MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8a64a77e6ee6cbbd28648418dc13b3c0906aece9be0744e90560f896d1a9aa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8a64a77e6ee6cbbd28648418dc13b3c0906aece9be0744e90560f896d1a9aa4
SHA3-384 hash: 87ef401e690cfc76b344e3beebf2b769d2aae15c3d672013f6dc9da9d164ecdacfd4030e178304fa31a33ae98572f780
SHA1 hash: 3797b52bb9480b3fb77c825f257adf102f7ff868
MD5 hash: ddc1e4f7216d422e2534c4cbc2ff34d5
humanhash: nineteen-black-cup-arkansas
File name:ddc1e4f7216d422e2534c4cbc2ff34d5
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:340'480 bytes
First seen:2021-09-15 09:11:58 UTC
Last seen:2021-09-15 12:07:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:A+BDiSKPxCWScCUDgd35ZFj6uf3wwoBd78yxcvfz6uiFaCrB:3DizxBS1pZFmw3wwo73xSfA
Threatray 450 similar samples on MalwareBazaar
TLSH T14E749C2657D85F09E53E9B34853442045BF6B1029B33DB6EBE9840EA1E33B41CB6B71B
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ddc1e4f7216d422e2534c4cbc2ff34d5
Verdict:
Malicious activity
Analysis date:
2021-09-15 09:15:12 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/aa60d7eb-7e28-48a7-a08f-c5c99aa15e7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188128/
Detection(s):
SecuriteInfo.com.Variant.Bulz.719574.24654.12364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/617518f7db358dd15ed92584/reports/c26c0d5b-10d0-40ba-8d2f-20e30cc9da0e/overview
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27d9785f-6a7b-4bf0-b798-901d0e07bf55
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/851243
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 483669 Sample: fCW92GQu51 Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 60 www.google.com 2->60 72 Antivirus / Scanner detection for submitted sample 2->72 74 Sigma detected: Powershell download and execute file 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 4 other signatures 2->78 13 fCW92GQu51.exe 15 4 2->13         started        signatures3 process4 dnsIp5 66 www.google.com 172.217.168.36, 443, 49739, 49786 GOOGLEUS United States 13->66 56 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 13->56 dropped 58 C:\Users\user\AppData\...\fCW92GQu51.exe.log, ASCII 13->58 dropped 104 Writes to foreign memory regions 13->104 106 Allocates memory in foreign processes 13->106 108 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->108 110 Injects a PE file into a foreign processes 13->110 18 AddInProcess32.exe 13->18         started        file6 signatures7 process8 signatures9 70 Adds a directory exclusion to Windows Defender 18->70 21 cmd.exe 1 18->21         started        process10 dnsIp11 64 13.238.159.178, 49776, 49823, 80 AMAZON-02US United States 21->64 88 Suspicious powershell command line found 21->88 90 Tries to download and execute files (via powershell) 21->90 92 Adds a directory exclusion to Windows Defender 21->92 25 powershell.exe 21->25         started        27 powershell.exe 25 21->27         started        30 powershell.exe 21->30         started        33 2 other processes 21->33 signatures12 process13 dnsIp14 35 vbc.exe 25->35         started        102 Powershell drops PE file 27->102 68 192.168.2.1 unknown unknown 30->68 signatures15 process16 dnsIp17 62 www.google.com 35->62 80 Antivirus detection for dropped file 35->80 82 Multi AV Scanner detection for dropped file 35->82 84 Machine Learning detection for dropped file 35->84 86 4 other signatures 35->86 39 AddInProcess32.exe 35->39         started        signatures18 process19 signatures20 94 Adds a directory exclusion to Windows Defender 39->94 42 cmd.exe 39->42         started        process21 signatures22 96 Suspicious powershell command line found 42->96 98 Tries to download and execute files (via powershell) 42->98 100 Adds a directory exclusion to Windows Defender 42->100 45 powershell.exe 42->45         started        48 conhost.exe 42->48         started        50 powershell.exe 42->50         started        52 2 other processes 42->52 process23 file24 54 C:\Users\user\AppData\Roaming\vbc.exe, PE32 45->54 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8a64a77e6ee6cbbd28648418dc13b3c0906aece9be0744e90560f896d1a9aa4/
Threat name:
Win32.Trojan.Vimditator
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 08:43:12 UTC
AV detection:
14 of 44 (31.82%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3c3a536252b1c720434579c37748f0ba4178e7eedea1d841aa05e772118185b7
RedLineStealer
515aeac4841b51f4ef59ace6b939e49eb902b00c4bd2f7a0c433ac260448b93f
RedLineStealer
8085213a555a814fef5abfbdea92f1e695780a6292807016dc1814f040ea8325
RedLineStealer
9767f24cdeb959ecd20b003f7d9744c216b3bbcaae6ddc5d481a4cce2ea8e91f
RedLineStealer
be746b9dad08ffbb0d6f86c0a27dde469e3d1fa6500531636b6b68980a7c615a
RedLineStealer
e81816b3d339965775f2f4e2dd07e0e036a6cf1260d6967a02fc37b8e3939e25
RedLineStealer
f235f5460a16f4b3f9458ac7e65ac7758018184c10ac365ab69016de098a1846
RedLineStealer
f5d2a49f8800562ae2edb68fb838b64196844c2425fea90663baf4f7d7776f81
RedLineStealer
+ 440 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
agilenet
Link:
https://tria.ge/reports/210915-k56xvaach7/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Malware Config
Dropper Extraction:
http://13.238.159.178/truth/svch.exe
Unpacked files
SH256 hash:
d8a64a77e6ee6cbbd28648418dc13b3c0906aece9be0744e90560f896d1a9aa4
MD5 hash:
ddc1e4f7216d422e2534c4cbc2ff34d5
SHA1 hash:
3797b52bb9480b3fb77c825f257adf102f7ff868
Link:
https://www.unpac.me/results/52522cbd-0a21-4d3e-b664-da6ab60bf530/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d8a64a77e6ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/d8a64a77e6ee6cbbd28648418dc13b3c0906aece9be0744e90560f896d1a9aa4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d8a64a77e6ee6cbbd28648418dc13b3c0906aece9be0744e90560f896d1a9aa4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1621486/
Cape
Cape
https://www.capesandbox.com/analysis/188128/

Comments


Avatar
zbet commented on 2021-09-15 09:11:59 UTC

url : hxxp://13.238.159.178/truth/svch.exe