MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ad27fa8bb7d8258fb1e572c94d107181ba2314a4db4d3222c3e0dc407493b45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 9ad27fa8bb7d8258fb1e572c94d107181ba2314a4db4d3222c3e0dc407493b45
SHA3-384 hash: fd189077147997732362f88bc0140e0cb4689d3bd1fba32e04c0ee45ba3a7f789ae9ef05ee84fbe09c13e3b6ccf4a793
SHA1 hash: b7b0151626c098ef2ac887732e90b76790200b5f
MD5 hash: c67a1736d52b895cac3146b6e7d43f81
humanhash: march-shade-skylark-venus
File name: Lunar_Builder.exe
Signature RedLineStealer
File size: 8'068'096 bytes
First seen: 2022-07-23 13:10:16 UTC
Last seen: 2022-09-21 04:03:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 196608:Z1BPNXt4lrVh8aNN33XkQ5FRf/H3NyAqsJUeDtS7m:Z1BPNXt4lrVjnnXkQHRnXNyARJUz7m
TLSH T1F98633786F98C305F3966B74E4F66582376AAB797A0ECAC1D0052FB93A12E015FC3117
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon f088ac568cdcf0f0 (1 x Nitro, 1 x CoinMiner, 1 x GandCrab)
Reporter milannshrestga
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 400
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Lunar Builder.exe
Verdict: Malicious activity
Analysis date: 2021-10-17 16:22:35 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Sending a custom TCP request
Creating a window
Creating a file in the %temp% subdirectories
DNS request
Creating synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: formbook packed virus
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2021-07-07 07:10:41 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 24 of 26 (92.31%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments