MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94afd586c6fff83b63457. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9



SHA256 hash: d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94afd586c6fff83b63457
SHA3-384 hash: 4f303cb94ed9fcb1e9215bb1cf1fed8b2084d13483659839298dd7fa29a6676e084dcdec515bbbaaebfeebe8c0628ce0
SHA1 hash: e8f972ad175df15313f5746af657bc6b4d2f7f8f
MD5 hash: 77a7d81463b497540b9b10658d25c19a
humanhash: double-harry-mango-west
File name: d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94.exe
Signature: RedLineStealer
File size: 4'879'360 bytes
First seen: 2022-02-16 22:51:19 UTC
Last seen: 2022-03-16 20:11:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fddc083fa31a17c938d0a17ec7cd3025 (141 x RedLineStealer, 4 x RaccoonStealer, 1 x Formbook)
ssdeep: 98304:540g8FnLYlEoKajqtfSrOdIi3VlCa5X3OEcmF:54iFn+EocSydLPT3OEck
TLSH: T1263633B59300BC12F406653444EF0CE93C9FE21D439D52D246AEC64BEAECB97D75A8E8
Reporter: abuse_ch
Tags: exe, RedLineStealer


abuse_ch
RedLineStealer C2:
46.8.153.20:25828

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
46.8.153.20:25828    https://threatfox.abuse.ch/ioc/388274/

Intelligence


File Origin
# of uploads: 3
# of downloads: 258
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay, packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitCoin Miner RedLine
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID: 573723
Sample: d18fcd892cfdce30de3d7ff4f59...
Startdate: 16/02/2022
Architecture: WINDOWS
Score: 100

Top-level signatures:
  - Multi AV Scanner detection for domain / URL
  - Found malware configuration
  - Malicious sample detected (through community Yara rule)
  - 8 other signatures

Process tree (as reconstructed from the behavior graph):
  d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94.exe (started)
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    AppLaunch.exe (started)
      network: 46.8.153.20, 25828, 49764 DATACHEAP-LLC-ASRU Russian Federation
      network: cdn.discordapp.com 162.159.129.233, 443, 49797 CLOUDFLARENETUS United States
      dropped: C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      MicrosoftApi.exe (started)
        dropped: C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+
        dropped: C:\Users\user\...\MicrosoftApi.exe.log, ASCII
        signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file
        MicrosoftApi.exe (started)
          dropped: C:\Users\user\AppData\...\tmpD23D.tmp.cmd, DOS
          signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file
          cmd.exe (started)
            network: 192.168.2.1 unknown unknown
            signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
            powershell.exe (started)
            conhost.exe (started)
            timeout.exe (started)
          cmd.exe (started)
            conhost.exe (started)
            timeout.exe (started)
            schtasks.exe (started)
    conhost.exe (started)
  MicrosoftApi.exe (started)
Threat name: Win32.Packed.Generic
Status: Suspicious
First seen: 2022-02-16 22:52:19 UTC
File Type: PE (Exe)
AV detection: 19 of 28 (67.86%)
Threat level: 1/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: f9d91cb0c444eb95c42e91bd991b17deac14dea3e098d8d466ef09fd1e6c9405
MD5 hash: 449fcc997f66590efa51cb53f96bea6f
SHA1 hash: d0b072d5278e285aff74d743df57444a06d5d9f1

SHA256 hash: 55a510817e9642c78bedce3178fd078e4a0ce9765c7007d2bf964fe8f1084dcf
MD5 hash: dc7c87e4ef413afcb798737b3f7f4625
SHA1 hash: 9cf1a4315d1387b42063f262dcb1d02ab3dfe7e5

SHA256 hash: d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94afd586c6fff83b63457
MD5 hash: 77a7d81463b497540b9b10658d25c19a
SHA1 hash: e8f972ad175df15313f5746af657bc6b4d2f7f8f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
