MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
SHA3-384 hash: 1f6e9c2d3a180dffb93d7e6c4ba317276260ffc5875a2049de6fddfbd8cbc89f6c7ff7e13b13bcb9bfaeb73c0d3b54ab
SHA1 hash: e1ba34a4b8d896a1eb4fb29205344edcf7415fd7
MD5 hash: d5225490a6d5fb75a9d3cd6dae2ab934
humanhash: autumn-east-summer-nuts
File name:d5225490a6d5fb75a9d3cd6dae2ab934
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:359'424 bytes
First seen:2022-12-25 13:37:43 UTC
Last seen:2022-12-25 15:31:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8514760d95d5a493235b8748f65885e5 (9 x Smoke Loader, 7 x RedLineStealer, 4 x Amadey)
ssdeep 6144:iILXENKoULg7nT0Km1vCT/PCK48G4J/4GymI:FbvoUs/av+p4Z4VMm
Threatray 12'455 similar samples on MalwareBazaar
TLSH T10C74E1002294DCA2C7C24B71496BE7E96B7B7C919AA796F33744AF2F3D701B09D12247
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acedecee6eaee (119 x Smoke Loader, 44 x Amadey, 41 x Tofsee)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d5225490a6d5fb75a9d3cd6dae2ab934
Verdict:
Malicious activity
Analysis date:
2022-12-25 13:40:47 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c5d23704-b628-4f41-b9e8-4e632cbf2252

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.4451.6995.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63a8523d898959f356c5e3a4/reports/5c220b0b-8b14-46c9-a1b2-a2150ac053a6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/702f40da-ddb7-4dcc-a65d-5425eecbe070
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140839
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-25 12:46:13 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=thv35scvie3ss6kqgr27acbiqdp2rius2g564fi3c6g3rwykfvsq._file
Verdict:
malicious
Similar samples:
0969698e9298154bd93a23d103a942a2937ed1ad1fef8c1ecc6282a57d3c4711
RedLineStealer
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
RedLineStealer
41f7de00c520011be602acf6cee0b2d6342729621336ca9c2f5da205ee3af85c
RedLineStealer
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
RedLineStealer
80e78163acd3b14cc83ce01c8a9203236cfde0dedbc98259ff9e88b230982b32
RedLineStealer
86fe0a5aae7bcf333119902b9e2bbc5464fb0a89391b5534898f45680fcae9e9
RedLineStealer
8b0ac449b6ad803b6141bf9807c0178b22e83e48028a5a64dff6c5c5be3a8ff9
RedLineStealer
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
RedLineStealer
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
RedLineStealer
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
RedLineStealer
+ 12'445 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:trud discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221225-qxdh8aef8z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
31.41.244.198:4083
Unpacked files
SH256 hash:
65f75c671b35cbde3bc6a355f88bf821f74c8a082c9744480a59bbd72defe0c7
MD5 hash:
1904c9b0a20ab75b269c4a8f7d30dacc
SHA1 hash:
c1aecaaf9ff915be2950fcdaa149dc773d349630
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/16498091-d0f1-46c8-a061-da803e96b8fa/
Parent samples :
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
315a47e1c9e838302bd1efa869f010dfae0c61d5fa53493d2ca083bf8fa59d19
eeacb2599b7e2a2cae190aefd594780c6c2f397e6f56a5df4990088a37e7d29a
4df9a237fc5204f2c6b7274fd2514bf888d8f7d959f171668354b8d6087d0a90
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
f03f253e87c36202f2d106679e503f25add063c8f9ddab8d4b0313cc19a65f01
0969698e9298154bd93a23d103a942a2937ed1ad1fef8c1ecc6282a57d3c4711
1fc1cd4294d1ada2d5b9749125ac1c8fff4fd65d25b59ea9590e9f8545a02f77
99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
6efb2e32950265ab4042fc55e79f9791940bd1e228ab626193a6aef2f8ac937d
777e65e00628ae01a5be7027d471bae921525620493656033d2823eb9c275ff5
ae2b1fc1616ef5f45b445f766f8bef9cfa464b41f3319b05b2d48c0e8b73f7e7
7f17b3efdb1542d1da494d21dcc6dfe9fa956bd1094788fca1c5ce06a9644ab5
140f3aa7c2db1fd5335dbe01511bc09e4f90d79ad8af94b2f04cda775f3d8c70
ee9d04da3b8770a6f316ee28a7393cae837735d5d3b8d7b4b56e2b7494bf6f5b
SH256 hash:
46229e0cb12020a35b50685fe5362b96c904c8eb7273c82b428581f3e97359de
MD5 hash:
bc6a96556d5bd384c225494896e016f2
SHA1 hash:
6db5fb667d0d4a3943c43785e2956c21bbb957ce
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/16498091-d0f1-46c8-a061-da803e96b8fa/
Parent samples :
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
e448a7badd2b06dbd62d095c5c299ed5c9eda3bccb7f49cd5bb197b08199317c
0969698e9298154bd93a23d103a942a2937ed1ad1fef8c1ecc6282a57d3c4711
99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
ae2b1fc1616ef5f45b445f766f8bef9cfa464b41f3319b05b2d48c0e8b73f7e7
140f3aa7c2db1fd5335dbe01511bc09e4f90d79ad8af94b2f04cda775f3d8c70
SH256 hash:
8c2b9b552189c223962478ce334b2f4e29536f8c6773c1a2c1a367cf1f9127c9
MD5 hash:
078f90abfc1dddd108adcb85761689d0
SHA1 hash:
51a86a74c011e0a6813b0058104f6b21765ed99c
Link:
https://www.unpac.me/results/16498091-d0f1-46c8-a061-da803e96b8fa/
SH256 hash:
99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65
MD5 hash:
d5225490a6d5fb75a9d3cd6dae2ab934
SHA1 hash:
e1ba34a4b8d896a1eb4fb29205344edcf7415fd7
Link:
https://www.unpac.me/results/16498091-d0f1-46c8-a061-da803e96b8fa/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/99ebbec85541/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 99ebbec85541372979503475f0082880dfa8a292d1bbee151b178db8db0a2d65

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2486085/
  
URLhaus
https://urlhaus.abuse.ch/url/2485560/

Comments


Avatar
zbet commented on 2022-12-25 13:37:46 UTC

url : hxxp://62.204.41.165/true/trud.exe