MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c6c8607e92b11d98f26540f84a922a74938bddbf5ab3c6f32619168963b4f50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c6c8607e92b11d98f26540f84a922a74938bddbf5ab3c6f32619168963b4f50
SHA3-384 hash: 9aa00fea773d8f73afbc8a098edf1a9660092eefd6789981c5451d8c12e371227359395ec6e0f36d0eee105fac4754ed
SHA1 hash: 5a872dc9324fa05b3dde0e2bc639d65a129401c4
MD5 hash: 60d014bb9981fef3b7eb88f64cf8f4fe
humanhash: xray-harry-bravo-blue
File name:Ujmadjok.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:603'648 bytes
First seen:2021-05-11 06:42:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:o1WHFMw7Y9MA59CyMAn00su197k2851Jw4+I7LXoWiGmQDwzPr70qkSj5pqBQkMF:lH+w09tVyuzAz5+I7LXoWiGmQDwzPr71
Threatray 29 similar samples on MalwareBazaar
TLSH CAD412496E09A802CA4E6D37D1E50EF043313D76E052D6796B8C3281DAF3BDE7A5D06E
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154821/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/778851
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 411252 Sample: Ujmadjok.exe Startdate: 11/05/2021 Architecture: WINDOWS Score: 88 44 Multi AV Scanner detection for submitted file 2->44 46 .NET source code contains potential unpacker 2->46 48 Machine Learning detection for sample 2->48 50 Sigma detected: WScript or CScript Dropper 2->50 8 Ujmadjok.exe 4 9 2->8         started        12 Data.exe 2 2->12         started        14 Data.exe 2 2->14         started        process3 file4 26 C:\Users\user\AppData\Roaming\Data.exe, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\Ujmadjok.exe, PE32 8->28 dropped 30 C:\Users\user\...\Data.exe:Zone.Identifier, ASCII 8->30 dropped 32 3 other malicious files 8->32 dropped 52 Writes to foreign memory regions 8->52 54 Injects a PE file into a foreign processes 8->54 16 wscript.exe 1 8->16         started        19 Ujmadjok.exe 2 8->19         started        56 Multi AV Scanner detection for dropped file 12->56 58 Machine Learning detection for dropped file 12->58 signatures5 process6 dnsIp7 36 Wscript starts Powershell (via cmd or directly) 16->36 38 Adds a directory exclusion to Windows Defender 16->38 22 powershell.exe 26 16->22         started        34 51.222.195.7, 30351 OVHFR France 19->34 40 Multi AV Scanner detection for dropped file 19->40 42 Machine Learning detection for dropped file 19->42 signatures8 process9 process10 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c6c8607e92b11d98f26540f84a922a74938bddbf5ab3c6f32619168963b4f50/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 06:43:19 UTC
AV detection:
8 of 47 (17.02%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=drwimb7jfmi5tdzgkqhyjkjcu5etrpo36wvty3zsmgiwrfr3j5ia._file
Verdict:
unknown
Similar samples:
0728fd4058762cdab5e5366f0e353fc86437707048e0a5a915a1d2c433a67c7c
RedLineStealer
230105e9e7579165b1cfa4088219f9b16723242873b5167f55e639b0b2376b49
RedLineStealer
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
RedLineStealer
553b47b0f65169baa0d9da7945dc86ac597400e7aadc8ce50e0c5481dd60ea24
RedLineStealer
85e74e088eaf61b95d366932ff738a2c100eef6f07960860028af7d789063330
RedLineStealer
9cc5b0fd79e8aa94ce95bd47d074b18583b0690881d742841848aff2865f3714
RedLineStealer
a608e12ae5bb4560a9ca9d4be49ddf2e04a3cb65ff3367b5bd8e4a8cc9325a48
RedLineStealer
aa8387d7f0ca4dd4df76445ce68a9851356a9407084c999190baf887ff617bfe
RedLineStealer
b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865
RedLineStealer
c28d812d61b0fd0a86fce89b6ad22f29c8ad6c6b37bc88a944a968e35649d766
RedLineStealer
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210511-d7xy8s3pxa/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c6c8607e92b11d98f26540f84a922a74938bddbf5ab3c6f32619168963b4f50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154821/

Comments