MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbf1c70941a14390d96393b397e3836d9c449b984b742d847a4a1f296f9e53db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbf1c70941a14390d96393b397e3836d9c449b984b742d847a4a1f296f9e53db
SHA3-384 hash: 0f3089774a3a8760ae6438a6e60a37804d58967162936a8daee4d38d3cea380e0ffaae40d648695a83756a318c118067
SHA1 hash: 669b14836b543ad8d3ede74851ddbe03bfa41ec0
MD5 hash: 6019f40140d681249f8a3b4c73dcf8ab
humanhash: sink-ack-fourteen-magazine
File name:Owbtvvu.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:124'416 bytes
First seen:2021-06-07 19:41:06 UTC
Last seen:2021-06-07 20:41:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:P/uoeWt8zzWR1AG4aYdAB+NQe6vMv7xR/AD:P/uogSR1lB+NQe6EjX
Threatray 335 similar samples on MalwareBazaar
TLSH 2DC39E1AB7A75B22C14C1AB6C4D3412803F2E7837137D79B7D4692D60F033D6AE8AB85
Reporter James_inthe_box
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Owbtvvu.exe
Verdict:
Malicious activity
Analysis date:
2021-06-07 19:42:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/de7823bf-7066-485a-bdea-dd901c62f2bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165102/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.17231.13162.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/798349
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbf1c70941a14390d96393b397e3836d9c449b984b742d847a4a1f296f9e53db/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 19:40:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0e16268b5f26f1f7314bb1b21bb246b99ee4fd6e000818edc94f7efa67964a4d
RedLineStealer
3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078
RedLineStealer
3e75632899bd44ec5be0f6ad8ddd6b04f949a30527b6448c84a6b0f30f0a4087
RedLineStealer
5e1526ff008fb0bac26c27ae1260d723d3200351f84f9a7b9a3c5b50a05bc5fa
RedLineStealer
6bd0f63d69ebaa8e28b21e9b0f5c02e05c1213535b2881d080db1d09082e9f1d
RedLineStealer
6cfc4645669e0a0da0bec32b6099b13a0f907a8d54e7382dbaa0e27ed23f3ae6
RedLineStealer
9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0
RedLineStealer
a517552827e4823129d29a86c716decae6366d7bad5d8521ba6d1fd52547147d
RedLineStealer
a58d9469e992503f643880102b279956e2672580e212a54ce896b1784f59526b
RedLineStealer
dafee937bbe45fe3398e06d60f2177c42a20e41f9bc5c22dcadbf284cdf4fb75
RedLineStealer
+ 325 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210607-hvzjsl46lj/
Unpacked files
SH256 hash:
c27f8abf2e28642c7631d6cb135eb3769e2510d75d81c558bc04324d03578507
MD5 hash:
90e9538eff9ff0f8b442ff26ae3fe93f
SHA1 hash:
0def1bf858f76642b5dacc410ee61ce5741d3474
Link:
https://www.unpac.me/results/9eaae25d-8bbc-4cbb-9384-857f84ac7375/
SH256 hash:
cbf1c70941a14390d96393b397e3836d9c449b984b742d847a4a1f296f9e53db
MD5 hash:
6019f40140d681249f8a3b4c73dcf8ab
SHA1 hash:
669b14836b543ad8d3ede74851ddbe03bfa41ec0
Link:
https://www.unpac.me/results/9eaae25d-8bbc-4cbb-9384-857f84ac7375/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/cbf1c70941a14390d96393b397e3836d9c449b984b742d847a4a1f296f9e53db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/165102/

Comments