MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521
SHA3-384 hash: b1494aa75b746f1189a92ef3165c2e703aa2ee969d4ba6514e9f03710136ef47aceb1cb925c70a2fac3b35f5d4bf415b
SHA1 hash: 0d04b8139fe71a1736a8168fbf072df61d7d7bd6
MD5 hash: 40ec0e62856036983be04f31ce670fb9
humanhash: carolina-violet-illinois-bulldog
File name:HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'025'984 bytes
First seen:2022-09-21 04:03:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 192:z/TeYoeb67sc8+otH8SESePujd2kTCMZehZtzMuuQzBLerxA/GWeGMEd022XbTFi:z/yYoebe5JotHESxjuM63KI
Threatray 3'294 similar samples on MalwareBazaar
TLSH T10A95B071496B50CCD9FFA4516AC2E79CDE471F442A7CB0AB941C4A6B8B12004EF72F7A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter petikvx
Tags:exe Ransomware RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
323
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
makop
Create hunting rule
ID:
1
File name:
mc_b12.exe
Verdict:
Malicious activity
Analysis date:
2021-08-05 20:32:09 UTC
Tags:
ransomware makop oled evasion
Link:
https://app.any.run/tasks/41482d97-25c8-4435-b0cb-653d732b36d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311858/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.772.12910.25732.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Launching a process
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Creating a window
Moving a file to the Program Files subdirectory
Deleting volume shadow copies
Creating a file in the mass storage device
Adding exclusions to Windows Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632a8d7b36ba812561a5ee3a/reports/2883d96e-a125-4802-be4a-38ca24ad4de5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Phobos Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/036f2896-7026-4879-8ceb-4dde1ade83e4
Result
Threat name:
Makop, Oled
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074265
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Makop ransomware
Yara detected Oled Ransomware
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 706807 Sample: 5y4GrPbpA9.exe Startdate: 21/09/2022 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 9 other signatures 2->66 8 5y4GrPbpA9.exe 6 7 2->8         started        12 wbengine.exe 3 2->12         started        14 vds.exe 2->14         started        17 vdsldr.exe 2->17         started        process3 dnsIp4 54 C:\Users\user\AppData\...\5y4GrPbpA9.exe.log, ASCII 8->54 dropped 56 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->56 dropped 72 Adds a directory exclusion to Windows Defender 8->72 74 Writes many files with high entropy 8->74 76 Injects a PE file into a foreign processes 8->76 19 5y4GrPbpA9.exe 9 8->19         started        23 powershell.exe 18 8->23         started        25 AdvancedRun.exe 1 8->25         started        78 Creates files inside the volume driver (system volume information) 12->78 58 192.168.2.1 unknown unknown 14->58 file5 signatures6 process7 file8 46 C:\ProgramData\Adobe\ARM\S\436\AdobeARM.msi, DOS 19->46 dropped 48 AdobeARM.msi.[71B4...q.com].makop (copy), DOS 19->48 dropped 50 C:\Users\user\Desktop\...\HQJBRDYKDE.pdf, data 19->50 dropped 52 24 other files (22 malicious) 19->52 dropped 68 Creates files in the recycle bin to hide itself 19->68 70 Modifies existing user documents (likely ransomware behavior) 19->70 27 cmd.exe 1 19->27         started        30 5y4GrPbpA9.exe 2 19->30         started        32 conhost.exe 23->32         started        34 AdvancedRun.exe 25->34         started        signatures9 process10 signatures11 80 May disable shadow drive data (uses vssadmin) 27->80 82 Deletes shadow drive data (may be related to ransomware) 27->82 84 Deletes the backup plan of Windows 27->84 36 conhost.exe 27->36         started        38 wbadmin.exe 3 27->38         started        40 vssadmin.exe 1 27->40         started        42 WMIC.exe 27->42         started        44 5y4GrPbpA9.exe 30->44         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-05 19:14:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jbmgvvwuislyvlchg3yfx3zhkhkjskooesyypwrz3xcnbsexsuqq._file
Verdict:
malicious
Similar samples:
43a062acd30484965319e8a817402ec33f3733cb9b9544d5efb7f76ddd4b4237
RedLineStealer
47c064565ab56878166a8eadab62d8463730988df14c5c06ed9a319aa45eaae6
RedLineStealer
4d8c698bf4dd87a8e8e69d4941576dcab345b5e9e12bc9233711a7d2db23d858
RedLineStealer
4f166ddf1cb703473aab067ef7042038b536a0c7c81803e8a29545e20d800cac
RedLineStealer
800b4455105a08833332092017909f9dd47bd4ebfb1cbddbe0b95658d03b8d64
RedLineStealer
8f348bddd7f0130d5cb44993275cc8fa322b48e0a54ec61dc8449dd20d02fd75
RedLineStealer
c9975525ec628621b49048340bf4d1bc0c46fb96263885682dc4832549391221
RedLineStealer
e358b710d57d85fdfaf26cbec319efd66c1827629ce4b270b5ad80ea367e3e20
RedLineStealer
f26badc088e1178d2ed4428a9f85c507925b15f39d3cc7ff477fb80a7bde5f82
RedLineStealer
+ 3'284 additional samples on MalwareBazaar
Result
Malware family:
makop
Create hunting rule
Score:
  10/10
Tags:
family:makop evasion ransomware trojan
Link:
https://tria.ge/reports/220921-emxzbsaeem/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Windows security modification
Deletes backup catalog
Executes dropped EXE
Stops running service(s)
Deletes shadow copies
Nirsoft
Makop
Modifies Windows Defender Real-time Protection settings
Suspicious use of NtCreateUserProcessOtherParentProcess
Turns off Windows Defender SpyNet reporting
Windows security bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/01e2dfa6-8e4a-4c7f-8aab-9db1b1fd67ba
Unpacked files
SH256 hash:
e4807fa18843d662c5ef8c9c84f89b7b94ed234017c88e78fc7b286a47c503aa
MD5 hash:
e888c0380e7ccd0a1deb1d091039b7fe
SHA1 hash:
e65df27fda9dd9043c037d4e04dffd53bf11926a
Link:
https://www.unpac.me/results/48921f13-5259-4e6a-88a5-1dc100f29c53/
SH256 hash:
c863974a67d67e03ed085cbba4c8b4e97b738dc0b29533a558ef9b7e4d5fb3ba
MD5 hash:
94b7dbf6ce3c98d49f3e6d06199aae67
SHA1 hash:
cd106ee3065ce4af6c9fbc7bcd041df7ff6563b4
Detections:
win_makop_ransomware_w0
Create hunting rule
Link:
https://www.unpac.me/results/48921f13-5259-4e6a-88a5-1dc100f29c53/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/48921f13-5259-4e6a-88a5-1dc100f29c53/
SH256 hash:
48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521
MD5 hash:
40ec0e62856036983be04f31ce670fb9
SHA1 hash:
0d04b8139fe71a1736a8168fbf072df61d7d7bd6
Link:
https://www.unpac.me/results/48921f13-5259-4e6a-88a5-1dc100f29c53/
Malware family:
Makop
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/48586ad6d444/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311858/

Comments