MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e9897fd86ef718d4ff9e73768ce3e660743a5485a7d9c216b7eebc8d908f221. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e9897fd86ef718d4ff9e73768ce3e660743a5485a7d9c216b7eebc8d908f221
SHA3-384 hash: c200839f3c23eae1b9dc6b233b7ff75bcf415be7388f6e1f5c52c198b4740ce0dcd834e42acf743d647d8b9d84270dd8
SHA1 hash: 9d54fe69de74f3ac3d4f185dd2d228c4f8d37332
MD5 hash: b0e50123ba50bf69c5aaa319b9804210
humanhash: jersey-neptune-diet-don
File name:l2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:12'364'800 bytes
First seen:2023-02-13 19:25:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fd87f79fc1bdaef4e66bba3ab9909015 (1 x RedLineStealer)
ssdeep 196608:uQdYPJJTZbT3iRiTk6DNvk8FD2ijYvCfqjdZ55zVqKntCSjlE9KfWa2NYRuwE5K5:b4Jd5SMYWN/jUCfOrjbjXYNm3sKJqG
Threatray 24 similar samples on MalwareBazaar
TLSH T1ABC623C11FDA82E8C0EA6B3069C7436BB4A173DEC0FD8A5F35C24C1A7691E565D4B1E2
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter iamdeadlyz
Tags:89-32-41-231 exe RedLineStealer SpacePearl


Avatar
Iamdeadlyz
From spacepearl.io (fake P2E game - plagiarised contents from multiple sources - fake team)
De-pump of 6606171a825e3f869b1b37e1d36a068a6afedcad4cf19b9cbed317c29d16eebe
RedLineStealer C&C: 89.32.41.231:10932

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
l2.exe
Verdict:
No threats detected
Analysis date:
2023-02-13 19:27:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c05e152e-6597-46ad-a495-c977d92a3f3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/365238/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ea8ecc19bdad83463604f1/reports/fc57e034-cf2c-42b2-828b-b9c1ebd01ecb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/0e9897fd86ef718d4ff9e73768ce3e660743a5485a7d9c216b7eebc8d908f221
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e5ccfd56-cdd6-4ae6-ab02-7108a60ae452
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1173731
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e9897fd86ef718d4ff9e73768ce3e660743a5485a7d9c216b7eebc8d908f221/
Threat name:
Win64.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-02-13 19:27:13 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b2mjp7mg55yy2t7z443wrtr6myduhjkilj6zyillp3v4rwii6iqq._file
Verdict:
malicious
Similar samples:
1ef0fe49cef266707c54468ea0113c06965f021ca19db32035d80007b6517c2b
RedLineStealer
58591d220d48fbc565054766db000c1d14250a02c160bfe86370877441e5d2da
RedLineStealer
804826c7da65f0ef6aba984fc65cd2e701f4d26ef52fedd3dcea5808c4c70542
RedLineStealer
90e7c78ca1612b6f6e0f2c25e00e4c73e9df86936a243a03a488a3b155334eea
RedLineStealer
b7e70119bad5c9fcd84035b4b9064911f45f0e95a2ec4a84b0ee10105d541055
RedLineStealer
c7d11c958c790562daf2522a05d7ba39e0c013e810f51ff2013af571d9394679
RedLineStealer
ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
RedLineStealer
e5af161ed00bec735dd830bdd0eb3d57aa0df83d75d85684bd5796fbc6565d66
RedLineStealer
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230213-x5h71afe64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
0e9897fd86ef718d4ff9e73768ce3e660743a5485a7d9c216b7eebc8d908f221
MD5 hash:
b0e50123ba50bf69c5aaa319b9804210
SHA1 hash:
9d54fe69de74f3ac3d4f185dd2d228c4f8d37332
Link:
https://www.unpac.me/results/1af815c2-d0ad-4a9e-a84f-ecf6d48bfef3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/0e9897fd86ef718d4ff9e73768ce3e660743a5485a7d9c216b7eebc8d908f221

File information

The table below shows additional information about this malware sample such as delivery method and external references.

e3d8e24c2741cbdb8a0cd20da683c1df5d9589742bbc1589192a45fc661444ac

RedLineStealer

Executable exe 0e9897fd86ef718d4ff9e73768ce3e660743a5485a7d9c216b7eebc8d908f221

(this sample)

  
Dropped by
SHA256 e3d8e24c2741cbdb8a0cd20da683c1df5d9589742bbc1589192a45fc661444ac
  
Dropped by
SHA256 6606171a825e3f869b1b37e1d36a068a6afedcad4cf19b9cbed317c29d16eebe
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 d645f87e9effc9b26c410ee9b7269ec4094c23a7b46d7cee5720be9d630b7029
Cape
Cape
https://www.capesandbox.com/analysis/365238/
  
Dropped by
SHA256 f015cf03b22191ac595069ce9195f85ddd24664c6b1f4454c849479b9da97a67
  
Dropped by
MD5 4ebf576ccd688e32e71122d7f8be2d8f

Comments