MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e66b7b0a955073e30de2f323854bf3fe83798ba1cbeaf552a15b919ca5374d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18e66b7b0a955073e30de2f323854bf3fe83798ba1cbeaf552a15b919ca5374d
SHA3-384 hash: 6e676e76e8a03c5c311aa49effadfe3c61c172ba579db3a21aa9342fbfbe50b08c56d1aab11b8ca9abb9bacdee4330fb
SHA1 hash: 3e7c359b68addb53bd7d8ce63be1f32732c8d39d
MD5 hash: 6cc26551fed4831f520dd19d387ac05b
humanhash: gee-triple-wyoming-lion
File name:6cc26551fed4831f520dd19d387ac05b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:303'616 bytes
First seen:2021-11-24 01:40:19 UTC
Last seen:2021-11-24 04:35:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4266e36aeae4bf1789c82b3b7f7f3122 (2 x RedLineStealer)
ssdeep 6144:xRL6G9fz31znezOOUdwDbeDCHqxrlYafMQRAv93yHaTzzyt:xd6G9fb1syse+HqY8RA1C6/z
Threatray 2'645 similar samples on MalwareBazaar
TLSH T1C654F1D1B6B19032D0D226352431CBA05E3E7D32697040CBE7987B2E6E7D7D14BAA74B
File icon (PE):PE icon
dhash icon fcfcf4d4d4d4d8c0 (41 x RedLineStealer, 30 x RaccoonStealer, 9 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
159.69.123.221:25706 https://threatfox.abuse.ch/ioc/253752/

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6cc26551fed4831f520dd19d387ac05b
Verdict:
Malicious activity
Analysis date:
2021-11-24 01:41:47 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/22dab093-d208-457b-b720-b80e498e0fbc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.6639.8157.26.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/619d9830b71ceed4152dcaa6/reports/aec143d3-ae40-4369-99a0-d7c4548da5da/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50d24335-bc54-42a5-904b-f967268a3cf8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895124
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18e66b7b0a955073e30de2f323854bf3fe83798ba1cbeaf552a15b919ca5374d/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 18:24:30 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddtgw6yksvihhyyn4lzshbkl6p7ig6mluhf6v5ksufnzdhffg5gq._file
Verdict:
malicious
Similar samples:
136b09653c55e04d3c4162c116bebb52dc337d62cdd69e2f0977fbc17e69dfd0
RedLineStealer
a47d05aa2716526495ade91c8295683fb0a34ffc9a848d65f06e38b680840016
RedLineStealer
b2b9f079053580b7c336bdd15d2e82129945467efef5c5df084811c5b6bea228
RedLineStealer
d0be08a619428c154db10f8d8f434a0825d0057bb75928c63b8f99fe81596304
RedLineStealer
ed786315c90cafc4e4b6fe237cebec8a8bd038b6203da8477d19ec8bbb9a09e4
RedLineStealer
+ 2'635 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:22.11 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211124-b34v2aehd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
159.69.123.221:25706
Unpacked files
SH256 hash:
5a5e7adaaff82d7cfbd65d10f307112fcd958a456531b48a53097f5fe8df6e57
MD5 hash:
567c27a5a88f4bdd572414d5b8802e82
SHA1 hash:
8a4ee0c964726c92892baa16d699edf284246bc4
Link:
https://www.unpac.me/results/4763f1b9-e8b6-4170-b325-1ebdb0cb26b0/
SH256 hash:
b45e7b4f4f0c9f5be3423bed0986918b63a1b2a1a4fb38c82079f87e794e7ab9
MD5 hash:
b8b66c0b74e98f8ef319f01fbf06bced
SHA1 hash:
41b9d235893dc71a983fd956eb726b7eb5d32609
Link:
https://www.unpac.me/results/4763f1b9-e8b6-4170-b325-1ebdb0cb26b0/
SH256 hash:
83c2f532667eb69b09468a7e7ea12ef727d68f4780f128a221688af52bb55018
MD5 hash:
2b3233562ecac0ef44c58c9a4202438b
SHA1 hash:
34a22195637b756a73eda603f0e25dbded67d073
Link:
https://www.unpac.me/results/4763f1b9-e8b6-4170-b325-1ebdb0cb26b0/
SH256 hash:
18e66b7b0a955073e30de2f323854bf3fe83798ba1cbeaf552a15b919ca5374d
MD5 hash:
6cc26551fed4831f520dd19d387ac05b
SHA1 hash:
3e7c359b68addb53bd7d8ce63be1f32732c8d39d
Link:
https://www.unpac.me/results/4763f1b9-e8b6-4170-b325-1ebdb0cb26b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18e66b7b0a955073e30de2f323854bf3fe83798ba1cbeaf552a15b919ca5374d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 18e66b7b0a955073e30de2f323854bf3fe83798ba1cbeaf552a15b919ca5374d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1811081/
Cape
Cape
https://www.capesandbox.com/analysis/208851/

Comments


Avatar
zbet commented on 2021-11-24 01:40:20 UTC

url : hxxp://193.142.59.14/myblog/posts/291.exe