MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0da6cae80fe4aed6f03113cd0c870822f39cbf0c96bb8d886264f47ebe9dfca9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer

Vendor detections: 15

SHA256 hash: 0da6cae80fe4aed6f03113cd0c870822f39cbf0c96bb8d886264f47ebe9dfca9
SHA3-384 hash: 81c9bd617581a4542e7ee9042efbe5b13cc13dd9efa8d5a78c2a812753d6e97fb361ca6d56131526573fd4ad5665e134
SHA1 hash: 0e4367b1d0d7d9da3ab03bdcc54a2c44a8ce2a7a
MD5 hash: 8ae5c02ef7911653271eb9615c1ea04b
humanhash: bravo-sad-white-wyoming
File name: RFQ-998112537 (2).exe
Signature RedLineStealer
File size: 1'039'857 bytes
First seen: 2024-02-07 10:17:00 UTC
Last seen: 2024-02-07 12:51:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep: 24576:pRmJkcoQricOIQxiZY1ia7tCbK796Z/ITPNLgcx9h/:mJZoQrbTFZY1iaZh7QZgx0cxL/
TLSH: T13D25CF1DA5857037C1A23E705D7AB3599639282503E6CD972FF43B290E723F32E2572A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 30a44a4c4c4aa430 (6 x Formbook, 4 x RedLineStealer, 2 x AgentTesla)
Reporter: lowmal3
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 3
# of downloads: 367
Origin country: DE
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: autoit fingerprint keylogger lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla, PureLog Stealer, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Telegram RAT
Behaviour
Threat name: Win32.Worm.Harakit
Status: Malicious
First seen: 2024-02-07 10:12:56 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:agenttesla family:zgrat keylogger rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Detect ZGRat V1
ZGRat
Unpacked files
SHA256 hash: ad57ebba4b4bee5006f9a8785d552eb11cc8472a0553d93a399022533a5ee53e
MD5 hash: c37d6672353ebd6b9deb971a0201e80e
SHA1 hash: a7ec5dc76ee5996b23d7e378df5e99393514a37a

SHA256 hash: ddaf61df65216b7317c2d5286c1d17456524a0fdf0daec26a35685829963f856
MD5 hash: f4c2ccf6a36e238e6a57be6de20b94c3
SHA1 hash: 4a0bf62a4859d090531e9614b3b9047266e6f4a7

SHA256 hash: 8d3963cec06e02a9574d40ccf2040d4495d07bdf673fd589b24601a519486be6
MD5 hash: f9fdc4e29a3888aab65803cffbde8ce3
SHA1 hash: 6bc5dd21cac1d5a181e8e8982b196dc093f27f1d

SHA256 hash: 0da6cae80fe4aed6f03113cd0c870822f39cbf0c96bb8d886264f47ebe9dfca9
MD5 hash: 8ae5c02ef7911653271eb9615c1ea04b
SHA1 hash: 0e4367b1d0d7d9da3ab03bdcc54a2c44a8ce2a7a
Detections: AutoIT_Compiled
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AutoIt
Author: Jean-Philippe Teissier / @Jipe_
Description: AutoIT packer

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RedLineStealer: Executable exe 0da6cae80fe4aed6f03113cd0c870822f39cbf0c96bb8d886264f47ebe9dfca9 (this sample)

Delivery method: Distributed via e-mail attachment

Comments