MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6861164d09d90910f41f977e32f0d4ecf23441c143b56f3b2a12fdd1d2d8da20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6861164d09d90910f41f977e32f0d4ecf23441c143b56f3b2a12fdd1d2d8da20
SHA3-384 hash: 9410437c86817965c57200a03b47b32daccb26c3c07eb613920bdd86186a84f4ec71170070a262cea3031ea0cb5d667a
SHA1 hash: 2b7b0947c3f4dcd2f28b87aff2f2c8b821300d3a
MD5 hash: c9da7eeb35209ea9a47fcde193e77266
humanhash: nine-wisconsin-two-two
File name:c9da7eeb35209ea9a47fcde193e77266
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:787'504 bytes
First seen:2021-09-21 10:45:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:XZG+/gecNU2zqX6lUB2AkeR3ACtjm94vD0n5P+MmZZL:pG7DNgWUB2AkeR3APuLWI
Threatray 22 similar samples on MalwareBazaar
TLSH T1C8F48CA077F89A25E6EE3731F030466827F7F80AA57DD34D9906E4AE1D82B814D507B3
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://km.popmonster.ru/75796491.exe
Verdict:
Malicious activity
Analysis date:
2021-09-14 02:36:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d3f1fde9-cec6-4f62-9839-8e79c0063f73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189838/
Detection(s):
SecuriteInfo.com.Malware.AI.1767554360.29023.9314.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5869ee9b-b551-42ab-bff9-c2dd81c2e490
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/854783
Signature
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487212 Sample: bSoYkVJOso Startdate: 21/09/2021 Architecture: WINDOWS Score: 76 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected AntiVM3 2->39 8 bSoYkVJOso.exe 6 2->8         started        12 service.exe 2 2->12         started        process3 file4 29 C:\Users\user\AppData\...\bSoYkVJOso.exe, PE32 8->29 dropped 31 C:\Users\...\bSoYkVJOso.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\...\bSoYkVJOso.exe.log, ASCII 8->33 dropped 43 Writes to foreign memory regions 8->43 45 Injects a PE file into a foreign processes 8->45 14 bSoYkVJOso.exe 3 8->14         started        18 powershell.exe 18 8->18         started        47 Multi AV Scanner detection for dropped file 12->47 signatures5 process6 file7 35 C:\Users\user\AppData\Roaming\service.exe, PE32 14->35 dropped 49 Multi AV Scanner detection for dropped file 14->49 20 cmd.exe 1 14->20         started        23 conhost.exe 18->23         started        signatures8 process9 signatures10 41 Uses schtasks.exe or at.exe to add and modify task schedules 20->41 25 conhost.exe 20->25         started        27 schtasks.exe 1 20->27         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6861164d09d90910f41f977e32f0d4ecf23441c143b56f3b2a12fdd1d2d8da20/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 18:54:26 UTC
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
10a5bbeeb39216bde492a246b1b003bcb2d7c0895dea287b5f8ad4f3428ef3cc
RedLineStealer
3b7d5786e440b36bd5a12e1293465683353c7dd3b843eef7a0313b7a0245ccc2
RedLineStealer
409f15acc9e425d5f0cd8f1c6820b44067b5628c60a3a58114db3abf1196215b
RedLineStealer
4fba7e249712965407354d147dc082ea3b69c76ef50d232becb6f626184bd8c4
RedLineStealer
6e1f730a547e9168139aea155ea6ea02f788b4c0011541ef6f424fd5dc20f1fd
RedLineStealer
ae3f08ee06ddd2f9080d22a345aa9a5862b64f9a90001244b035ceac8b54dc24
RedLineStealer
bb56b47dae434fc40a2c391c1901232bb2d43c90dfca1c282667f954fdc3da92
RedLineStealer
db1d1d237d2c8cd79f1b82eaf0d773ee15f8a5234a3c2bfb89a6b10c95d3825b
RedLineStealer
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210921-mtzqhabhbq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
7892af50a47b18c0a71aa0ebfe71e274c82333876294ddb7c08cad569c4ef1ec
MD5 hash:
5e77b147f3fef67d4476e4eb96156837
SHA1 hash:
e02683f9f2c47b7e3792dcccd345903df25cb598
Link:
https://www.unpac.me/results/7e963039-54a2-44b3-8059-4febfa5af0a4/
SH256 hash:
c541e5825a57350329de14ae1f4d53d16b00c3f60f5a639f96920cc4aa52e6a3
MD5 hash:
45a1f5abde059b00099afb2d3ee430ad
SHA1 hash:
1cc56cb1588fea0ce937b767fb08110ca49f1081
Link:
https://www.unpac.me/results/7e963039-54a2-44b3-8059-4febfa5af0a4/
SH256 hash:
c218f64bc0bebb1b09a577c1808c41f40336b3a6f61e53646a47d205fdcee568
MD5 hash:
a0747d6f3a86b863160c16a03fb8129c
SHA1 hash:
dbdd4704318d059a5a31ec8b75a7b975bb4b8dc5
Link:
https://www.unpac.me/results/7e963039-54a2-44b3-8059-4febfa5af0a4/
SH256 hash:
6861164d09d90910f41f977e32f0d4ecf23441c143b56f3b2a12fdd1d2d8da20
MD5 hash:
c9da7eeb35209ea9a47fcde193e77266
SHA1 hash:
2b7b0947c3f4dcd2f28b87aff2f2c8b821300d3a
Detections:
win_karkoff_auto
Create hunting rule
Link:
https://www.unpac.me/results/7e963039-54a2-44b3-8059-4febfa5af0a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6861164d09d90910f41f977e32f0d4ecf23441c143b56f3b2a12fdd1d2d8da20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_karkoff_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6861164d09d90910f41f977e32f0d4ecf23441c143b56f3b2a12fdd1d2d8da20

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1638212/
Cape
Cape
https://www.capesandbox.com/analysis/189838/

Comments


Avatar
zbet commented on 2021-09-21 10:45:19 UTC

url : hxxp://km.popmonster.ru/75796491.exe