MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c
SHA3-384 hash: 5c88a4d500883fe485f2b54738c54305a400b0da006d8237dc7633e5574a9a931ac22241ee9db83963b4641c9c1267e5
SHA1 hash: 4279457fccd405df392cf21e0036496e411e4532
MD5 hash: d4f2a89e1cebeebe2bf856d413fb7e05
humanhash: mango-robin-yankee-louisiana
File name:DOCS-0094-LPO.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:434'176 bytes
First seen:2021-10-04 11:45:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:yoQoefGHfcG+P8g4WO4Y0mLs3o+GdW/vlj2sQ9H5z82aPLcpd7gQvJNDQDXq9F6f:fCGEG+ERWbm43o+3Hl/Qt5aKgkJNUZ
Threatray 9'912 similar samples on MalwareBazaar
TLSH T1D194E000A3DCDE9FE3196A7858156E1182A2C3ED20A2DE0AED5D55B13DE625CFB10FD3
Reporter lowmal3
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOCS-0094-LPO.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 11:49:30 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/07491776-2a6d-4241-a2dd-36b916dfb6b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194592/
Detection(s):
Porcupine.Unclassified.101808.UNOFFICIAL
Create hunting rule

Win.Packed.Pwsx-9897383-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c0fa0e3d213d202b76f2f/reports/29a341b0-d0e1-4e4b-a02c-c4748ba4f537/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2644282-6cb7-43e9-9bfb-52b7de1090be
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863909
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 496335 Sample: DOCS-0094-LPO.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 29 adl.windows.com 2->29 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 7 other signatures 2->53 10 DOCS-0094-LPO.exe 3 2->10         started        signatures3 process4 file5 27 C:\Users\user\...\DOCS-0094-LPO.exe.log, ASCII 10->27 dropped 55 Tries to detect virtualization through RDTSC time measurements 10->55 57 Injects a PE file into a foreign processes 10->57 14 DOCS-0094-LPO.exe 10->14         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 17 msiexec.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 37 Self deletion via cmd delete 17->37 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 23 cmd.exe 1 17->23         started        31 www.charmfulland.com 156.234.200.100, 49864, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 20->31 33 www.zuridesire.com 199.34.228.166, 49890, 80 WEEBLYUS United States 20->33 35 27 other IPs or domains 20->35 43 System process connects to network (likely due to code injection or exploit) 20->43 45 Performs DNS queries to domains with low reputation 20->45 signatures11 process12 process13 25 conhost.exe 23->25         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 10:13:36 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vouff37zwu4ermtgekbedgiuaomt653jlb3re6kowx2antsmtjwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1076b9efbc0e135c85f1228253f9a1d2f35f4fd49c70d290de72808f72bd56eb
RedLineStealer
129d230573fdb00a681a7f0c507bc16d2efcd08c4408f544f1d7653162b2cd92
RedLineStealer
151ac73a940835aa086b34eb4a68f0a8cd5a124622f9f4173a2072cfd1c9ed82
RedLineStealer
2728dc98fdebc00823b877eba49ace782c17db8a07074634aafca9dc00277776
RedLineStealer
c10f872ac7d56c5c8d5151eb8d5c3aba275f83bd55700c0dc38776a04b275175
RedLineStealer
c18d5baf727358a8635a51fc7cfb4c3f4c90c78abcecf051feb4540323e98746
RedLineStealer
c4c9d27ea805c32e7f0e66dc0d9534d8fbd87f4c1327727b2e1e9ae937f02c45
RedLineStealer
dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
RedLineStealer
ea12191fcd49d36b68be2c466a24cac87cfd79f9d1fb18ef252037f0fb976979
RedLineStealer
f836093baf3255830126881722dc2edd86fd615fc922f86d177b0ccb0e3d2941
RedLineStealer
+ 9'902 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b5ce loader rat
Link:
https://tria.ge/reports/211004-nxa2zsgcb3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.rheilea.com/b5ce/
Unpacked files
SH256 hash:
142d782507a3a68a4d1dea29e52f0699923a9c2b09803813a91087fd28557389
MD5 hash:
c10bac73d5f73b68877844c80e799670
SHA1 hash:
3c07ba2b4c7896264925e18f2c46eae383238b9c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1e7db023-b32b-489b-819c-aa1ed55ee43f/
Parent samples :
1076b9efbc0e135c85f1228253f9a1d2f35f4fd49c70d290de72808f72bd56eb
c4c9d27ea805c32e7f0e66dc0d9534d8fbd87f4c1327727b2e1e9ae937f02c45
2728dc98fdebc00823b877eba49ace782c17db8a07074634aafca9dc00277776
c18d5baf727358a8635a51fc7cfb4c3f4c90c78abcecf051feb4540323e98746
151ac73a940835aa086b34eb4a68f0a8cd5a124622f9f4173a2072cfd1c9ed82
aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c
73db754f5e709731e9c07c230fa6512ee75e07184c367e3f80b1bf646e7b72da
3c185c2191d1bc3a281f26cb51114b69b6d36a9fd63b3103d6c41608c8baf8a8
eafdeb6ac0b1bd6f065c70b3b2892bf04c6d5d674751e64b7583ba13ddf6ebd5
de12f96f01168f625165bda83f4d556d00d6c473e61aa5c6f424aed07ae9cc04
5d5aa4f1afaa9dd98bc1317f5b8e190cf21130d465da575fac9d4fbc6b3fb3af
d2aa010515bc8390084659013a1fd1e3e476e36ce46293281deb95c4469663f9
70b60d915bfc7bbbf6087ce59d289d7cf48a4c4b8a5e03bc5c24a2f9b7eaf915
SH256 hash:
5e3399d0a2ce21cf8b96510f69e25cf3744460a1f68784bd828fed1ae72cab30
MD5 hash:
064b994e07367a1f18bba1c800b77a42
SHA1 hash:
dde43e72998c9d04b4213e10714d632aef85323f
Link:
https://www.unpac.me/results/1e7db023-b32b-489b-819c-aa1ed55ee43f/
SH256 hash:
2241e105f4d9d02f898d8395a712a1c61bcae5d5cf5e52dc37cccd9a4cbe7bb1
MD5 hash:
36fa916ea33da29b017dc9b363834024
SHA1 hash:
a75acb3c65f0a012f58a4c00b4d0c9eb7bf38da6
Link:
https://www.unpac.me/results/1e7db023-b32b-489b-819c-aa1ed55ee43f/
SH256 hash:
cf641783d23dac22fb8fd1475853516c178149914aadef483e0513777b0a90e8
MD5 hash:
e32c30f640ced61f03bf1d253a462018
SHA1 hash:
64af6bce1462461e178c580960da1391f649a8e3
Link:
https://www.unpac.me/results/1e7db023-b32b-489b-819c-aa1ed55ee43f/
SH256 hash:
aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c
MD5 hash:
d4f2a89e1cebeebe2bf856d413fb7e05
SHA1 hash:
4279457fccd405df392cf21e0036496e411e4532
Link:
https://www.unpac.me/results/1e7db023-b32b-489b-819c-aa1ed55ee43f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe aba852eff9b53848b266228241991403993f7769587712794eb5f406ce4c9a6c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194592/

Comments