MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297
SHA3-384 hash: 8afa967423bfc66ea3523f42341e023be85a87ef1731d209008e21320746eee1869ca80ad2aacbdbd9d968ee0d39e7f3
SHA1 hash: c825fb4d24ef6f3b05a9d0d4df6e1cb513b56f27
MD5 hash: 6ce4ae01149b9e7a5a18bd7d017cf972
humanhash: hot-floor-wolfram-sink
File name:kdld.exe
Download: download sample
File size:4'241'408 bytes
First seen:2022-07-02 16:14:24 UTC
Last seen:2022-07-02 16:47:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:UtPyqkL1aNJdIBEwpJCXrsBnioWx4d/5ZASrX66ZzwrODQTOEsZMebzZlm:U9o83cFJCunpF5ZAKVZk0QTODVHZlm
Threatray 145 similar samples on MalwareBazaar
TLSH T1A21633CEE90A2C3AC54B09B57F6A4C44ABC685BE67837F8F03E611D639C7962B144CD4
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter iam_py_test
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
RiseChanger.exe
Verdict:
Malicious activity
Analysis date:
2022-07-02 16:07:56 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/0a03a94c-3226-4e9d-9825-452390ecf444

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/285097/
Detection(s):
SecuriteInfo.com.W64.Agent.EBR.genEldorado.11420.16151.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Running batch commands
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/62c06f0b76fa5a59943c1c1c/reports/6f5cf2de-1eac-465b-9917-d4c74487ea6f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
YTStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43a16455-4d18-48ef-9e8f-a0a73fbf4851
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1023550
Signature
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 656045 Sample: kdld.exe Startdate: 02/07/2022 Architecture: WINDOWS Score: 56 16 Multi AV Scanner detection for submitted file 2->16 18 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->18 7 kdld.exe 2->7         started        process3 signatures4 20 Tries to harvest and steal browser information (history, passwords, etc) 7->20 10 cmd.exe 1 7->10         started        process5 process6 12 conhost.exe 10->12         started        14 choice.exe 1 10->14         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297/
Threat name:
Win64.Infostealer.BroPass
Create hunting rule
Status:
Malicious
First seen:
2022-07-02 16:15:21 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=goiceckkc4s24fvyublr7ihmimqzjlytghdjhfbfjry6sqtrsklq._file
Verdict:
unknown
Similar samples:
1ed83cdde85305c31792de47f0b027895d9abf19382e571306b1ff6e9dc91ed6
27e097f778ff901a6ab3ec22ab871e5185328dd9243654087fa52926337d012f
37c78bff561491a320de992ff41277fd830e100c5ae3e7e83427f854b13c6355
3fd03e97e6f2458b005bdce0947812b5eba12f37580e4a961730fee4868b0fa4
4daa899b29dadd8692bdb7aa02d38fcfd53f720970b9429ac7e1380f0baa4c91
67b332100d772722736d2fd90514ef2af23d84e800c880155f3da38a21fea829
bec113f52e725b1e43720bb9ab1faece1043fc4562f1de3c3d43c1cfc97f2ada
c008dae28d28d9b7601321ca95b5785c346681b7b202ef8d1b43e43197baf1b7
c163314e4b432b5bd2955f79a65ce05d0ff92e4cad74c6e2685424946dd87363
d0733e6d63cc945305a0cd7aa12b86b75d0c6840f7d9ec853aca379c18c22528
+ 135 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer upx
Link:
https://tria.ge/reports/220702-tp8k6sgbfm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
a5b0b91f2590d81e1460591367a39d59d6cc629fb51de6465410c583ab790ee1
MD5 hash:
01338975ba2460875260fbde4244d67e
SHA1 hash:
c5888e57d83e8d301260400db4cb84c9dabea8a0
Link:
https://www.unpac.me/results/492dc4e5-dbbf-4243-bb8a-dcb2a082b8ef/
SH256 hash:
339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297
MD5 hash:
6ce4ae01149b9e7a5a18bd7d017cf972
SHA1 hash:
c825fb4d24ef6f3b05a9d0d4df6e1cb513b56f27
Link:
https://www.unpac.me/results/492dc4e5-dbbf-4243-bb8a-dcb2a082b8ef/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

rar 93d0f20b6f99e830bd77a28ed91b53fa904280e4b2ab75a92d99a5056f3a4952

RedLineStealer

Executable exe e0ff8d0d8988b4804a0442c0185f5e200849ad725a301678af8fd2c3ac81182c

Executable exe 339022094a1725ae16b8a0571fa0ec432194af1331c69394254c71e942719297

(this sample)

anyrun
any.run
https://app.any.run/tasks/0a03a94c-3226-4e9d-9825-452390ecf444#
  
Dropped by
SHA256 e0ff8d0d8988b4804a0442c0185f5e200849ad725a301678af8fd2c3ac81182c
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/285097/
  
Dropped by
MD5 b5d26e5a6cf0eb72d54f6fefd87ceffb

Comments