MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f50543c702f7c2321abb55697df8bba3a53c613d38050667852942dcecc0c184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Bandook


Vendor detections: 11



SHA256 hash: f50543c702f7c2321abb55697df8bba3a53c613d38050667852942dcecc0c184
SHA3-384 hash: 9f0d90b423f5308f9ff6361be72ef698d77a8e7d02da74b64fb1f73c640d7b4991a0e0ee9c1ee374a913ab1a4323103f
SHA1 hash: 380b93b1da44bbcd9d8a4da94d14685d02d865f8
MD5 hash: 08146193f2e19f8abf6b127acff0d82d
humanhash: kilo-ack-network-hawaii
File name: 08146193f2e19f8abf6b127acff0d82d.exe
Signature: Bandook (note that the sandbox reports in the Intelligence section below classify the sample as RedLine stealer, one of them with a Ramnit VNC module alongside it, so treat the family label as unconfirmed)
File size: 1'085'240 bytes
First seen: 2021-03-24 22:08:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger). This imphash is shared by tens of thousands of samples from unrelated families; it is the well-known value for .NET executables, whose only native import is _CorExeMain from mscoree.dll, so it is not a useful pivot for this sample.
ssdeep: 12288:OJ0xRUm06xF8tk7a+rn4h/7t1yxEFkxChx4Lfr:H/06xXrn8B9kxChx4Dr
Threatray: 50 similar samples on MalwareBazaar
TLSH: 9E35AD5C9E6FE147FBF00D768CA4C95995BB7C2A001EC87A1E8A728B91B1BC364345F1
Reporter: abuse_ch
Tags: Bandook exe


abuse_ch
Bandook C2:
http://194.135.20.72:3214/

Indicators Of Compromise (IOCs)


Below is the list of indicators of compromise (IOCs) associated with this malware sample.

IOC                           ThreatFox reference
http://194.135.20.72:3214/    https://threatfox.abuse.ch/ioc/5168/
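The IOC above is published as a URL, but in practice it has to be matched against proxy logs (URL or CONNECT target) and firewall logs (destination ip:port). The script below is an added example, not MalwareBazaar or ThreatFox code: it normalises both forms to a (host, port) pair, checks them against the ThreatFox IOC plus the hosts the sandbox report further down this page shows the sample contacting, and still surfaces a known C2 address seen on an unexpected port, at lower confidence. The log lines and their two formats are constructed for the demonstration, and the confidence labels are this example's own annotation, not a MalwareBazaar field.

```python
"""Match this entry's network IOCs against proxy and firewall log lines.

Added example for the IOC section; not MalwareBazaar or ThreatFox code.
The log lines are constructed, and the confidence labels are this
example's own annotation.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# (host, port) -> (description, confidence). The first entry is the
# ThreatFox IOC on this page; the others are hosts the sandbox report on
# this page shows the sample contacting but which were not submitted
# as IOCs, hence the lower confidence.
IOCS = {
    ("194.135.20.72", 3214): ("Bandook C2, ThreatFox ioc/5168", "high"),
    ("e.8helpify.ru", 443): ("contacted in sandbox run", "medium"),
    ("81.177.140.169", 443): ("e.8helpify.ru as resolved in sandbox run", "medium"),
    ("23.108.57.102", 443): ("contacted by injected WerFault.exe in sandbox run", "medium"),
}
# Host-only index so a known C2 address on an unexpected port is still surfaced.
IOC_HOSTS = {host for host, _ in IOCS}

# Constructed log lines (not real traffic): a Squid-like proxy format and a
# simple key=value firewall format.
LOG_LINES = [
    "2021-03-24T22:10:01Z 10.0.0.15 GET http://194.135.20.72:3214/ 200",
    "2021-03-24T22:10:05Z 10.0.0.15 CONNECT e.8helpify.ru:443 200",
    "2021-03-24T22:10:07Z 10.0.0.22 GET https://www.example.com/ 200",
    "2021-03-24T22:11:00Z fw src=10.0.0.15:49737 dst=81.177.140.169:443 action=allow",
    "2021-03-24T22:11:02Z fw src=10.0.0.15:49741 dst=23.108.57.102:443 action=allow",
    "2021-03-24T22:11:03Z fw src=10.0.0.30:52000 dst=194.135.20.72:80 action=allow",
]

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST|HEAD|CONNECT) (?P<target>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<port>\d+)")


def endpoint(target):
    """Normalise a URL or a host:port string (CONNECT target) to (host, port)."""
    if "://" in target:
        u = urlsplit(target)
        return u.hostname.lower(), u.port or DEFAULT_PORTS.get(u.scheme)
    host, _, port = target.rpartition(":")
    return host.lower(), int(port)


def classify(host, port):
    """Return (description, confidence) for an endpoint, or None if it is not an IOC."""
    if (host, port) in IOCS:
        return IOCS[(host, port)]
    if host in IOC_HOSTS:
        return ("IOC host on a different port", "low")
    return None


def scan(lines):
    """Return one hit dict per log line whose destination matches an IOC."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            host, port, src = m["dst"], int(m["port"]), m["src"]
        else:
            m = PROXY_RE.match(line)
            if not m:
                continue
            (host, port), src = endpoint(m["target"]), m["src"]
        verdict = classify(host, port)
        if verdict:
            desc, conf = verdict
            hits.append({"src": src, "host": host, "port": port,
                         "reason": desc, "confidence": conf})
    return hits


if __name__ == "__main__":
    for h in scan(LOG_LINES):
        print(f"{h['confidence']:<6} {h['src']} -> {h['host']}:{h['port']}  ({h['reason']})")
```

Run against the constructed lines it reports five hits: the C2 on 3214 as high, the three sandbox-observed hosts as medium, and the same C2 address on port 80 as low; the request to www.example.com is ignored. Treating the sandbox hosts as lower confidence matters because a sandbox run can record infrastructure that is shared or short-lived, while the ThreatFox entry was reported deliberately.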

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 1'394
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: https://gitlab.com/eu-trusted-developers/softdevII/-/raw/master/Install.exe (the vendor recorded the download URL as the file name)
Verdict: No threats detected
Analysis date: 2021-03-24 00:49:47 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Behaviour:
Creating a window
Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Ramnit RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Ramnit VNC Module
Yara detected RedLine Stealer
Behaviour
Behavior graph ID 375500, sample 8Asxd7kV85.exe, start date 24/03/2021, architecture WINDOWS, score 100. Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures. Process tree recovered from the graph:

8Asxd7kV85.exe
    drops C:\Users\user\AppData\...\8Asxd7kV85.exe.log (ASCII)
    queries sensitive video device information (WMI, Win32_VideoController) and sensitive disk information (WMI, Win32_DiskDrive), often done to detect virtual machines
    injects a PE file into a foreign process
    -> 8Asxd7kV85.exe (second instance)
        contacts api.ip.sb and e.8helpify.ru (81.177.140.169, port 443, RTCOMM-ASRU, Russian Federation) plus 2 other IPs or domains
        drops C:\Users\user\AppData\...\1212391699.exe (PE32)
        tries to harvest and steal browser information (history, passwords, etc)
        -> 1212391699.exe
            contacts 192.168.2.1 and e.8helpify.ru
            multi AV scanner detection and machine learning detection for dropped file; writes to foreign memory regions; 2 other signatures
            -> AddInProcess32.exe
                creates an undocumented autostart registry key; writes to foreign memory regions; allocates memory in foreign processes; modifies the context of a thread in another process (thread injection)
                -> WerFault.exe
                    contacts 23.108.57.102, port 443 (LEASEWEB-USA-MIA-11, United States); contains functionality to inject threads in other processes; searches for specific processes (likely to inject)
            -> AddInProcess32.exe (second instance)
                contains functionality to inject threads in other processes
Threat name: ByteCode-MSIL.Trojan.RedLineSteal
Status: Malicious
First seen: 2021-03-24 01:57:26 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour:
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files

SHA256 hash: c22b9993fd6abea236edcc1bf476bcd4a09015b4af09eedf660a43bf3d29a16f
MD5 hash: 1d1234ba19c430923b22f531bb19b369
SHA1 hash: 9868c1e97a3be16100a61b5ee1f7d2838b4782a8

SHA256 hash: f50543c702f7c2321abb55697df8bba3a53c613d38050667852942dcecc0c184 (the submitted sample itself)
MD5 hash: 08146193f2e19f8abf6b127acff0d82d
SHA1 hash: 380b93b1da44bbcd9d8a4da94d14685d02d865f8

Please note that we are no longer able to provide a coverage score for Virus Total.
