MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b
SHA3-384 hash: 640109ee6bd77859b66105746366b80fad4a8b8377c6a8ea57dc61f40d3424b3ba1d078d490fdff6c1f8b4662d13d364
SHA1 hash: 428e04633bb9fe16cf01fafe79a1aef5a4187ed8
MD5 hash: 28f2e058e623005690ab769aab559644
humanhash: juliet-ten-mountain-crazy
File name:28f2e058e623005690ab769aab559644.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:276'992 bytes
First seen:2021-04-29 18:08:46 UTC
Last seen:2021-04-29 19:04:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 83bd011ef23b4af0fb7ccf87a8ce5854 (2 x ArkeiStealer, 2 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 6144:BnL2O/YT6LrA+jGIlv7xWT7AdA41uOduv4t1V:BnaO/Yq6IJ1omA41uOW47V
Threatray 455 similar samples on MalwareBazaar
TLSH 8244E01179E4C032C492667E8C56DBB48EBB70A524666F8F2FD519F84F253E2DB2430E
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/146800/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/702904
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 18:09:13 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgpnx2yigplyox673ugjnejqxq6hspjeuvoohuqamtnrldbdkn5q._file
Verdict:
malicious
Similar samples:
02f5e35764a466a562681a6fd7d64e85bbb9a3369b66b4234919810f7c1ff9d5
RedLineStealer
20cc86df6047d6350fb5ebc5a1aac365c6c0ca69bb6c6c0e1e3415010d0779b9
RedLineStealer
2e492cb7c8adba1e0e44b44c212802c8e891f0300d93060691e39f4f986da044
RedLineStealer
4c8d1a1d118384df23575d4421f573f9b97d984b295083b329a8ee08709dcfce
RedLineStealer
7b9bd29f5c0787b2937b34493ca5a7128d476dc9f4257643f1fd47d48399eafa
RedLineStealer
9c4589b45940c81fcc8722fa0f96f4b583995df1324a327eefbc276448ea4725
RedLineStealer
a22f7128dc7ec5355df673780cb969b6fbd78a9e58aceeccb042713e5a35f06b
RedLineStealer
defc8c4fa50129d532f0a9bf7a314043fdd3adbf69e46a1b50b9ade98a75926a
RedLineStealer
f01f44864129ba56c115b4c4dcaf8373a1f7996a142e17ffcf4d7f4f875bcdaa
RedLineStealer
f3ec960fde547dac872a3fe8ee59c3beb063457673fcf50480e20c886c7f17fa
RedLineStealer
+ 445 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:118 infostealer
Link:
https://tria.ge/reports/210429-tpx1sf55tx/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine Payload
Malware Config
C2 Extraction:
bumblebee2021.store:80
trusmileveneers.store:80
lazerprojekt.store:80
Unpacked files
SH256 hash:
2e3aa46dc81d14f2d06cf433a6001e21e319c865a9a17399304840132f01afd0
MD5 hash:
091fa34902321dc5010e5ff877d87de7
SHA1 hash:
ee6544cff495d341ca405cd46b0534f7232a23a2
Link:
https://www.unpac.me/results/90b6cb75-bbc0-4769-970b-da8b3711d692/
SH256 hash:
5376db69d806b5502a83df8d1a72b710f85e1cc836e4e99c28f597df579cf2e6
MD5 hash:
72265e2b34f180440c72aede18b7a2a5
SHA1 hash:
cee07fe1b8e187f2c86f416033b2d2318c18144b
Link:
https://www.unpac.me/results/90b6cb75-bbc0-4769-970b-da8b3711d692/
SH256 hash:
1945c220b4f0526f15cdf786499596a903439986d4cad85a340c5f31f86a6e15
MD5 hash:
beb73c5f7f931fe888343a7e27a4d456
SHA1 hash:
67d873cc5301efbe4bcd41fcd45193e939dc83ad
Link:
https://www.unpac.me/results/90b6cb75-bbc0-4769-970b-da8b3711d692/
SH256 hash:
a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b
MD5 hash:
28f2e058e623005690ab769aab559644
SHA1 hash:
428e04633bb9fe16cf01fafe79a1aef5a4187ed8
Link:
https://www.unpac.me/results/90b6cb75-bbc0-4769-970b-da8b3711d692/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/146800/
  
URLhaus
https://urlhaus.abuse.ch/url/1147433/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-29 19:09:12 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
2) [C0049] File System Micro-objective::Get File Attributes
3) [C0051] File System Micro-objective::Read File
4) [C0052] File System Micro-objective::Writes File
5) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
6) [C0040] Process Micro-objective::Allocate Thread Local Storage
7) [C0041] Process Micro-objective::Set Thread Local Storage Value
8) [C0018] Process Micro-objective::Terminate Process
9) [C0039] Process Micro-objective::Terminate Thread