MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21a80acf73e3f20e162bcd9e70aafa28681be230056a51bd92677a554e6d3ad9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21a80acf73e3f20e162bcd9e70aafa28681be230056a51bd92677a554e6d3ad9
SHA3-384 hash: 15b587e568962f9905e77f640c234941416380cadc8dc5c0937e522765b176fe6087ae88e162022c7e33058dabcaf888
SHA1 hash: 4fe6566dc11863d493a7f694c249393f7fcb16b3
MD5 hash: 9123cb4d13520582f72266cdfe2eae59
humanhash: cardinal-iowa-carpet-bravo
File name:Zlmwf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'084'416 bytes
First seen:2021-05-08 06:45:31 UTC
Last seen:2021-05-09 09:14:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:GaPSbvrwbkNr3J8ATm3nxHw8sq66sHN6nMH8pOjQ:vSbUbo3F4AN/H8
Threatray 11 similar samples on MalwareBazaar
TLSH 23356C649BFDCDAED07A257CA03051104AB2FE875703E78C6459BD39AC32702E995B3B
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153003/
Detection(s):
SecuriteInfo.com.Artemis9123CB4D1352.18880.29470.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/717971
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 407915 Sample: Zlmwf.exe Startdate: 08/05/2021 Architecture: WINDOWS Score: 76 50 .NET source code contains potential unpacker 2->50 52 Sigma detected: WScript or CScript Dropper 2->52 8 Zlmwf.exe 4 9 2->8         started        12 App.exe 4 2->12         started        14 App.exe 2 2->14         started        process3 file4 30 C:\Users\user\AppData\Roaming\App.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\Local\Temp\Zlmwf.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\...\zMdjzevkbiltt.vbs, ASCII 8->34 dropped 36 C:\Users\user\...\Zlmwf.exe:Zone.Identifier, ASCII 8->36 dropped 54 Writes to foreign memory regions 8->54 56 Allocates memory in foreign processes 8->56 58 Injects a PE file into a foreign processes 8->58 16 wscript.exe 1 8->16         started        19 Zlmwf.exe 2 8->19         started        38 C:\Users\user\AppData\Local\Temp\App.exe, PE32 12->38 dropped 22 App.exe 12->22         started        24 App.exe 12->24         started        signatures5 process6 dnsIp7 42 Wscript starts Powershell (via cmd or directly) 16->42 44 Adds a directory exclusion to Windows Defender 16->44 26 powershell.exe 24 16->26         started        40 51.222.195.7, 33750, 49724, 49725 OVHFR France 19->40 46 Tries to steal Mail credentials (via file access) 19->46 48 Tries to harvest and steal browser information (history, passwords, etc) 19->48 signatures8 process9 process10 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21a80acf73e3f20e162bcd9e70aafa28681be230056a51bd92677a554e6d3ad9/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eguavt3t4pza4frlzwphbkx2fbubxyrqavvfdpmsm55fkttnhlmq._file
Verdict:
unknown
Similar samples:
0728fd4058762cdab5e5366f0e353fc86437707048e0a5a915a1d2c433a67c7c
RedLineStealer
0a86370c2e094aa16cf56acf57bcc15294e2a66a8c12c1c52794b1ce965cf31e
RedLineStealer
1a3c8d4c234d4766225d3b266d3287d2412c1f7a7349456490971fdd811ce5e7
RedLineStealer
230105e9e7579165b1cfa4088219f9b16723242873b5167f55e639b0b2376b49
RedLineStealer
2afd183ed90b0d240dad19c417fa762da0295aa0614dd20809b406e33ff2304f
RedLineStealer
6e6132e3f3bc119adac878ba65475b581698e8dd7d2169f984bb5eb232f6b3c6
RedLineStealer
85e74e088eaf61b95d366932ff738a2c100eef6f07960860028af7d789063330
RedLineStealer
c28d812d61b0fd0a86fce89b6ad22f29c8ad6c6b37bc88a944a968e35649d766
RedLineStealer
f13627e2828eca6397c7dc7af40f006250e7583857e909615aad94b340bcb30e
RedLineStealer
ff6299f111f535583b9cc7ae47657986e2a8cce1eade0adfb4443aceeca44693
RedLineStealer
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210508-hr25q358q6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
f7e237d76659fb03a6c2a5f715d5140d3c007ba4a2e06637688d4d9730440277
MD5 hash:
0f840cbd77e372159f1eab935c966271
SHA1 hash:
f70c0e7bc354a76394a8049c261da87508200f3c
Link:
https://www.unpac.me/results/274a9438-bd47-4ca7-a66f-d93114a4485b/
SH256 hash:
7bb9bc33ec13b617ed51e0ae5e4469a154733b79aeea6ba33eaba0c5a2b0ab29
MD5 hash:
80cfb65c7a249d444556fa75ad17250b
SHA1 hash:
4d727aef2e0cb6ca28872f39e9557afa1cab430a
Link:
https://www.unpac.me/results/274a9438-bd47-4ca7-a66f-d93114a4485b/
SH256 hash:
df2fdf8648f0c4d088215c9fca04b644616cb4d00e716afb1948a3162fa3981b
MD5 hash:
0218e3fccaa5b194fc4c3fddc147d972
SHA1 hash:
3275c2c285560a411722606a8e5f0c34b33e87df
Link:
https://www.unpac.me/results/274a9438-bd47-4ca7-a66f-d93114a4485b/
SH256 hash:
21a80acf73e3f20e162bcd9e70aafa28681be230056a51bd92677a554e6d3ad9
MD5 hash:
9123cb4d13520582f72266cdfe2eae59
SHA1 hash:
4fe6566dc11863d493a7f694c249393f7fcb16b3
Link:
https://www.unpac.me/results/274a9438-bd47-4ca7-a66f-d93114a4485b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21a80acf73e3f20e162bcd9e70aafa28681be230056a51bd92677a554e6d3ad9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153003/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-08 07:35:46 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [B0023] Execution::Install Additional Program