MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08dbec2319a6dc6fc42ac20e63560ff2796b9106ab9cfd4ea3974b45460f4c6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6


SHA256 hash: 08dbec2319a6dc6fc42ac20e63560ff2796b9106ab9cfd4ea3974b45460f4c6b
SHA3-384 hash: 119cdc29f686757ce2c4f12476aca4dc46eb1fc051d6f5c2be955acfadae2cb89ea34fff8e50f42f7528341caf84c7dd
SHA1 hash: f347872032eba7c0a83e3b02a320d0ff822a41f1
MD5 hash: 1e43d60694f42e1c1360f484a3d8af44
humanhash: bacon-vegan-alabama-glucose
File name: atikmdag-patcher 1.4.7.exe
Signature: RedLineStealer
File size: 6'594'406 bytes
First seen: 2021-01-19 00:48:03 UTC
Last seen: 2021-01-19 02:50:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 196608:2c6/CelR7xEVbjM9cDUki5i3RNahYvKUriOJ8:2c6KelRhyDUXq3GYCS8
Threatray: 199 similar samples on MalwareBazaar
TLSH: A366123FB268643ED4AA4B3245B39360987BBB61741A8C2E13F4495CCF6B5701E3F616
Reporter: o2genum
Tags: RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 163
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: atikmdag-patcher 1.4.7.exe
Verdict: No threats detected
Analysis date: 2021-01-19 00:51:22 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a process with a hidden window
Running batch commands
Launching a process
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Threat name: Quasar RedLine
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100

Signatures
Deletes shadow drive data (may be related to ransomware)
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Submitted sample is a known malware sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Quasar RAT
Yara detected RedLine Stealer
Behaviour

Behavior Graph ID: 341208; Sample: atikmdag-patcher 1.4.7.exe; Startdate: 19/01/2021; Architecture: WINDOWS; Score: 100

The behavior graph, rendered as a process tree (dropped files, network contacts and per-node signatures are listed under the process that produced them):

Start (sample atikmdag-patcher 1.4.7.exe)
  network: ip-api.com
  signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 12 other signatures
  atikmdag-patcher 1.4.7.exe
    dropped: C:\Users\user\...\atikmdag-patcher 1.4.7.tmp (PE32)
    atikmdag-patcher 1.4.7.tmp
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      atikmdag-patcher 1.4.7.exe
        dropped: C:\Users\user\...\atikmdag-patcher 1.4.7.tmp (PE32)
        atikmdag-patcher 1.4.7.tmp
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\is-IROJ0.tmp (PE32); C:\Program Files (x86)\...\is-9EU2S.tmp (PE32); C:\Program Files (x86)\...\is-19SUS.tmp (PE32)
          keep.exe
            network: bitbucket.org 104.192.141.1:443 (AMAZON-02US, United States); s3-1-w.amazonaws.com 52.216.200.123:443 (AMAZON-02US, United States); bbuseruploads.s3.amazonaws.com
            dropped: C:\Users\user\AppData\Local\...\stpopit.exe (PE32); C:\Users\user\AppData\Local\Temp\rt.exe (PE32); C:\Users\user\AppData\Local\...\rt[1].exe (PE32); C:\Users\user\AppData\...\stpopit[1].exe (PE32)
            stpopit.exe
              signature: Machine Learning detection for dropped file
              cmd.exe
                cmd.exe
                  signatures: Obfuscated command line found; Uses ping.exe to sleep
                  Da.com
                  findstr.exe
                    dropped: C:\Users\user\AppData\Local\Temp\...\Da.com (Targa)
                  certutil.exe
                  PING.EXE
                conhost.exe
                certutil.exe
              cmd.exe
                conhost.exe
            rt.exe
              cmd.exe
                cmd.exe
                  Appare.com
                    signature: Drops PE files with a suspicious file extension
                    Appare.com
                      network: ZxBgABegmSFyMxWuKGRJDopFhZDrh.ZxBgABegmSFyMxWuKGRJDopFhZDrh; 192.168.2.1
                      dropped: C:\Users\user\AppData\...\hOVfzhxptF.com (PE32); C:\Users\user\AppData\...\hOVfzhxptF.url (MS); C:\Users\user\AppData\Local\...\RegAsm.exe (PE32)
                      signature: Injects a PE file into a foreign processes
                  PING.EXE
                    network: 127.0.0.1
                  findstr.exe
                    dropped: C:\Users\user\AppData\Local\...\Appare.com (Targa)
                  certutil.exe
                conhost.exe
                certutil.exe
              cmd.exe
                signature: Submitted sample is a known malware sample
                conhost.exe
          atikmdag-patcher 1.4.7.exe
  rundll32.exe
  rundll32.exe
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer persistence spyware
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files

SHA256 hash: add43742c795370939b628e2c7f301ba7f12d9dfcf0bc42a2a571daade675c5f
MD5 hash: 89e2622c6adcbc3795828d1d8499fb38
SHA1 hash: 85c2a2693b6e14d8c2b3da518b89b57a8fa9bf9f

SHA256 hash: 476ee34ee6778452d4a66295a6d5f425dff80130c3cd71c62225f9ed3f4b332b
MD5 hash: b50f36ec53cdc8ec24cb7f4224de8d19
SHA1 hash: 6bcd00f674b0c0328fafc5c8c93b6625454bce20

SHA256 hash: 40b2d087c73154e173aea536badba87306313b1254433936be237acdabf2a1c8
MD5 hash: 1ce29d1453a99e596cd40dabb2c025fc
SHA1 hash: 5b81b13b850b786f23b44c02077a821cd8fe88d7

SHA256 hash: a43522b8be197d4097bc7a04ac42e7bfb7e085e39969b58d0e4f2e7ff4cbc0f5
MD5 hash: db27920346f23c1d742ec0722426417e
SHA1 hash: adf18d452653e13ab5518706ea9c4c492a46f4f7

SHA256 hash: 08dbec2319a6dc6fc42ac20e63560ff2796b9106ab9cfd4ea3974b45460f4c6b
MD5 hash: 1e43d60694f42e1c1360f484a3d8af44
SHA1 hash: f347872032eba7c0a83e3b02a320d0ff822a41f1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_KB_CERT_21c9a6daff942f2db6a0614d
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: 08dbec2319a6dc6fc42ac20e63560ff2796b9106ab9cfd4ea3974b45460f4c6b (this sample)
