MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d999627deac3d67198da86f03c85f6b41e3caa929ea311656b592766642ae1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	9d999627deac3d67198da86f03c85f6b41e3caa929ea311656b592766642ae1f
SHA3-384 hash:	6cb690094cbf9455dd22144e219566086554c94266251b45ad2fe3268918ec314125f7deb06b04602bfa133f223cbb1d
SHA1 hash:	c4368949e474c4d6009576f0160dbb41b62b9f77
MD5 hash:	0160e32d94d073452d3d32b7db8bc8a2
humanhash:	nitrogen-paris-charlie-montana
File name:	9d999627deac3d67198da86f03c85f6b41e3caa929ea311656b592766642ae1f
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'303'608 bytes
First seen:	2022-05-20 06:54:42 UTC
Last seen:	2022-05-20 07:59:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	06a834e3824803366fcfecb5c9777295 (3 x RedLineStealer, 3 x ArkeiStealer, 1 x Gozi)
ssdeep	24576:U4Lvy+XtiBHmfNdV/YtfZu6cVh0zWVwSjBon5dYrLnyoFlZAK3mGjGxH4HbnkhYD:UGyeaq8KTwS4wyoFMc6xH4wYMEF
Threatray	5'790 similar samples on MalwareBazaar
TLSH	T1D45512106776C834F87A9DB08EA5169AEE3FBE115704D1EF528672D506322CDCEF8227
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0d4b2e0b2b2f0cc (1 x RedLineStealer, 1 x AveMariaRAT)
Reporter	JAMESWT_WT
Tags:	exe exxon-com RedLineStealer signed

Code Signing Certificate

Organisation:	exxon.com
Issuer:	GeoTrust RSA CA 2018
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-12-30T00:00:00Z
Valid to:	2022-09-02T23:59:59Z
Serial number:	0a2787fbb4627c91611573e323584113
Intelligence:	18 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	299997b9c15bad977cd4f62701346284be6f69e9d0ea7a6b41bb4fddc4d2610d
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

270

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

9d999627deac3d67198da86f03c85f6b41e3caa929ea311656b592766642ae1f

Verdict:

Malicious activity

Analysis date:

2022-05-20 07:23:20 UTC

Tags:

redline

Link:

https://app.any.run/tasks/5ed05d60-3a38-4cae-88cf-7e7e87a4a047

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/272866/

Detection(s):

SecuriteInfo.com.Variant.Jaik.74668.8580.26877.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Launching a process

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19154/overview

Behaviour

MalwareBazaar

SystemUptime

CallSleep

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/62873b59054dcf0ecad0757a/reports/7d82f22e-8c69-445d-a141-7b179e97708c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/19666ba8-0f7e-4ff1-9d4b-d75ccd515bbc

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998328

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d999627deac3d67198da86f03c85f6b41e3caa929ea311656b592766642ae1f/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-05-20 06:55:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

788c479dd24438feffbe33fda214468f3fbb2948d1c4c5ab24468544c7d8feed

RedLineStealer

a7e01ef5e3aa602f27910b30a66dbc82bd0845f0148a86e4d11b6bbd6c2c994c

RedLineStealer

ad10c5da6a30db60f1f6f9506d9f5ad05e129972fdb59fa393fbf9102971b605

RedLineStealer

dcc028b3f9cf27ce82f5c4aff114e0b664cbdc39a65bd81c234f111bbfd9429e

RedLineStealer

+ 5'780 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1 infostealer

Link:

https://tria.ge/reports/220520-hpsdeahfhq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Malware Config

C2 Extraction:

65.21.239.87:34105

Unpacked files

SH256 hash:

8c895f408adae00f2661e790665619c8d0eb47c99446232982cd5f3977b5c3d3

MD5 hash:

160d713bcbe72fe96fdba4713d765761

SHA1 hash:

5d1c4087d83abc23922223606e60c47a367b2bba

Link:

https://www.unpac.me/results/17a85ff0-4695-46fd-8381-59342a3c9743/

SH256 hash:

b5c9381285aab0c8d312d7199e70bb65b59ebe3ba02642640e4555358523f449

MD5 hash:

93a94444dbd1c1a135bc6a8c30ae884c

SHA1 hash:

0c44db9cbd6c91156e72f548f4ef821ed67596dc

Link:

https://www.unpac.me/results/17a85ff0-4695-46fd-8381-59342a3c9743/

SH256 hash:

60bf72b8cb7f7157d3d3696f192d48c899d3325590ca19cdef343b6722a0ccdc

MD5 hash:

be1037c4bed84e48e2806031db5e5a07

SHA1 hash:

b9eb364cdb13cb41e6c1012d83effdb8f55f6659

Link:

https://www.unpac.me/results/17a85ff0-4695-46fd-8381-59342a3c9743/

SH256 hash:

9d999627deac3d67198da86f03c85f6b41e3caa929ea311656b592766642ae1f

MD5 hash:

0160e32d94d073452d3d32b7db8bc8a2

SHA1 hash:

c4368949e474c4d6009576f0160dbb41b62b9f77

Link:

https://www.unpac.me/results/17a85ff0-4695-46fd-8381-59342a3c9743/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9d999627deac3d67198da86f03c85f6b41e3caa929ea311656b592766642ae1f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/272866/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample