MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99b59b6c40f3c17f4d3b19e76ec464774d54dad4b14b9d9e7d92610589c82687. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 99b59b6c40f3c17f4d3b19e76ec464774d54dad4b14b9d9e7d92610589c82687
SHA3-384 hash: 14c7aa4985c8acfc13a3d09096d649c1f5d6cfade79fb4541502b75d290f1e9d05be33f50a1da2f8c509063ee8e638e3
SHA1 hash: 847fa265770c0048d34549b4a2251e832e42c582
MD5 hash: 18b953ff1dbc1eb84d82d90098909277
humanhash: summer-delaware-video-johnny
File name: 18b953ff1dbc1eb84d82d90098909277.exe
Signature: RedLineStealer
File size: 353'792 bytes
First seen: 2021-08-24 06:29:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4dcb3c3a3fe5e134dd41266130cc79d2 (6 x RaccoonStealer, 4 x RedLineStealer, 3 x Tofsee)
ssdeep: 6144:bEqc4rwm0j3mkFJC1xQOYCK3KXveNKDh/YtoSt3/WpyTB29k5YrpW:tcGwmQWkiuDsvKKDBYt7F/dTBEk5Yrp
Threatray: 5'073 similar samples on MalwareBazaar
TLSH: T12B74AE30AAA1C435F5F612F845B682B8B93A7AB16B3050CF62E51AED17347E5EC30747
dhash icon: ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 114
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 18b953ff1dbc1eb84d82d90098909277.exe
Verdict: Malicious activity
Analysis date: 2021-08-24 06:32:55 UTC
Tags: stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Sending a UDP request
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary; depending on context, the presence of a binary can be suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 72 / 100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-08-23 20:42:15 UTC
AV detection: 23 of 46 (50.00%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.215.113.29:8678
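The extracted C2 endpoint is the most directly actionable item on this entry. The following is an added example (not MalwareBazaar tooling and not part of the entry) of running that indicator over connection logs. The log lines are constructed to look like a trimmed Zeek conn.log; the column subset, the function names and the two-tier verdict (exact IP:port versus the same host on another port, which RedLine operators do change between builds) are this example's own assumptions.

```python
"""Flag connections to the RedLine C2 extracted from this sample (185.215.113.29:8678).

Added example; the sample log below is constructed, not captured, and the field subset
mirrors a trimmed Zeek conn.log (tab-separated, column names on a #fields header line).
"""
import ipaddress

# C2 from the entry's "Malware Config" section.
C2_ENDPOINTS = {("185.215.113.29", 8678)}
C2_HOSTS = {ip for ip, _ in C2_ENDPOINTS}

# Constructed sample log: benign TLS flow, exact C2 hit, same host on another port,
# and a neighbouring IP that must NOT match.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1629786775.103\tCabc1\t10.0.0.23\t51234\t142.250.74.206\t443\ttcp\tSF
1629786781.551\tCabc2\t10.0.0.23\t51240\t185.215.113.29\t8678\ttcp\tS0
1629786790.009\tCabc3\t10.0.0.41\t51301\t185.215.113.29\t443\ttcp\tSF
1629786792.717\tCabc4\t10.0.0.41\t51302\t185.215.113.30\t8678\ttcp\tRSTO
"""


def parse_conn_log(text):
    """Yield one dict per record, keyed by the #fields header; comments and rows with
    the wrong column count are skipped rather than crashing the scan."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def classify(dst_ip, dst_port):
    """'c2' for an exact IP:port hit, 'c2-host' for the C2 address on another port
    (lower confidence: the host may serve other operators or a rotated port), else None."""
    if (dst_ip, dst_port) in C2_ENDPOINTS:
        return "c2"
    if dst_ip in C2_HOSTS:
        return "c2-host"
    return None


def find_c2_connections(text):
    """Return matching flows with timestamp, Zeek uid, source and verdict."""
    hits = []
    for rec in parse_conn_log(text):
        try:
            # Normalise the address so "185.215.113.029"-style variants still match.
            dst_ip = str(ipaddress.ip_address(rec["id.resp_h"]))
            dst_port = int(rec["id.resp_p"])
        except (KeyError, ValueError):
            continue
        verdict = classify(dst_ip, dst_port)
        if verdict:
            hits.append({"ts": rec["ts"], "uid": rec["uid"], "src": rec["id.orig_h"],
                         "dst": f"{dst_ip}:{dst_port}", "match": verdict})
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_CONN_LOG):
        print(f"{hit['ts']} {hit['uid']} {hit['src']} -> {hit['dst']} [{hit['match']}]")
```

Treat an exact IP:port hit as a confirmed RedLine check-in from the source host; an IP-only hit is worth pivoting on (other samples sharing the host, passive DNS) before it is escalated.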
Unpacked files
SHA256 hash: 9535c968deac76b07b81338316691050af68de604c5ac9b8ce88fb13af79aa22
MD5 hash: b726df75f1ef2ca4e8e4c201cc323464
SHA1 hash: afbc5f2384bad1cf44d88b3e6a0e2e08683ddfcf

SHA256 hash: 49024e791cf17a4255a3b5a33bfede6ed8f9ab28c34d7b10ce7c3676498fa969
MD5 hash: 0d79cf0987744082d998343280d9b2d5
SHA1 hash: 6810c7f1f15bdd644e0c0ffd0e341c71dc2deeeb

SHA256 hash: 71834babc65f6ca37d984e3cd28656ccfdfc7947d65c92080c84df0dd261b3d0
MD5 hash: 930113d93ac139570d8cf41e39400215
SHA1 hash: 0152da485ccfb299b2f17bd3af7e5c733b1f294d

SHA256 hash: 99b59b6c40f3c17f4d3b19e76ec464774d54dad4b14b9d9e7d92610589c82687 (this sample)
MD5 hash: 18b953ff1dbc1eb84d82d90098909277
SHA1 hash: 847fa265770c0048d34549b4a2251e832e42c582
Please note that we are no longer able to provide a coverage score for Virus Total.
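The entry publishes MD5, SHA1 and SHA256 for the submitted sample and for each of the unpacked files above. The block below is an added example (not MalwareBazaar's own tooling) of turning those digests into a local file-hash sweep: it streams each file through all three algorithms in one pass, compares case-insensitively, and reports which algorithm matched, so a feed that only carried an MD5 or SHA1 still hits. Only the digests are taken from the entry; the function names and the directory-scan entry point are assumptions.

```python
"""Hash-IOC sweep for the file hashes on this MalwareBazaar entry.

Added example. ENTRY_IOCS holds the digests copied from the entry (the sample plus the
files listed under "Unpacked files"); everything else is this example's own design.
"""
import hashlib
import sys
from pathlib import Path

# Lowercase so comparison is case-insensitive regardless of how a feed formats hashes.
ENTRY_IOCS = {
    "sha256": {
        "99b59b6c40f3c17f4d3b19e76ec464774d54dad4b14b9d9e7d92610589c82687",  # this sample
        "9535c968deac76b07b81338316691050af68de604c5ac9b8ce88fb13af79aa22",  # unpacked
        "49024e791cf17a4255a3b5a33bfede6ed8f9ab28c34d7b10ce7c3676498fa969",  # unpacked
        "71834babc65f6ca37d984e3cd28656ccfdfc7947d65c92080c84df0dd261b3d0",  # unpacked
    },
    "sha1": {
        "847fa265770c0048d34549b4a2251e832e42c582",
        "afbc5f2384bad1cf44d88b3e6a0e2e08683ddfcf",
        "6810c7f1f15bdd644e0c0ffd0e341c71dc2deeeb",
        "0152da485ccfb299b2f17bd3af7e5c733b1f294d",
    },
    "md5": {
        "18b953ff1dbc1eb84d82d90098909277",
        "b726df75f1ef2ca4e8e4c201cc323464",
        "0d79cf0987744082d998343280d9b2d5",
        "930113d93ac139570d8cf41e39400215",
    },
}

ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """All three digests of an in-memory blob (e.g. a PE carved out of a memory dump)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def hash_file(path, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all three digests in a single read pass."""
    digests = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def match_iocs(hashes: dict, iocs: dict = ENTRY_IOCS) -> list:
    """Algorithms under which `hashes` hit the IOC set; an empty list means no match."""
    return [algo for algo in ALGOS
            if hashes.get(algo, "").lower() in iocs.get(algo, set())]


def scan_directory(root, iocs: dict = ENTRY_IOCS) -> dict:
    """Map each file under `root` that matches an IOC to the algorithms it matched on."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            matched = match_iocs(hash_file(path), iocs)
            if matched:
                hits[str(path)] = matched
    return hits


if __name__ == "__main__":
    # Usage: python hash_ioc_sweep.py <directory>
    for file_path, algos in scan_directory(sys.argv[1]).items():
        print(f"{file_path}: matched on {', '.join(algos)}")
```

A hash sweep only finds byte-identical files; a repacked RedLine build will miss here, which is why the entry also carries imphash, ssdeep, TLSH and icon dhash for similarity matching.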

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe, 99b59b6c40f3c17f4d3b19e76ec464774d54dad4b14b9d9e7d92610589c82687 (this sample)

Delivery method
Distributed via web download

Comments