MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20ed18cbc1527dec58a455f647eb689f80873fb28c668758f65eb22c91880898. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20ed18cbc1527dec58a455f647eb689f80873fb28c668758f65eb22c91880898
SHA3-384 hash: b300a7053d35ab2598b7b71613c2e167b6a3aa0eaa692f313d85020a2c717822afceeddfe9bf1c04efba39ca9387b4dd
SHA1 hash: 3c93b67cc212e4e2ed071d8c1e9fd1deab53e638
MD5 hash: c5364af7c7b88a9663ce1332f973dfc5
humanhash: burger-alpha-salami-salami
File name:c5364af7c7b88a9663ce1332f973dfc5
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'094'920 bytes
First seen:2022-03-08 17:41:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 98304:ZD3J2IiExVdL81peSqcC3IRBHZPAwFHKDSjajrSL:x3IIi4VUeAC3IRB5P5FQjrE
Threatray 1'582 similar samples on MalwareBazaar
TLSH T1491633D4D26DEF10D35309F8E959E6793E1806BAB1B503870C5AC4AECF79EB8852490E
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248419/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Packed.Asprotect-9940081-0
Create hunting rule

Win.Packed.Asprotect-9940109-0
Create hunting rule

Win.Packed.Fragtor-9940182-0
Create hunting rule

Win.Packed.Crypterx-9940465-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62279ae0b94fb38cb43fc0b6/reports/d1bd27cd-269e-486a-8ee1-4b6ffd46bd37/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f22e2116-48d8-496a-88f9-4e557dab26c0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952835
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20ed18cbc1527dec58a455f647eb689f80873fb28c668758f65eb22c91880898/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 18:23:22 UTC
File Type:
PE (Exe)
AV detection:
24 of 27 (88.89%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=edwrrs6bkj66ywfekx3ep23it6aiop5srrtiowhwl2zczemibcma._file
Verdict:
malicious
Similar samples:
06de7a6020311d1148c053a1b4d620a556e4ec46c670b44f1f280b4fbd68dfd2
RedLineStealer
1237f60be32fedd4729cc33b077a902382c15c495327cfa55650ca66642506d1
RedLineStealer
3d812b2e320667c27f17889ab1ce9710ee126c1e0866a698c0aea3b3c1567a4a
RedLineStealer
773be0566a9429af2d1daf0d63ad488047a79747cfb910b115af939bfd1bd533
RedLineStealer
7a0ace49d3bdeb09fd1b43f8676d83862f15119039eaddf428e560eeea0eaa5c
RedLineStealer
92658a69d2939c08c0b2e75389b34b787da9c32c38742827f8bd85ccb549efc9
RedLineStealer
a6c03e7b69ffe6152468171e8669db1915efc0f225449dd2278f0c7e40e15ee2
RedLineStealer
b0d747fcff4576bf28d31bc2e7d681c5c08310ef212c96e63b7e60db6d015ec7
RedLineStealer
bef679a7a5813bf427d09590de7d2f483f8607c44172738aaee3760262eb29a8
RedLineStealer
+ 1'572 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220308-v93fbscgem/
Behaviour
Program crash
Unpacked files
SH256 hash:
cfc481a1561dc9e56c2980037a74ca7154cabd0e745ba9ccf9509fe0ea28cd73
MD5 hash:
276ff60808a5b6cf81bec99a1efc2877
SHA1 hash:
ef1697e3a3aeaeb95fe45e64a54b9f5af5f4e521
Link:
https://www.unpac.me/results/be6e3939-2c2d-479e-a50d-200a077e9221/
SH256 hash:
63102f7ffac01dd6f4897b456a83b76b19d825edc34955d2aaa39f16c5ece0a8
MD5 hash:
9891c88fb37f7d25eae4a1e930e8dff3
SHA1 hash:
6298eb906369a7c254fe7abe6f29695eaadc750c
Link:
https://www.unpac.me/results/be6e3939-2c2d-479e-a50d-200a077e9221/
SH256 hash:
20ed18cbc1527dec58a455f647eb689f80873fb28c668758f65eb22c91880898
MD5 hash:
c5364af7c7b88a9663ce1332f973dfc5
SHA1 hash:
3c93b67cc212e4e2ed071d8c1e9fd1deab53e638
Link:
https://www.unpac.me/results/be6e3939-2c2d-479e-a50d-200a077e9221/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20ed18cbc1527dec58a455f647eb689f80873fb28c668758f65eb22c91880898

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 20ed18cbc1527dec58a455f647eb689f80873fb28c668758f65eb22c91880898

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2084487/
Cape
Cape
https://www.capesandbox.com/analysis/248419/

Comments


Avatar
zbet commented on 2022-03-08 17:41:42 UTC

url : hxxp://file-coin-coin-10.com/files/912_1645709079_3912.exe