MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c18ad8f2c22bf2ef02b3e56e2678d79c6cd7739d92d7abdc81bd7f19c9ce393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c18ad8f2c22bf2ef02b3e56e2678d79c6cd7739d92d7abdc81bd7f19c9ce393
SHA3-384 hash: f1b5aeebbe4cdb2474ca782a5a2ca3b81840e905796f33e658c2b88379e84af61aac8d9130ac011361471f206c1826b3
SHA1 hash: 70d421f217eabe72a45adf1af9e5c7087302bb9e
MD5 hash: 1bda1c74826d6c13ac1f4ba9c09e9495
humanhash: sixteen-seven-lamp-maryland
File name:1bda1c74826d6c13ac1f4ba9c09e9495.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:369'664 bytes
First seen:2023-10-17 09:52:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c347d587a6b42414b9cc837958b02c5 (20 x RedLineStealer, 3 x Amadey, 2 x Formbook)
ssdeep 6144:D4K3l99cV4EiGAtb26blStS49njhQhPDEuWDkhpL/BF+2vw0xnd:sK199En1tS49jhQhYkL5F+2o0xnd
Threatray 104 similar samples on MalwareBazaar
TLSH T190744AFFB0876493EB421776372ABD1C8871CBEEC55DED537E4883D14DB69818068A82
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-17 08:58:45 UTC
Tags:
stealer redline loader smoke
Link:
https://app.any.run/tasks/33c1059e-3905-4c76-a463-083d034fd44d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455246/
Detection(s):
Win.Trojan.Pwsx-10011340-0
Create hunting rule

Win.Trojan.Trojanx-10011459-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/652e59838d16e62970c8cea0/reports/a7413c06-b38c-49e8-91f3-bfcc6129f5db/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/6c18ad8f2c22bf2ef02b3e56e2678d79c6cd7739d92d7abdc81bd7f19c9ce393
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c45993b-9c39-446d-9487-87a4966e3471
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1327138
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6c18ad8f2c22bf2ef02b3e56e2678d79c6cd7739d92d7abdc81bd7f19c9ce393
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c18ad8f2c22bf2ef02b3e56e2678d79c6cd7739d92d7abdc81bd7f19c9ce393/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-10-17 07:59:04 UTC
File Type:
PE (Exe)
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqmk3dzmek7s54blhzloez4nphdm25zz3ewxvpoidpl7dhe44ojq._file
Verdict:
malicious
Similar samples:
0f8721767a309b62a166170c8d734d8532b3f18d4948f35629f988a53b871f60
RedLineStealer
1e39a11203193be6c4ca338e7eb39030b173ae0ff1dbb86eb713f9341491b8f2
RedLineStealer
4c49995d1c5c64500be537e329377c55393eb5a558bb58113300d76923f7f0b1
RedLineStealer
b46c4bed3c12284f3e859adce2327b2b604ef458a5f2552d8ce6babf6aaf23cf
RedLineStealer
c493780ea2425e01bbcec109e8da6b53421bae924e2674bf2118ed3c262edfed
RedLineStealer
d0db4bf4979a4573a9933fec9f93616520592172dce856c8f648c2fa94c10f35
RedLineStealer
e6c5d204e8eb958a201fe74e33562c38eab437c31ddfe043662f6e550a3dc3ad
RedLineStealer
e794a44733960e4e2187646a9032f34b170c5e082a61e34c2df72f4036cbd1ba
RedLineStealer
eaca4ed4963317e8d9086c7ef86b90d185a8e14830e7863db9c989d86a5552cf
RedLineStealer
ef5c75eb4f74e74aa7b959cb11c008e530946a792897584dc5b2a82c2dcab1d9
RedLineStealer
+ 94 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:breha infostealer
Link:
https://tria.ge/reports/231017-lwmchsba3w/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
MD5 hash:
8905918bd7e4f4aeda3a804d81f9ee40
SHA1 hash:
3c488a81539116085a1c22df26085f798f7202c8
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/68ab6516-c429-4f36-acac-2cbbaa780cc3/
Parent samples :
eb37b948c22a10c325ee2b09a22ecaf10fe29a120eb0daff6db894a3b8ee2cc4
6c18ad8f2c22bf2ef02b3e56e2678d79c6cd7739d92d7abdc81bd7f19c9ce393
1ef24be692d22d09c4e52b2c806d475454879f40adc851d1e919f7be8a3ccb72
7828c63b2a9ab476823166f76ac7df8f81726f813b9132adbc5f694045c5a17d
SH256 hash:
6c18ad8f2c22bf2ef02b3e56e2678d79c6cd7739d92d7abdc81bd7f19c9ce393
MD5 hash:
1bda1c74826d6c13ac1f4ba9c09e9495
SHA1 hash:
70d421f217eabe72a45adf1af9e5c7087302bb9e
Link:
https://www.unpac.me/results/68ab6516-c429-4f36-acac-2cbbaa780cc3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c18ad8f2c22/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c18ad8f2c22bf2ef02b3e56e2678d79c6cd7739d92d7abdc81bd7f19c9ce393

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/455246/

Comments