MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a69b4e5b81128406fd2d580b13e8efc633a1af50c80ab5ee6c0be8c4b241a28b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	a69b4e5b81128406fd2d580b13e8efc633a1af50c80ab5ee6c0be8c4b241a28b
SHA3-384 hash:	7cf42a916501c44b373db26cac3cf408efb7cda377d9d1cbe60eb14db00a9c70b0b6b580484795bf939b13fc3d425595
SHA1 hash:	26bdf06b010c27c919a904a738becbdc0c482d0b
MD5 hash:	6d9a74c2e38cae6f2bd5b81c529ef782
humanhash:	echo-fruit-white-monkey
File name:	SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.23033.9046
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'551'872 bytes
First seen:	2021-10-01 18:10:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:PQtKC/2Sn+UZ7k3uqaZcFXokezj6E/gVSrhrnhnIeeF0zs3DSq/IwrBezalZpAR2:0nn+UZYOZpQ/
Threatray	9'832 similar samples on MalwareBazaar
TLSH	T1B075929C3650B6DFC85BCE728AA81C64EA6074BA830FD243A01715EDDA4DA97CF145F3
File icon (PE):
dhash icon	f4fafce4e8f896e0 (3 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.23033.9046

Verdict:

Suspicious activity

Analysis date:

2021-10-01 18:19:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4ebe2d23-a6a1-40f6-bc5e-477c119d151b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/194038/

Detection(s):

SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.23033.9046.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d233b459-5bd3-4723-92a4-63fe99946bcc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/862849

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/a69b4e5b81128406fd2d580b13e8efc633a1af50c80ab5ee6c0be8c4b241a28b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-19 16:41:42 UTC

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

RedLineStealer

3e27409e26109793a8a424e232d605acf75360ac30027f5553f780b06ca0dffb

RedLineStealer

4251026babadcdbe35d2bd5ac89c51f3a1752df2c49ff6fdb352ba5c1b509245

RedLineStealer

441a0a46bcdfdee8c8b6761798e75a65204eac43b47547557604f80f26b87e95

RedLineStealer

59ced73cabf35385aaedb67d1b0cd813cc16f5f8e056add78cf50f3abc28351a

RedLineStealer

6db6324fe282260a224e77fff9bdad3240a63d48ac587f2a701785ea69c317a5

RedLineStealer

8b39bf75ce8ca2ecadafeb01a2ff33fc07419198e5b222bf20385ecbf2da0ff4

RedLineStealer

9998ff1d42d8af0fcc166bea36887eebf182e91d1816853d9f80e6cbbbaf9145

RedLineStealer

c5e2e6ca1132790699601f8a322bf098ecfc4001063a94ba0fb1861e73748fd7

RedLineStealer

cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017

RedLineStealer

+ 9'822 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:4psn loader rat

Link:

https://tria.ge/reports/211001-wr2lrachd9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.leqi166.com/4psn/

Unpacked files

SH256 hash:

1dd6a152739479ce4fa562c5070fbb22e73688ac5bba113149d94e32e9006366

MD5 hash:

3903ec5d571981ba9c277550311852ad

SHA1 hash:

b291ab771c7bac078973aaffde8bfbb6c32ac5b5

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/c0b653e2-df16-4004-9f9d-9458b1e06d97/

Parent samples :

1b10d999126d02956f9d2fec22e0d83b560a5fa8fd873628a6df5650fefe48fd
72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e
f0663d68ada4b6037f092567cd91968cbadf27b2c994b100ed506235b11cf172
3e27409e26109793a8a424e232d605acf75360ac30027f5553f780b06ca0dffb
a69b4e5b81128406fd2d580b13e8efc633a1af50c80ab5ee6c0be8c4b241a28b
4251026babadcdbe35d2bd5ac89c51f3a1752df2c49ff6fdb352ba5c1b509245

SH256 hash:

e7649236134abf9f0a89f90630cb457fed23551d54b298259a6925f6a638d06b

MD5 hash:

128e40ac3ea4e9a88c69c2a84d1a018e

SHA1 hash:

892d5e2aa3ea437a1f30dbf8a21d850cf3842925

Link:

https://www.unpac.me/results/c0b653e2-df16-4004-9f9d-9458b1e06d97/

SH256 hash:

276912e14ee201ae382bd823edc518521ddc3cc34dadee2662941cfd3ea21a99

MD5 hash:

c10fe0b032ee2139580842ed8f4158db

SHA1 hash:

35983629080fc495acfe519847f4782afdc130c6

Link:

https://www.unpac.me/results/c0b653e2-df16-4004-9f9d-9458b1e06d97/

SH256 hash:

a69b4e5b81128406fd2d580b13e8efc633a1af50c80ab5ee6c0be8c4b241a28b

MD5 hash:

6d9a74c2e38cae6f2bd5b81c529ef782

SHA1 hash:

26bdf06b010c27c919a904a738becbdc0c482d0b

Link:

https://www.unpac.me/results/c0b653e2-df16-4004-9f9d-9458b1e06d97/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.71

Link:

https://yomi.yoroi.company/submissions/a69b4e5b81128406fd2d580b13e8efc633a1af50c80ab5ee6c0be8c4b241a28b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/194038/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample