MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f017121c738f72b1b65e4abe141f1659b13c53a0fc8d253c0bc8bb419ecc34af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f017121c738f72b1b65e4abe141f1659b13c53a0fc8d253c0bc8bb419ecc34af
SHA3-384 hash: effc14b022062edad47fc3e16c97b46fbfa8a2c0cd924d2b050bf8ac43a171e4c1e23ad08a5065d3cc5b8c4ceb0e46a9
SHA1 hash: 16be133e8deb4455da2452527d5f72e068f73417
MD5 hash: 92bfafc1e9023665745fee7ef443712e
humanhash: summer-hamper-black-virginia
File name:92bfafc1e9023665745fee7ef443712e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'047'552 bytes
First seen:2021-08-23 22:43:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:Od/hAxno0yu937wR85lwQpsZG0FHBLLdJZdrvPkYxs4tLm8O/Qk8boAvRc+rM6dW:4AxquZwBQSZGcH5TPxhL3XK+wLQ7gVv
Threatray 697 similar samples on MalwareBazaar
TLSH T1E5253E3D19FE162BC0E1D376CBE18423B0549C5F7810ADA568D273760BA7A9735CB22E
dhash icon 71f4a2c8cc8ac061 (1 x RedLineStealer, 1 x AsyncRAT)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
92bfafc1e9023665745fee7ef443712e
Verdict:
Suspicious activity
Analysis date:
2021-08-23 22:44:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/79232cdf-1bcc-411f-a7eb-fd3f5d8e3457

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181654/
Detection(s):
Win.Dropper.Nanocore-9839214-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6807531-bf17-4354-a566-9a08faaad5de
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/837860
Signature
.NET source code contains very large strings
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470291 Sample: fLOoHPMSby Startdate: 24/08/2021 Architecture: WINDOWS Score: 96 21 Found malware configuration 2->21 23 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 5 other signatures 2->27 7 fLOoHPMSby.exe 3 2->7         started        process3 file4 19 C:\Users\user\AppData\...\fLOoHPMSby.exe.log, ASCII 7->19 dropped 10 fLOoHPMSby.exe 1 7->10         started        13 fLOoHPMSby.exe 7->13         started        process5 signatures6 29 Injects a PE file into a foreign processes 10->29 15 fLOoHPMSby.exe 10->15         started        17 conhost.exe 10->17         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f017121c738f72b1b65e4abe141f1659b13c53a0fc8d253c0bc8bb419ecc34af/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 10:26:38 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
RedLineStealer
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
RedLineStealer
1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71
RedLineStealer
3a6c6ec5b5e168e0452009714a8d37581459b8d386c26ef69c98a6802d5e65d6
RedLineStealer
3d83689d7e648cf09e37e7a0d16a99bd9b0484da6e6ab75cae43907d95c7253d
RedLineStealer
6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9
RedLineStealer
88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f
RedLineStealer
97c558bcbdaf21258e91098900d19e1ba944379a779a6a7c57aec46ea3de5438
RedLineStealer
d07e7f7f409d82270a54d63f0ee9e38442665d91a5dc193bcadfe45452d8cf46
RedLineStealer
d7854719c33f72a1afa0c562bdf44a8941b4017fbe90a215636aad91d1bf4f10
RedLineStealer
+ 687 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210823-m2vdzsewr6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
04d7bbb2c24f0fe9ce61d82e9e679b98b4df56e2ac5f81b13944468db5a40dd6
MD5 hash:
7fe7bb385a4c5b086d2b769503871478
SHA1 hash:
ba8298817a4638fbe4212f91801c0470fc74e428
Link:
https://www.unpac.me/results/1337b5ac-7bab-422e-bd60-7d248f7546d6/
SH256 hash:
d7854719c33f72a1afa0c562bdf44a8941b4017fbe90a215636aad91d1bf4f10
MD5 hash:
296968fa478ce8b4832446c33afc37a5
SHA1 hash:
b8331521ad1beb8814c5b50d9e16430440bb2947
Link:
https://www.unpac.me/results/1337b5ac-7bab-422e-bd60-7d248f7546d6/
SH256 hash:
33ac6b8012ce739e72022086b5d39b7fc030c20fa72988f76957685509d5c041
MD5 hash:
83f8ae95a7e6f016f6b00482588086e6
SHA1 hash:
70392939d6d60a913b51084ec1d98eaae8ca4868
Link:
https://www.unpac.me/results/1337b5ac-7bab-422e-bd60-7d248f7546d6/
SH256 hash:
4d768034c34a47d4c51af9acfeca8951234f7ac48d9dd345943cf013f9a93ea0
MD5 hash:
f55c7017dedc382126fe1f1737042b14
SHA1 hash:
6f2a87b9b4e0ea521ac850197e0f0f1399b8b632
Link:
https://www.unpac.me/results/1337b5ac-7bab-422e-bd60-7d248f7546d6/
SH256 hash:
f017121c738f72b1b65e4abe141f1659b13c53a0fc8d253c0bc8bb419ecc34af
MD5 hash:
92bfafc1e9023665745fee7ef443712e
SHA1 hash:
16be133e8deb4455da2452527d5f72e068f73417
Link:
https://www.unpac.me/results/1337b5ac-7bab-422e-bd60-7d248f7546d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/f017121c738f72b1b65e4abe141f1659b13c53a0fc8d253c0bc8bb419ecc34af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f017121c738f72b1b65e4abe141f1659b13c53a0fc8d253c0bc8bb419ecc34af

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1558467/
Cape
Cape
https://www.capesandbox.com/analysis/181654/

Comments


Avatar
zbet commented on 2021-08-23 22:43:49 UTC

url : hxxp://45.90.46.71/clip.exe