MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07999a5e3c1019be2d430d0b2fef1c7e2b1b38a96c3bfd9886506bc4f1bf2df7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07999a5e3c1019be2d430d0b2fef1c7e2b1b38a96c3bfd9886506bc4f1bf2df7
SHA3-384 hash: bbf9b50e8bd912222f58926305aa679fd0f9c3abb1579edc324c390356290ccffbd86b778ef05c4d3041c8a580882dc0
SHA1 hash: 8bf05837afea96228bf9646b3b507b3f4f77921a
MD5 hash: dbb81ae91156f1198a2d70148142f1aa
humanhash: speaker-skylark-moon-victor
File name:DBB81AE91156F1198A2D70148142F1AA.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'673'156 bytes
First seen:2023-08-13 11:35:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/SvKic6QL3E2vVsjECUAQT45deRV9RZ:sBuZrEUcKIy029s4C1eH93
Threatray 6 similar samples on MalwareBazaar
TLSH T18B75BF3FF268A13EC56A1B3245B38320997BBA51B81A8C1E47FC344DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.142.138.167:19615

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DBB81AE91156F1198A2D70148142F1AA.exe
Verdict:
No threats detected
Analysis date:
2023-08-13 11:37:54 UTC
Tags:
installer
Link:
https://app.any.run/tasks/148a20d9-93c4-4376-b89b-09b74bb72357

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442500/
Detection(s):
SecuriteInfo.com.Generic.Adware.Campaignz.A.1DA17618.6169.10622.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102773/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Gathering data
Verdict:
Malicious
Labled as:
TR/Downloader.Generic
Link:
https://www.hybrid-analysis.com/sample/07999a5e3c1019be2d430d0b2fef1c7e2b1b38a96c3bfd9886506bc4f1bf2df7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d4ee47dc-a5c3-4518-a2ba-2912f183120a
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad.troj
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1290658
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Infects executable files (exe, dll, sys, html)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1290658 Sample: iX7ahNVKav.exe Startdate: 13/08/2023 Architecture: WINDOWS Score: 48 187 www.google.com 2->187 189 djvu2hsbbodb7.cloudfront.net 2->189 191 3 other IPs or domains 2->191 233 Antivirus detection for URL or domain 2->233 235 Antivirus detection for dropped file 2->235 237 Antivirus / Scanner detection for submitted sample 2->237 239 2 other signatures 2->239 13 msiexec.exe 2->13         started        17 iX7ahNVKav.exe 2 2->17         started        19 Windows Updater.exe 2->19         started        22 3 other processes 2->22 signatures3 process4 dnsIp5 159 C:\Windows\System32\vcruntime140_1.dll, PE32+ 13->159 dropped 161 C:\Windows\System32\vcruntime140.dll, PE32+ 13->161 dropped 163 C:\Windows\System32\vcomp140.dll, PE32+ 13->163 dropped 175 62 other malicious files 13->175 dropped 247 Infects executable files (exe, dll, sys, html) 13->247 24 msiexec.exe 13->24         started        29 msiexec.exe 13->29         started        31 msiexec.exe 13->31         started        33 msiexec.exe 13->33         started        165 C:\Users\user\AppData\...\iX7ahNVKav.tmp, PE32 17->165 dropped 35 iX7ahNVKav.tmp 23 31 17->35         started        199 allroadslimit.com 188.114.96.7 CLOUDFLARENETUS European Union 19->199 167 C:\Windows\Temp\...\Windows Updater.exe, PE32 19->167 dropped 37 Windows Updater.exe 19->37         started        201 3.5.25.131 AMAZON-AESUS United States 22->201 203 win-peer-pbm-ecs-lb-495161369.ca-central-1.elb.amazonaws.com 3.97.187.4 AMAZON-02US United States 22->203 205 8 other IPs or domains 22->205 169 C:\Users\user\...\DigitalPulseService.exe, PE32+ 22->169 dropped 171 C:\Users\user\...\DigitalPulseService.exe, PE32+ 22->171 dropped 173 C:\Users\user\...\DigitalPulseService.exe, PE32+ 22->173 dropped 39 tasklist.exe 22->39         started        41 taskkill.exe 22->41         started        43 4 other processes 22->43 file6 signatures7 process8 dnsIp9 213 pstbbk.com 157.230.96.32 DIGITALOCEAN-ASNUS United States 24->213 215 collect.installeranalytics.com 54.160.207.153 AMAZON-AESUS United States 24->215 217 192.168.2.1 unknown unknown 24->217 141 C:\Users\user\AppData\Local\...\shi370B.tmp, PE32 24->141 dropped 143 C:\Users\user\AppData\Local\...\shi3630.tmp, PE32 24->143 dropped 241 Query firmware table information (likely to detect VMs) 24->241 45 taskkill.exe 24->45         started        145 C:\Users\user\AppData\Local\...\shi2B44.tmp, PE32 29->145 dropped 147 C:\Users\user\AppData\Local\...\shi2AB6.tmp, PE32 29->147 dropped 149 C:\Windows\Temp\shi89CF.tmp, PE32 31->149 dropped 151 C:\Windows\Temp\shi8903.tmp, PE32 31->151 dropped 219 sistersshame.xyz 35->219 221 sistersshame.xyz 172.67.134.52 CLOUDFLARENETUS United States 35->221 223 dogquarter.website 188.114.97.7 CLOUDFLARENETUS European Union 35->223 153 C:\Users\user\AppData\...\setup.exe (copy), PE32 35->153 dropped 155 4 other files (3 malicious) 35->155 dropped 243 Performs DNS queries to domains with low reputation 35->243 47 setup.exe 2 35->47         started        225 dl.likeasurfer.com 104.21.32.100 CLOUDFLARENETUS United States 37->225 157 4 other malicious files 37->157 dropped 50 v113.exe 37->50         started        52 conhost.exe 39->52         started        54 conhost.exe 41->54         started        56 conhost.exe 43->56         started        58 conhost.exe 43->58         started        60 conhost.exe 43->60         started        62 conhost.exe 43->62         started        file10 signatures11 process12 file13 64 conhost.exe 45->64         started        177 C:\Users\user\AppData\Local\...\setup.tmp, PE32 47->177 dropped 66 setup.tmp 21 28 47->66         started        179 C:\Windows\Temp\shi8625.tmp, PE32+ 50->179 dropped 181 C:\Windows\Temp\MSI8889.tmp, PE32 50->181 dropped 183 C:\Windows\Temp\MSI878E.tmp, PE32 50->183 dropped 185 2 other malicious files 50->185 dropped 70 msiexec.exe 50->70         started        process14 dnsIp15 193 www.mildstat.com 23.106.59.52 LEASEWEB-UK-LON-11GB United Kingdom 66->193 195 downloads.adblockfast.com 104.26.14.74 CLOUDFLARENETUS United States 66->195 197 6 other IPs or domains 66->197 121 C:\Users\user\AppData\Local\Temp\...\s2.exe, PE32 66->121 dropped 123 C:\Users\user\AppData\Local\Temp\...\s1.exe, PE32 66->123 dropped 125 C:\Users\user\AppData\Local\Temp\...\s0.exe, PE32 66->125 dropped 127 4 other files (3 malicious) 66->127 dropped 72 s0.exe 2 66->72         started        75 s1.exe 66->75         started        79 s2.exe 66->79         started        file16 process17 dnsIp18 129 C:\Users\user\AppData\Local\Temp\...\s0.tmp, PE32 72->129 dropped 81 s0.tmp 31 22 72->81         started        229 collect.installeranalytics.com 75->229 131 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 75->131 dropped 133 C:\Users\user\AppData\...\Windows Updater.exe, PE32 75->133 dropped 135 C:\Users\user\AppData\Local\...\shi2885.tmp, PE32+ 75->135 dropped 139 3 other malicious files 75->139 dropped 245 Multi AV Scanner detection for dropped file 75->245 85 msiexec.exe 75->85         started        137 C:\Users\user\AppData\Local\Temp\...\s2.tmp, PE32 79->137 dropped 87 s2.tmp 79->87         started        file19 signatures20 process21 dnsIp22 105 C:\Users\user\AppData\...\unins000.exe (copy), PE32 81->105 dropped 107 C:\Users\user\AppData\...\is-M0JDM.tmp, PE32+ 81->107 dropped 109 C:\Users\user\AppData\...\is-6AJS3.tmp, PE32+ 81->109 dropped 119 4 other files (3 malicious) 81->119 dropped 231 Uses schtasks.exe or at.exe to add and modify task schedules 81->231 90 DigitalPulseService.exe 81->90         started        93 _setup64.tmp 1 81->93         started        95 schtasks.exe 1 81->95         started        97 schtasks.exe 1 81->97         started        207 api.joinmassive.com 65.9.95.17 AMAZON-02US United States 87->207 209 65.9.95.49 AMAZON-02US United States 87->209 211 aka.ms 23.199.216.144 AKAMAI-ASUS United States 87->211 111 C:\Users\user\...\vc_redist.x64.exe (copy), PE32 87->111 dropped 113 C:\Users\user\AppData\Local\...\is-DMVUC.tmp, PE32 87->113 dropped 115 C:\Users\user\AppData\...\PEInjector.dll, PE32 87->115 dropped 117 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 87->117 dropped file23 signatures24 process25 dnsIp26 227 bapp.digitalpulsedata.com 3.98.219.138 AMAZON-02US United States 90->227 99 conhost.exe 93->99         started        101 conhost.exe 95->101         started        103 conhost.exe 97->103         started        process27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07999a5e3c1019be2d430d0b2fef1c7e2b1b38a96c3bfd9886506bc4f1bf2df7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-11 12:16:00 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
14 of 38 (36.84%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6mzuxr4cam34lkdbufs73y4pyvrwofjnq573gegkbv4j4n7fx3q._file
Verdict:
malicious
Similar samples:
1062b856e7580e1d5b19bdbe87a233343c39c5a41860358c854586f52dbf906f
RedLineStealer
5377fdf4a8c5b2de8f21a23a0770fbc497d3ba1ff58d50d1ec952216e84a3c4f
RedLineStealer
6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca
RedLineStealer
82e3523dc7d162e55eaa4f69c2dba9555592661eadcc6807898da7196e57289a
RedLineStealer
8fc055b97e29323ef0f570ef76b2bacdceb4f8d1b8a2eb62bb974f0abf03e5c0
RedLineStealer
aad7a088f309c1e0671f327db2428a470c14d08d5f6489fcb628071d2361b6a7
RedLineStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230813-nqkylsde9z/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
9729b30686da9e78af91a817a01a3f8598826859b8ac2419b9da318386059d09
MD5 hash:
8a7430f6d4a969c2e48427d1e3139efe
SHA1 hash:
82202ea739275e387150043e698f9dd633bc33fc
Link:
https://www.unpac.me/results/277f98ba-6f25-4288-82b8-1a3e3ab74f23/
SH256 hash:
07999a5e3c1019be2d430d0b2fef1c7e2b1b38a96c3bfd9886506bc4f1bf2df7
MD5 hash:
dbb81ae91156f1198a2d70148142f1aa
SHA1 hash:
8bf05837afea96228bf9646b3b507b3f4f77921a
Link:
https://www.unpac.me/results/277f98ba-6f25-4288-82b8-1a3e3ab74f23/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07999a5e3c1019be2d430d0b2fef1c7e2b1b38a96c3bfd9886506bc4f1bf2df7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/442500/

Comments