MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f36088ed9f5ffd4b42d35789113e99d8839edc52e554dbee0969bcad0200cfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	0f36088ed9f5ffd4b42d35789113e99d8839edc52e554dbee0969bcad0200cfb
SHA3-384 hash:	e0607a33f5ae919dcadb3154c837fb65c324232628ba4df34cc717ca9b7a68a9f43b7996ddd1c1238ccbe1353b2fb189
SHA1 hash:	6c5a12188e6befa0cf52ed3c14b695f821fd24ce
MD5 hash:	674bbb246435921097548e2c4b519354
humanhash:	red-carpet-bakerloo-cardinal
File name:	ViewfileQA.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	55'808 bytes
First seen:	2021-06-07 18:18:04 UTC
Last seen:	2021-06-07 18:38:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	768:IyRDScFI5MIBF+7myR7lM6L3gJ+7qnYNOs/x6vQ2GzP:1RDS8GvBF+T7lM6L337FT/x6YP
Threatray	747 similar samples on MalwareBazaar
TLSH	644309027B874366C55C1571C0E31A3503FAE7872A33EB9E3DC402E98E927E69E9974D
Reporter	tildedennis
Tags:	RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ViewfileQA.exe

Verdict:

No threats detected

Analysis date:

2021-06-07 18:21:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/51c2bff0-6d93-416d-91e6-604804202534

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/165082/

Detection(s):

SecuriteInfo.com.Variant.MSIL.Krypt.37.19605.27471.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/798294

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0f36088ed9f5ffd4b42d35789113e99d8839edc52e554dbee0969bcad0200cfb/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-06-07 18:18:11 UTC

AV detection:

8 of 47 (17.02%)

Threat level:

5/5

Verdict:

malicious

Label(s):

masslogger

RedLineStealer

333d2806164361cd0bf4141ef5bcb154d1bc1fc8001ef933bbce0b24a1cbc2bc

RedLineStealer

3eee101d3dc8a6adfb1168bd543bcb2fe419959050878fa47e98cc9587697c26

RedLineStealer

48911ded8eb1be557009ec74a427c92481389c32e01c8a1c8935aa8db52bb558

RedLineStealer

4a9520a7a0c84108e696742a35f72cbd1ceecb341e30e174a5387b7e0a080254

RedLineStealer

641fe8dbcfc7cf68d594eda921ce75269e4d3bb74a02b7116facb091020f0806

RedLineStealer

78cc69e2bac1d1082fdcd12ab9f73c8fbe177d4c77c3741a1f675afc19fde7df

RedLineStealer

7b3b68f664f29eafb166bff755303a2a953ebc7160cd476afbdca3cf154e20e2

RedLineStealer

9b5b44ded4ede28d92834c4db286780a5628d02597a739ff3633f808d47f0939

RedLineStealer

ab0abcde64d8e62223bd2e3f7dbb4fe88a4068c458b57eacc662aaac25bcd1a6

RedLineStealer

+ 737 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210607-wh7j4p5246/

Unpacked files

SH256 hash:

0f36088ed9f5ffd4b42d35789113e99d8839edc52e554dbee0969bcad0200cfb

MD5 hash:

674bbb246435921097548e2c4b519354

SHA1 hash:

6c5a12188e6befa0cf52ed3c14b695f821fd24ce

Link:

https://www.unpac.me/results/8f275e63-0356-4a24-9339-112a8f592000/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/0f36088ed9f5ffd4b42d35789113e99d8839edc52e554dbee0969bcad0200cfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/165082/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample