MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 11 File information Comments

SHA256 hash:	99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284
SHA3-384 hash:	df665e717c6dd3b49ff67fe2a6806fe59f6134b3536377f44027cadd999c0aeb41c7eff8e5f42e06a06fe32455f84e3d
SHA1 hash:	b7458c9207961a3e8187862f6d6d5b2abf89df95
MD5 hash:	8d093a4353d11b4a6591d945f4a4855e
humanhash:	magnesium-carpet-angel-violet
File name:	99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'000'960 bytes
First seen:	2023-08-08 11:40:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	99618c39aafbf01419fbcd53cea0e110 (10 x RedLineStealer)
ssdeep	12288:HehArhpIF+G5PMZ619yEaLup3mzrgSyszQuUAAks3duzzoK0fJBzEy25Cddh:+h4hpIwG5PMZ6JgQuUAc39JBN
Threatray	2'085 similar samples on MalwareBazaar
TLSH	T109256B603CE08926DEA610BB09ADF924027E90A20F235ED755C77FEB96109D16F37787
TrID	56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.1% (.EXE) Win32 Executable (generic) (4505/5/1) 3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	adrian__luca
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284

Verdict:

Malicious activity

Analysis date:

2023-08-08 11:40:33 UTC

Tags:

redline

Link:

https://app.any.run/tasks/8f18ae69-a420-42c3-b265-14987ca030d5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/441340/

Detection(s):

SecuriteInfo.com.Trojan.PWS.RedLineNET.7.14419.13466.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7949e8f7-76db-493d-93d7-eb1b42bfd7f8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1287714

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-07-29 02:33:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tg6zjg5zlvjrzachvxqv34dgmjox6u2imsspubtlgvfzlc3cakca._file

Verdict:

malicious

RedLineStealer

199c2d8e24c0cc919d0400773938ed3cca76860e7be93b5d1f2f8ee12004a5f7

RedLineStealer

252055d82e07b21166bc7cd77e43635b582947c7bdc60646c5edc4766bcc7f4c

RedLineStealer

2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418

RedLineStealer

712bd451f71fe3a5a3ad3b2d0965b0dd872c5348f8338af96c222add990a5326

RedLineStealer

90a8447971f2150fe9ba03d2680af7bdd33de721e9e1521166a7826ed143a2d8

RedLineStealer

a603f24dcfe2d6c509d38aa796680ba1ec48af5c984bceb106c7b28224cbfcbb

RedLineStealer

a85b8341d1594f4ec7d0aaf1cb367c0fe92ecd1914666107d1ed720d2bb7a1a2

RedLineStealer

b02a04e65ae9453f1c3bc5fcfd47686be2fb8b8f978c3ec29a0c6749106ed4f7

RedLineStealer

dd7559d441f5207d13dd4e8486af5146085c326b27e0ba2b4a72acbcd2a60984

RedLineStealer

+ 2'075 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1red1 infostealer

Link:

https://tria.ge/reports/230808-nte7jadg9v/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

RedLine

Malware Config

C2 Extraction:

77.246.110.195:8599

Unpacked files

SH256 hash:

8bdc99aa861fda33fa66e72c65451b225a41c21da51dec53137dd3ef0f325e14

MD5 hash:

f7d837a34678f655d2600cd6d38e1fe2

SHA1 hash:

79ccca01271d8501632411192432dde1e5536d85

Link:

https://www.unpac.me/results/98da6786-de59-4a1f-9dc0-ae5b6701e801/

SH256 hash:

a2fdc80a877bef92cd569982f379331c821c337a322547d89c698cbe415b859e

MD5 hash:

5f0f246ed497a8ff9d80004efe068346

SHA1 hash:

cb997a3c1a1f4884d17d1f5a2c86c277f323124b

Detections:

redline

Link:

https://www.unpac.me/results/98da6786-de59-4a1f-9dc0-ae5b6701e801/

Parent samples :

a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460
dae4ef263266f77d4bc88a23772a5a65e8ffe9ce69e3446019fbc2cd6b87df79
4c3b0c1e5e66b0f794e09afe724a3a805610becebc02741f009603ab2e2bb689
c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66
99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284

SH256 hash:

99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284

MD5 hash:

8d093a4353d11b4a6591d945f4a4855e

SHA1 hash:

b7458c9207961a3e8187862f6d6d5b2abf89df95

Link:

https://www.unpac.me/results/98da6786-de59-4a1f-9dc0-ae5b6701e801/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/99bd949bb95d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/441340/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample