MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee015f8a2f7b94d7e4fbf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee015f8a2f7b94d7e4fbf3
SHA3-384 hash: cf1ee6bd786a83ea08aa9db6234943a0efe9750918d21977dac7366149250e9ad38eb0294cae6aa13721c7b8cc5bafb9
SHA1 hash: 0516ce68fe6941ccf87c185b8886695f475f427c
MD5 hash: 4d9fc9471444c9b6b7e01e4bd0985431
humanhash: muppet-friend-princess-kilo
File name:9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'766'719 bytes
First seen:2023-04-28 22:55:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (258 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/WGqKYlKic6QL3E2vVsjECUAQT45deRV9RZ:sBuZrEU7GlKIy029s4C1eH9L
Threatray 175 similar samples on MalwareBazaar
TLSH T13E85CF3FF268A13EC56A1B3245739320997BBA61B81A8C1E07FC344DCF765601E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.54:27914

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee0.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-28 22:56:40 UTC
Tags:
installer
Link:
https://app.any.run/tasks/373b0c0c-04cf-430a-a252-2bdd09796950

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385616/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30446.10361.7260.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/81921/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/644c4f071facab193c66ab1b/reports/aedd2803-8014-48a6-99f5-52e2296a7b3d/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1254054
Link:
https://www.hybrid-analysis.com/sample/9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee015f8a2f7b94d7e4fbf3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/37897f81-ebdf-4e62-9fb2-c6d7b97716e3
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
34 / 100
Link:
https://www.joesandbox.com/analysis/1223269
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Obfuscated command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 856220 Sample: 9e9e150d6ff9170caa0ffaab653... Startdate: 29/04/2023 Architecture: WINDOWS Score: 34 42 www.migglesshop.com 2->42 48 Antivirus detection for URL or domain 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 9 9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee0.exe 2 2->9         started        signatures3 process4 file5 34 9e9e150d6ff9170caa...df4a849b0a5cee0.tmp, PE32 9->34 dropped 54 Obfuscated command line found 9->54 13 9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee0.tmp 3 20 9->13         started        signatures6 process7 dnsIp8 44 www.migglesshop.com 194.213.18.22, 443, 49699, 49700 HA-SDCGB United Kingdom 13->44 36 C:\Users\user\AppData\Local\Temp\...\s0.exe, PE32 13->36 dropped 38 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 13->38 dropped 40 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 13->40 dropped 17 s0.exe 2 13->17         started        file9 process10 file11 24 C:\Users\user\AppData\Local\Temp\...\s0.tmp, PE32 17->24 dropped 46 Obfuscated command line found 17->46 21 s0.tmp 6 19 17->21         started        signatures12 process13 file14 26 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->26 dropped 28 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 21->28 dropped 30 C:\...\unins000.exe (copy), PE32 21->30 dropped 32 7 other files (none is malicious) 21->32 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee015f8a2f7b94d7e4fbf3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-28 22:56:10 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t2pbkdlp7elqzkqp7kvwkmzn35fijgykltxacx4kf55zjv7e7pzq._file
Verdict:
unknown
Similar samples:
345a58b6a943b3a9235473232e3b07d8259a4a852b6b81c73412bef8a404a2f8
RedLineStealer
3500abcc8f0c8af8f665b03f8bab9c712fe8b4a073ea1f35618e68c7b7075794
RedLineStealer
af7d9d69a2dfbcedc5d2e94cdb681a8ac5356131486129a4ba505a3dc6f2411e
RedLineStealer
b715f22a9e37049d09b06c26ca899c4be3c6c21386f70d6d357b3bd481ee1794
RedLineStealer
ba8e9358ed6bf5b3f2a976850ed3fdccd00ceee0f50a09008b7a957c7c8e2415
RedLineStealer
cbe9dedc91d7a886adf9f3f8a3b01d525279fd935616f10a5eb08f64882f0654
RedLineStealer
ccc6693d703b68b3bd0e697cbff8f1f59cb4b5aed29da770d8000f3dc61917c1
RedLineStealer
+ 165 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230428-2wpewaag2x/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/cbead712-f504-49e0-a667-d03e91bd03a6/
SH256 hash:
0e34f2806be9ed2792a2d39f0c26c7ece08bde350cbe19cecdc27a68f56f5b0f
MD5 hash:
02888b17e48445ce19f20c6884648542
SHA1 hash:
2f511581a6b2d54a0cb72334e588cd28a4606266
Link:
https://www.unpac.me/results/cbead712-f504-49e0-a667-d03e91bd03a6/
SH256 hash:
9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee015f8a2f7b94d7e4fbf3
MD5 hash:
4d9fc9471444c9b6b7e01e4bd0985431
SHA1 hash:
0516ce68fe6941ccf87c185b8886695f475f427c
Link:
https://www.unpac.me/results/cbead712-f504-49e0-a667-d03e91bd03a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee015f8a2f7b94d7e4fbf3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Telegram_Links
Create hunting rule
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner
Rule name:win_gcleaner_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects GCleaner
Rule name:win_vidar_a_a901
Create hunting rule
Author:Johannes Bader
Description:detect unpacked Vidar samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/385616/

Comments