6U6x+bNp5vKAiGGYNIw4k6j5:CHft9F2U3G6ebr5CAiQx47
Threatray 44 similar samples on MalwareBazaar
TLSH T1CD64E012B6B2C432E5E74174093DC7D47A7F78B26AB18CCB3354277E1E706918A6A723
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0020c09030341000 (1 x RedLineStealer, 1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d1b3e3f9c9687fa1c8c454a156a004dd
Verdict:
Malicious activity
Analysis date:
2023-06-05 17:09:26 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/cdc19336-0847-42b2-b743-b75a3f176daa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/395881/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/647e164f0182d50bc39500b9/reports/f5ac5f19-bab7-4f62-a2fb-63d48cb763b8/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/18b60277d5c25a4108e6b8f12ede1a8f0b4d7caee81455314411027e0e10b389
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9213dc86-dd3c-4fe8-919b-36975b66fc4c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1248984
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18b60277d5c25a4108e6b8f12ede1a8f0b4d7caee81455314411027e0e10b389/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-05 17:07:04 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dc3ae56vyjnecchgxdys5xq2r4fu27fo5akfkmkecebh4dqqwoeq._file
Verdict:
malicious
Similar samples:
3c11dac0621f47c72e6a68d8530a2be70fa11a2cffc05d04344d49f2b837f3bc
RedLineStealer
474c58059750d9dc1146c1f4921437c8aac92b5a8544ca82c017b8ef5e62946a
RedLineStealer
5657fc736fa541e5ce3a07785e09100fd93b178e57f4cac7b961e57a1b4c72dc
RedLineStealer
665159ba5b8aab3fe2196934780c26ee1e191b262cecc200531821590e68c2ac
RedLineStealer
72038bf643a6ee49d3eaeade91a2a87c88e86084f5593dd9929e49e3fd9d8732
RedLineStealer
7ad4f4717e68ad2d2325c6c039c2b0875890ad9d0baba986d868535680591923
RedLineStealer
8a47d16dd380f046459e2fd1ebc636a1bba301d521587cc147b4240de545b20e
RedLineStealer
ace69ec865ded98976cddfe028ed70b5fa60a0fd5c01f1996ed160ecd3d5c859
RedLineStealer
e29264d11a7be505c2d3a54b49287a98445d6084492d51a343646aa2004b02a3
RedLineStealer
ed79b6198efd98d91026646c56cb7c9eaac381e310a05e63d4c8926393815ac7
RedLineStealer
+ 34 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230605-vmy5dsad4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
147.135.231.58:23368
Unpacked files
SH256 hash:
512d83827fb4cc01f99968876ec69ee13964731db25c148cfba84653b58a049e
MD5 hash:
f8f3508be1eb3d8db5ffb5155fdbd9f7
SHA1 hash:
b701892c40c4ab14e459a224e005ed44a050fbc0
Link:
https://www.unpac.me/results/c81ace73-1cfb-40c6-ad10-4494d60efc43/
SH256 hash:
a0aaf7f85180158380c403cc17563cad13adf88a00ccf23ca40dd80d944993ca
MD5 hash:
835fdf0fece95b7f40d742850ba16709
SHA1 hash:
b3a24db872e5165eaa2cfe6074a72082d36c1a70
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/c81ace73-1cfb-40c6-ad10-4494d60efc43/
Parent samples :
00d923f969b5ac9c626e872c1d1434dba82747fdc59839e8fb90b8bf2e3bccdc
e131bcf15fec5a3a3ccf6b61bcd59c69d3cdced405a0a23f4604fa924539c1ef
474c58059750d9dc1146c1f4921437c8aac92b5a8544ca82c017b8ef5e62946a
18b60277d5c25a4108e6b8f12ede1a8f0b4d7caee81455314411027e0e10b389
b4811cfea7143cd12cb326703c2fca08d4c19a69fb47fa82b62528a2886784fe
152e5b0db37e3db74698841e417e95f57cfb235c213b4dd6165e3ff0734e1700
SH256 hash:
5e956acf35f1cd5cc6dc96a63d185fbdd230914872da9661f39dfca086401013
MD5 hash:
64843e263e30ebc34c8d7cfa3fc111d7
SHA1 hash:
60b4072c20f52da95e8633d98d44d6a20f13fd92
Link:
https://www.unpac.me/results/c81ace73-1cfb-40c6-ad10-4494d60efc43/
SH256 hash:
9a5b441ad4f651c1638ebc96542cd138aa08c9dc2682033f4a6324a59b905bf3
MD5 hash:
b31b14dd1ebed623aa14affd7323db58
SHA1 hash:
3914805f9aa9a7292a4ee9b410f683a01392be09
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/c81ace73-1cfb-40c6-ad10-4494d60efc43/
Parent samples :
00d923f969b5ac9c626e872c1d1434dba82747fdc59839e8fb90b8bf2e3bccdc
e131bcf15fec5a3a3ccf6b61bcd59c69d3cdced405a0a23f4604fa924539c1ef
474c58059750d9dc1146c1f4921437c8aac92b5a8544ca82c017b8ef5e62946a
18b60277d5c25a4108e6b8f12ede1a8f0b4d7caee81455314411027e0e10b389
b4811cfea7143cd12cb326703c2fca08d4c19a69fb47fa82b62528a2886784fe
152e5b0db37e3db74698841e417e95f57cfb235c213b4dd6165e3ff0734e1700
SH256 hash:
18b60277d5c25a4108e6b8f12ede1a8f0b4d7caee81455314411027e0e10b389
MD5 hash:
d1b3e3f9c9687fa1c8c454a156a004dd
SHA1 hash:
d33f5df9f256a306f002d11ae5cee01f63d0b770
Link:
https://www.unpac.me/results/c81ace73-1cfb-40c6-ad10-4494d60efc43/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/18b60277d5c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18b60277d5c25a4108e6b8f12ede1a8f0b4d7caee81455314411027e0e10b389

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 18b60277d5c25a4108e6b8f12ede1a8f0b4d7caee81455314411027e0e10b389

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2653042/
Cape
Cape
https://www.capesandbox.com/analysis/395881/

Comments


Avatar
zbet commented on 2023-06-05 17:06:08 UTC

url : hxxp://194.169.175.124:3002/