MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1212ac208df0962b7d1347b0dadbbd54e83b9dd4d30c45f760544f27e9c0f7b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1212ac208df0962b7d1347b0dadbbd54e83b9dd4d30c45f760544f27e9c0f7b5
SHA3-384 hash: 0d7b5ebf2d7c2e269eb5b4c3373a4e2dcd156b733d5b29d86ccc414189430119c2334a4e2dd42dba68c78b5facd3c0e5
SHA1 hash: 3c898f7fcb8d629b319e2ffe82857257fe1f21d5
MD5 hash: ce9900e14a97293121190bfe5c0beb8a
humanhash: four-kilo-winter-earth
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'591'264 bytes
First seen:2022-12-03 19:09:45 UTC
Last seen:2022-12-03 20:27:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2272bd1fadcc3c967b255c33596d9f56 (2 x LgoogLoader, 2 x RedLineStealer)
ssdeep 49152:jN7UKV/itZgVKsYlkbEkX+zFdEMcAs6dn:J7UKVAgVnbJg7nB
Threatray 15'984 similar samples on MalwareBazaar
TLSH T184752209A7E15872DD66067094B84BB11238F831A7AECB4773C10B2DED713F16E6678B
TrID 52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.5% (.EXE) Win32 Executable (generic) (4505/5/1)
3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 008af2bebe9ec2c0 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:*.fandom.com
Issuer:GlobalSign Atlas R3 DV TLS CA 2022 Q2
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-29T16:20:14Z
Valid to:2023-06-30T16:20:13Z
Serial number: 0140594ccaad5348bfaf7de297272e29
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b9a4a4ad15961c232d38e7d1b2728674e8e45e7efce6b24093ef3f571168f1d8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://91.213.50.36/files/spacemen.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-03 19:10:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9ae63e0f-16b9-4210-a167-e08974874bd3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342336/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.173537.12887.20282.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/638b9f0d527933be940d3fdc/reports/9b69abc7-88da-4616-bafd-abbcd48f6b2e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46856096-1d07-45db-8262-54e33e05fa36
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1127185
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide a thread from the debugger
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1212ac208df0962b7d1347b0dadbbd54e83b9dd4d30c45f760544f27e9c0f7b5/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-12-03 19:10:12 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
14 of 41 (34.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cijkyien6clcw7iti6ynvw55ktudxhou2mgel53akrhsp2oa662q._file
Verdict:
malicious
Similar samples:
2c3310a45db53d2bc092521b417c9434c919dce00876b386e39a5b7cffa3c58f
RedLineStealer
2c989418ee6df1ae08f2332ca25edc3c7ace2aa9f8ef710b80857c500b4f4c01
RedLineStealer
3c645242b178e6248f189ace55b2c3c0af905b5f35a0cc7d03600dd148ae915a
RedLineStealer
44212fc0e7338e59097d84235ef677051327e3486960b2801099ab57f51de83a
RedLineStealer
44593f2948e2800c83e9d21abb9759e206ea94385ee5c0ddc9dc6a3e4d09273d
RedLineStealer
616812fc478db8cb2f4be4aae6094fb9e93ca2449c9b0841beeb9f7960914437
RedLineStealer
94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900
RedLineStealer
9decea735b00c1885b133ce7b7350ae65ec33a1c9663ec22d34216e425b18168
RedLineStealer
cf944362d88ca9e50ddba1ac4661c6185e9d2be1727ec4c78bb003fa3f4a9309
RedLineStealer
e9d2fc84653ded9e3b6a95d30ac8c86cd7dae65319238c9810277bee34c4d5d6
RedLineStealer
+ 15'974 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221203-xvc81abh3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/674c9152-a546-47ff-abc4-6b44498cff0a
Unpacked files
SH256 hash:
898fcbeb6d96f4bca4aa219da850c4c3c0c147324f4620dbe9818d7181cee75b
MD5 hash:
9c9262060325dff56d8c539dc4f9226b
SHA1 hash:
8d24d3e3fe4e3e623c2b9f27ca61c1aa8718b5f1
Link:
https://www.unpac.me/results/17c59df7-8c1c-4a5e-9163-074460580235/
SH256 hash:
1212ac208df0962b7d1347b0dadbbd54e83b9dd4d30c45f760544f27e9c0f7b5
MD5 hash:
ce9900e14a97293121190bfe5c0beb8a
SHA1 hash:
3c898f7fcb8d629b319e2ffe82857257fe1f21d5
Link:
https://www.unpac.me/results/17c59df7-8c1c-4a5e-9163-074460580235/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/1212ac208df0962b7d1347b0dadbbd54e83b9dd4d30c45f760544f27e9c0f7b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/342336/

Comments