MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e9ef61a98539e6511fdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e9ef61a98539e6511fdf
SHA3-384 hash: 902cb5472e0bdf24e5de35076f028c9aa72682d11facc3c46fa9bc99652d87b4c2e744ad8afe1525fbc7c79dcc4c2752
SHA1 hash: ba8f67519eb7e0d1a19234868318d06408007c91
MD5 hash: 7a02cac061509ebec49b26f72dc7ec3c
humanhash: alaska-comet-white-alaska
File name:99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:313'856 bytes
First seen:2023-01-23 09:20:24 UTC
Last seen:2023-01-24 23:36:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e72f606dd0982c47d40a1b2d2827cdc0 (30 x Smoke Loader, 15 x Tofsee, 7 x CoinMiner)
ssdeep 6144:QmwQL3wM0KaUSQAgccOF1x0pQVHzKJHg8yDQfPn:VFsM0KL1chF1OW5zSHgDgn
Threatray 14'523 similar samples on MalwareBazaar
TLSH T13D64F12072E2D472C55F40705824EFA2ABBBF471463A954B37943E6F9FB02E0AA57347
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00080c128a020222 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
142.202.242.197:35704

Intelligence

File Origin
# of uploads :
3
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 09:23:20 UTC
Tags:
redline
Link:
https://app.any.run/tasks/9de99c52-5f25-4a86-b631-bb3c96287a11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/355830/
Detection(s):
Win.Packed.Botx-9984956-0
Create hunting rule

Win.Packed.Botx-9985011-0
Create hunting rule

Win.Packed.Botx-9985032-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62424/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar greyware packed shell32.dll tofsee
Link:
https://www.filescan.io/uploads/63ce517f2b351a3d0ea7dbfe/reports/cd63ff12-9abc-4eec-bedf-ca160dec1510/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6cef8feb-0cea-49dc-92e9-a4bd7110ba69
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156834
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e9ef61a98539e6511fdf/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 03:23:52 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=thksu6hytmah4papse4q5rxursqw4d4od6r6t33bvgcttzsrd7pq._file
Verdict:
malicious
Similar samples:
1f1716a324a5a05290c792e8a1f9636e274c5624886ae24b9eef5c9e9bb42493
RedLineStealer
34f45aa85febada4ad0fbc160288ed21a6ea1dac8b3165ad953abfb0933369a4
RedLineStealer
469bb2e0e9f48a661156adc335133e1610b2000674e1f0f48b5bbbaa846269a6
RedLineStealer
7a3ead0106401ff0d0354af5e31dda262aa16738f84b0f431807d84012e76ed0
RedLineStealer
7d24918d8668d6c8256f2992beeafa2ef8a54e5f56545d77ec03db72586d2f1d
RedLineStealer
98f15bd234e0fed5e94dbfab24d170b79311722fd751582170119232fc360ec5
RedLineStealer
f2609207a1256edd5866e25d1b9dffdbe9d730df93fe7c44684ba77fe384819d
RedLineStealer
+ 14'513 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:test1 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230123-lbcmkscf84/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
142.202.242.197:35704
Unpacked files
SH256 hash:
f85a2e86759fe4871b1f2d09adb742c3e6c0827f540ba454e9c812f0f654c01b
MD5 hash:
e0bf48530d2536788665e7c87c61f10e
SHA1 hash:
f406ffa3278eaf93eb554817e84264f9ced706d3
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/84d7ebee-4218-44dc-9f4e-c35f2603dcf3/
SH256 hash:
2d83b616d1c059d38d3833fd976dd2639c4cd3c60e2e16b6d6ccd11f2e028c23
MD5 hash:
e5674e295839ad024501073db56cff5e
SHA1 hash:
de1f0c7ed982e90283713cdec33c2144cd89c2aa
Link:
https://www.unpac.me/results/84d7ebee-4218-44dc-9f4e-c35f2603dcf3/
SH256 hash:
26db9aba792b5904d0776705b768a9bea30a7c69efa04f43bb9283f5a7875d7b
MD5 hash:
4aa108836b2f6d16a69c3ec905b4c485
SHA1 hash:
0de7c10144862cb2f41ea12e79a8c538946e5a68
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/84d7ebee-4218-44dc-9f4e-c35f2603dcf3/
SH256 hash:
99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e9ef61a98539e6511fdf
MD5 hash:
7a02cac061509ebec49b26f72dc7ec3c
SHA1 hash:
ba8f67519eb7e0d1a19234868318d06408007c91
Link:
https://www.unpac.me/results/84d7ebee-4218-44dc-9f4e-c35f2603dcf3/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/99d52a78f89b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e9ef61a98539e6511fdf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 99d52a78f89b007e3c0f91390ec6f48ca16e0f8e1fa3e9ef61a98539e6511fdf

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/355830/
  
URLhaus
https://urlhaus.abuse.ch/url/2516209/
  
Delivery method
Distributed via web download

Comments