MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99bf05da1be178fe731b05f86f0d95f4816a25bdf273fc1e6f0f6268dd8ae9dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	99bf05da1be178fe731b05f86f0d95f4816a25bdf273fc1e6f0f6268dd8ae9dc
SHA3-384 hash:	3e61683ad609d180736045505fba75d845fa9c09fb6cff33431fda00f09b4490d10296412ccfff6d5bd88ee7cdd776be
SHA1 hash:	b4c0b664854737d1b55e56dc2ff0f4c1ab0d182c
MD5 hash:	34ae36e699bc0f4fc4e153eea47729f6
humanhash:	maryland-music-bacon-arizona
File name:	3953_1647869815_826.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'305'776 bytes
First seen:	2022-03-25 07:21:32 UTC
Last seen:	2024-07-24 19:28:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0f485dd67db0934c1142793ca6636d72 (1 x RedLineStealer)
ssdeep	24576:05OJ5SBoY3wigrK0pCDP2Tt+VH6ZpDrUJwFm07vdFVQnsUFS2CW:1vYgi1xP2gVH0Dr4emsasUFS2z
Threatray	1'062 similar samples on MalwareBazaar
TLSH	T1E35523D08BE0CE65D722557D85AA498D5364EC2CED388E5E1B6CF3784A313F53B1A02E
File icon (PE):
dhash icon	cfb1e9cccce9f0dc (2 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/257555/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.24720.14833.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

exploit fuerboos greyware overlay packed pandora shell32.dll

Link:

https://www.filescan.io/uploads/623d6dda1f20423948275878/reports/c7ccc990-8d94-4813-835d-ea60fa0f2ebd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9f2443ec-60ec-4097-a9cb-70b2ebe8398b

Result

Threat name:

PCHunter tool RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/964340

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Detected unpacking (changes PE section rights)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Yara detected PCHunter tool

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/99bf05da1be178fe731b05f86f0d95f4816a25bdf273fc1e6f0f6268dd8ae9dc/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2022-03-21 15:28:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 42 (64.29%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

bbd758f37aeef6a57927c486286c6d4725901ecb399ca9b26a0a0936a5b1050b

RedLineStealer

ddf1bac1a33f6668bd6606659c30f6e63d4674fc9b482d0a3d37601a818a67b8

RedLineStealer

e347cd6db9c802638a546510c858928f9e69325d092c937ef3f33497d7d8c844

RedLineStealer

eed3dc3bd8fe006447ebd633cd8ce00a38f96c69f05d7a621c852ef2c45192ae

RedLineStealer

fb3104bd722fc507244ba989afa2ee924f43fbdfd617973ebdf6b8f8f9478ea0

RedLineStealer

+ 1'052 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline infostealer

Link:

https://tria.ge/reports/220325-h7albagddn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

RedLine

RedLine Payload

Unpacked files

SH256 hash:

080b9da953f09bc428d1d7b1d3c70038fc57ef5d506d9f888a813b00943efd05

MD5 hash:

2981067f1c7a075db8ea7c0562212a8f

SHA1 hash:

b5bf38d5ad1ab8c90557ca4ec84cd534d1f38012

Link:

https://www.unpac.me/results/43a31270-3ea8-4a39-ae82-ce39ad6c15e2/

SH256 hash:

99bf05da1be178fe731b05f86f0d95f4816a25bdf273fc1e6f0f6268dd8ae9dc

MD5 hash:

34ae36e699bc0f4fc4e153eea47729f6

SHA1 hash:

b4c0b664854737d1b55e56dc2ff0f4c1ab0d182c

Link:

https://www.unpac.me/results/43a31270-3ea8-4a39-ae82-ce39ad6c15e2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/99bf05da1be178fe731b05f86f0d95f4816a25bdf273fc1e6f0f6268dd8ae9dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 99bf05da1be178fe731b05f86f0d95f4816a25bdf273fc1e6f0f6268dd8ae9dc

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2109530/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/257555/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample