MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
SHA3-384 hash: 499a8faa22fbf2dd4bf3f6fde057030dd9dafd2fe006bd5698fb1bd00a13f955076220f8f5d06e85d3d5b0bb498097bc
SHA1 hash: da513c7a9fc8c8eb153370376419193cda98ccf5
MD5 hash: 9570c3db5910fcc8b5198c8cc14f8034
humanhash: connecticut-foxtrot-crazy-triple
File name:SecuriteInfo.com.Gen.Heur.MSIL.Bladabindi.1.22046.24481
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:283'136 bytes
First seen:2021-02-12 14:59:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 6144:SDKW1Lgbdl0TBBvjc/EaInquLi03gurUqdPY8AIWbZSgTi:0h1Lk70TnvjccquLXQ4GSlg+
Threatray 654 similar samples on MalwareBazaar
TLSH 8954D0213480C1B3C4B7153581E9CBB99A7970610B7A95D7BBDD2BBA6F203D1B2352CE
Reporter SecuriteInfoCom
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cmd.bin
Verdict:
Malicious activity
Analysis date:
2021-02-12 08:37:32 UTC
Tags:
loader trojan stealer vidar rat njrat bladabindi
Link:
https://app.any.run/tasks/5a354632-e77c-42ab-8ff0-87bcad5c78fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116937/
Detection(s):
SecuriteInfo.com.Gen.Heur.MSIL.Bladabindi.1.22046.24481.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Creating a file
DNS request
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/606864
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352464 Sample: SecuriteInfo.com.Gen.Heur.M... Startdate: 12/02/2021 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 4 other signatures 2->48 9 SecuriteInfo.com.Gen.Heur.MSIL.Bladabindi.1.22046.exe 5 2->9         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\Cmd..exe, PE32 9->28 dropped 30 SecuriteInfo.com.G...ndi.1.22046.exe.log, ASCII 9->30 dropped 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->50 13 Cmd..exe 193 9->13         started        signatures5 process6 dnsIp7 40 web24host.com 198.23.213.114, 49713, 80 AS-COLOCROSSINGUS United States 13->40 32 C:\ProgramData\vcruntime140.dll, PE32 13->32 dropped 34 C:\ProgramData\sqlite3.dll, PE32 13->34 dropped 36 C:\ProgramData\softokn3.dll, PE32 13->36 dropped 38 4 other files (none is malicious) 13->38 dropped 52 Antivirus detection for dropped file 13->52 54 Multi AV Scanner detection for dropped file 13->54 56 Tries to harvest and steal browser information (history, passwords, etc) 13->56 58 Tries to steal Crypto Currency Wallets 13->58 18 cmd.exe 1 13->18         started        file8 signatures9 process10 process11 20 MpCmdRun.exe 1 18->20         started        22 taskkill.exe 1 18->22         started        24 conhost.exe 18->24         started        process12 26 conhost.exe 20->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 18:04:00 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ilqgkezjbywe2epu3bykxqtaqfqotpdrwofpsi3i7arsccc5xba._file
Verdict:
malicious
Similar samples:
033741ca568e4e71a586be960e503415579b0520d2c9ecd298ed03becf406b9c
RedLineStealer
1d1db9028a99d5ccfd2e898e61dd4c0fbd2b363934f0623aa9503280fa3229a9
RedLineStealer
3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5
RedLineStealer
662df407f177b9d63dc16fe5c1068d65c8e1fbe602d05a7cae1db651179b746e
RedLineStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
RedLineStealer
6f34fbbfbe526af81101fef3143797b2e5fddb2bb945c69e6ddd7dd7bf2cf7c7
RedLineStealer
7a7f8f5b41981d22a64654a713d5dfdfbe6cb5e0778364a594fbaee25efc5425
RedLineStealer
8959562f5a87f40b9c3917a98e10d68e2c459c8df9bdd9664f615af6d5b9959e
RedLineStealer
9c2eb5790e7874950db0e51764ba68bb4a0fa5be68b659717c73363883da0db7
RedLineStealer
b699a2766f106ff77377780bad431b72ef1748bf989e09f2b82fb73cf30cbde3
RedLineStealer
+ 644 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski infostealer
Link:
https://tria.ge/reports/210212-kcctkfw8aj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Oski
Unpacked files
SH256 hash:
a3b53fbb0ec9a005e6b2517f3a6fa4529303070b4769cb96017c9c79fface815
MD5 hash:
5a39ddc02819dfc4cb8cdffd7ad4a334
SHA1 hash:
679d9f0960277d749ca9b1e36672b3428337e18a
Link:
https://www.unpac.me/results/8eefe7b0-b0d5-4402-af7f-07113d3086db/
SH256 hash:
9e2455642e046af82e21bdc6bc8659a5acc10796e383dcd7064227b0e8c6675b
MD5 hash:
94835b6d4af91fc977e840d64adaa485
SHA1 hash:
77635f373780022f21f74ade8ee80d0e652248ed
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/8eefe7b0-b0d5-4402-af7f-07113d3086db/
SH256 hash:
360cb15b433b116702f9a4dbb7b1cdcdb2f7065c7cc349490ab25c717beb21d7
MD5 hash:
025d3c385e1fe4a99bb40f55cc245f58
SHA1 hash:
e91aa42e9a38182c5b45c7f9971b8138aef2f2b0
Link:
https://www.unpac.me/results/8eefe7b0-b0d5-4402-af7f-07113d3086db/
SH256 hash:
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
MD5 hash:
9570c3db5910fcc8b5198c8cc14f8034
SHA1 hash:
da513c7a9fc8c8eb153370376419193cda98ccf5
Link:
https://www.unpac.me/results/8eefe7b0-b0d5-4402-af7f-07113d3086db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1002413/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116937/

Comments