MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99f6d5723f93ac9689ea1f428b9a090b55f068ecdebcfdff854bef0dbd26db6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9



SHA256 hash: 99f6d5723f93ac9689ea1f428b9a090b55f068ecdebcfdff854bef0dbd26db6d
SHA3-384 hash: ea499595740e8c330aa3e064c6fccd4baeb46690fc6195ad0f07a17ecdcd102ff4180d41f6ed92f679aea87b8770eaa5
SHA1 hash: 713b655c76b2d0e4e17d5e3f19d6b01ec21bf81d
MD5 hash: 7c884f63b2d812d757ce6bb0bb33d15d
humanhash: hot-crazy-failed-alabama
File name: 7c884f63b2d812d757ce6bb0bb33d15d.exe
Signature: RedLineStealer
File size: 467'456 bytes
First seen: 2021-09-21 19:26:26 UTC
Last seen: 2021-09-21 20:09:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 55a99143707a26596b2c60570843c661 (1 x RedLineStealer)
ssdeep: 6144:E03PbAMTTfZ5/ekjZiueWuJpKMk79uW6hpSw7hWQKHeC:d3PbAAZ9ZjZ4JpK6xpSwNK+C
Threatray: 2'035 similar samples on MalwareBazaar
TLSH: T11CA48D6AAB43C801E12D57F082A34F944D2757943E21C9EB96F6DADC2E793C07C0BE46
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 271
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7c884f63b2d812d757ce6bb0bb33d15d.exe
Verdict: Malicious activity
Analysis date: 2021-09-21 19:33:02 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2021-09-21 19:27:09 UTC
AV detection: 17 of 45 (37.78%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:rabotaisuka discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: lanazavis.xyz:80
Unpacked files
SHA256 hash: 332874d70e2206c2ae388c43fa34658e11c9ca67d1314f17ac2039aa6e7668d6
MD5 hash: 8c88c7959d4080f93a09f281eae81a06
SHA1 hash: a42f7db9370280b3a1f224536c8d21caf5047f94

SHA256 hash: c8282fd4a7bf804f20a0867acdd0c5eda10a843f8ebffd57ea2231d42b338fdf
MD5 hash: a432896c3d41805c72505c24a1ccb9e5
SHA1 hash: 6689ef7d2fae8cce9262cb5e241cb34feacf4795

SHA256 hash: 8a370f2ea9c2e2193151ec7b9819026d7574b227c04b37a558175771871c77a9
MD5 hash: 43e5f2890f6e8eefa81939c3d7e46024
SHA1 hash: 055510518c807e264553c1994e52e6e745ecadc7

SHA256 hash: 99f6d5723f93ac9689ea1f428b9a090b55f068ecdebcfdff854bef0dbd26db6d (the submitted sample itself)
MD5 hash: 7c884f63b2d812d757ce6bb0bb33d15d
SHA1 hash: 713b655c76b2d0e4e17d5e3f19d6b01ec21bf81d
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: 99f6d5723f93ac9689ea1f428b9a090b55f068ecdebcfdff854bef0dbd26db6d (this sample)

Delivery method: Distributed via web download
