MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99cb9ea998d774a077d760f6a767660a520bc882a73195b3cd0282c2e967fb13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 99cb9ea998d774a077d760f6a767660a520bc882a73195b3cd0282c2e967fb13
SHA3-384 hash: 434be0424f1c91db038bce3257254717f021ecc23b2719ef51408f4e5187dcfe9c6f301054248304459c440c9b364e2b
SHA1 hash: 520f5870394c9976db688f77bc651ff0a3935691
MD5 hash: 49d3d360aa4d5801e3e6cf63d799c793
humanhash: zebra-nevada-oklahoma-utah
File name: file
Download: download sample
Signature: RedLineStealer
File size: 1'328'680 bytes
First seen: 2022-12-07 00:28:03 UTC
Last seen: 2022-12-07 02:27:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash ea99070f73acd93ad4801f9c4cb273d7 (3 x RedLineStealer, 2 x LgoogLoader, 1 x AveMariaRAT)
ssdeep 24576:pj4Pq3FyJga5jGIwtwS7TSNqAzjuY4+1ziRN+FtxA8Xc009GtfzZfCev5mF62X+E:pjsZJj5jG9WoTy72YlziRaK0+Gt1
TLSH T176551288FBBB4369E45359BC017ED3A32459FD7C753841433A643E275FA62B28864B0E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: e8f0b27169e8f0f0 (1 x RedLineStealer)
Reporter: andretavare5
Tags: exe RedLineStealer signed

Code Signing Certificate

Organisation: www.wiley.com
Issuer: DigiCert TLS RSA SHA256 2020 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2022-11-11T00:00:00Z
Valid to: 2023-11-21T23:59:59Z
Serial number: 0fafd8d91668bd873d0a7e5abd46a0e9
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: e2ad9e9ebc60f28cd067d3ce66f851504d06cd4aac503861f28d448566928842
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from http://91.213.50.36/files/hamburger.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 211
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-12-07 00:30:30 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
DNS request
Creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Mustang Panda
Verdict: Malicious
Result
Threat name: RedLine, Vidar
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID: 762238, Sample: file.exe, Startdate: 07/12/2022, Architecture: WINDOWS, Score: 100 (rendered process/network graph not reproduced here)
Threat name: Win32.Trojan.Strab
Status: Malicious
First seen: 2022-12-07 00:29:11 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 37820c7c241c9ce2bc756e71d92b881ba1f3d14e006625d83ed593f7c0b4f552
MD5 hash: 45aee0bb6a8d9f901788741ecf235a01
SHA1 hash: f69a5c9385b1abb32d0b7c1a790c4fa18d709819
SHA256 hash: 99cb9ea998d774a077d760f6a767660a520bc882a73195b3cd0282c2e967fb13
MD5 hash: 49d3d360aa4d5801e3e6cf63d799c793
SHA1 hash: 520f5870394c9976db688f77bc651ff0a3935691
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments