MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f18ddf6b5463037a5ea928e0aba4b0783621211b0afa17f4a0a8ed6c1e8014e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10


SHA256 hash: f18ddf6b5463037a5ea928e0aba4b0783621211b0afa17f4a0a8ed6c1e8014e3
SHA3-384 hash: a80357dbe205b98b7bbd393cdbf432e7c55103e6e4b2c3ade259c01d8c47f19849e3698d15eaf70f0488b6b5a4d9d3f2
SHA1 hash: 3fc9deec2f504c216504d2092de8bdd8724723af
MD5 hash: 16366a76d3794eb82399340fe756cbe9
humanhash: massachusetts-wisconsin-emma-timing
File name: f18ddf6b5463037a5ea928e0aba4b0783621211b0afa1.exe
Signature: RedLineStealer
File size: 311'808 bytes
First seen: 2021-09-25 09:49:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98349bc8fa025f57a9d49df3092c15be (10 x RedLineStealer, 2 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep: 6144:qygAnf5q6xr9rXG0mVbMTATlZgkljBwjtw:vgoRdr9ze2Af7jBai
Threatray: 5'971 similar samples on MalwareBazaar
TLSH: T18964F1003A60CB31C69311719B25D7E15EBA78A25DB1938727E776AEEF303D0376631A
dhash icon: 327a7c7d727e6e76 (7 x RaccoonStealer, 4 x RedLineStealer, 1 x DanaBot)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.244.180.224:39957

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                        ThreatFox Reference
185.244.180.224:39957      https://threatfox.abuse.ch/ioc/226450/

Intelligence


File Origin
# of uploads: 1
# of downloads: 161
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: http://52.34.126.150/?614b6ea22b463=565390085009650d61ef472d69ae93f795b49308Array&m=252&q=Windows%205.3.1.1880%20Crack%202021%20%20%20Registration%20Code%20[Latest]&dedica=18&
Verdict: Malicious activity
Analysis date: 2021-09-22 18:01:49 UTC
Tags: trojan rat redline evasion loader stealer vidar opendir raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature:
- Detected unpacking (overwrites its own PE header)
- Found malware configuration
- Multi AV Scanner detection for submitted file
- Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
- Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to steal Crypto Currency Wallets
- Yara detected RedLine Stealer
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-21 20:53:55 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:10k ruzki discovery infostealer spyware stealer
Behaviour:
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
- Reads user/profile data of web browsers
- RedLine
- RedLine Payload
Malware Config
C2 Extraction: 185.244.180.224:39957
Unpacked files
SHA256 hash: e95ed270027baf73bb63f0cf2d53ffb8182525a02d7016e56dabc051dc54294b
MD5 hash: 21421b0615f842fc2516551ce10e3b66
SHA1 hash: d46d636c3b4533b3b26040a191130444787cb341

SHA256 hash: 12b55e2f0d6734bfb09e5e667b9288fbff0de33ce8e392b4f53b242f8f702983
MD5 hash: 7d7293905f2394cecf55a694ee518e11
SHA1 hash: 3b12c53bee8ce53bc1d56cd478632a1c641df76c

SHA256 hash: eb9f9706103f6cb326b7d034e0e60a5c6bfa5cc9d96c5551b27a6a80b907a49e
MD5 hash: 2902fa85e07eaf0fc10682f2b8802678
SHA1 hash: 19ad225b4511d453bdeed691fec5b484fe5c1f51

SHA256 hash: f18ddf6b5463037a5ea928e0aba4b0783621211b0afa17f4a0a8ed6c1e8014e3
MD5 hash: 16366a76d3794eb82399340fe756cbe9
SHA1 hash: 3fc9deec2f504c216504d2092de8bdd8724723af
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments