MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13b4456c19c9552d5986582cb97c22888d70f93b88d4f7445ad1c126ef27f5f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	13b4456c19c9552d5986582cb97c22888d70f93b88d4f7445ad1c126ef27f5f7
SHA3-384 hash:	349ced0d91fbe105d749fc80a807983524419cd1f987b54a75a3a76598894279231ea3fd9f3a8e643fd482cf8fbad765
SHA1 hash:	8b278efbe3666da07725a7dfd512c7aa9e12379b
MD5 hash:	e8cf0e1662dbf0059e06baa644cfe52c
humanhash:	chicken-shade-spaghetti-oranges
File name:	SecuriteInfo.com.Variant.Bulz.280947.15103.30535
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	380'416 bytes
First seen:	2020-12-24 11:39:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6ed4f5f04d62b18d96b26d6db7c18840 (239 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep	6144:tDXbL1roObuu+lu+69uSPDY/6hiT6roWeqQl49uKNweAPFWfOPM50P4i:Nte/63DYScOeqQm97NweAPTEOwi
Threatray	253 similar samples on MalwareBazaar
TLSH	4F841379CEF4C1EDEC72CE75066CBDD1EA18E86421F866459C8CD15B27F5AACF609200
Reporter	SecuriteInfoCom
Tags:	RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

1'064

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Bulz.280947.15103.30535

Verdict:

Malicious activity

Analysis date:

2020-12-24 11:41:53 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/a2b53eca-b54d-43ff-b683-b06deb52b46a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/109333/

Detection(s):

PUA.Win.Packer.Upx-48

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

SecuriteInfo.com.Variant.Bulz.280947.15103.30535.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/569705

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13b4456c19c9552d5986582cb97c22888d70f93b88d4f7445ad1c126ef27f5f7/

Threat name:

Win32.Trojan.BotX

Status:

Malicious

First seen:

2020-12-24 08:33:55 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=co2ek3azzfks2wmglawls7bcrcgxb6j3rdkporc22hasn3zh6x3q._file

Verdict:

malicious

RedLineStealer

3d2d9b8e5738024ffaa470410dfae954d73f049fdb2619be6864e399f3da6390

RedLineStealer

457aecc9187cb32bf4a2678fdf61450f013a48460d454e986bae391b03b3cb10

RedLineStealer

53694d09899c9de1600743b37ab45e9dc4e3eaf329dc410e87a3b7318d943012

RedLineStealer

5c014fbda22ed7eb3e16d6e7cefc5a2763dc3a7a419e428022dc58334e9770b5

RedLineStealer

7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb

RedLineStealer

bcd0816d97ffba1d11214540f3bf25344f835281fdd67edba638054527833222

RedLineStealer

c86ceb78c8aa8ecb5e96f7d44a8c593ef2c310102189366d4c0d35e80c0115c9

RedLineStealer

d94a672fd4dc3fd14b52c67d37822efd114ed1bbecc49633bbf74509843380a1

RedLineStealer

dfb1f00592d6264a6bf3ad8b02187dfad62d1526fa5b32e667cd6bf884d4db85

RedLineStealer

+ 243 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/201224-m99x3711yx/

Behaviour

Suspicious use of AdjustPrivilegeToken

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

13b4456c19c9552d5986582cb97c22888d70f93b88d4f7445ad1c126ef27f5f7

MD5 hash:

e8cf0e1662dbf0059e06baa644cfe52c

SHA1 hash:

8b278efbe3666da07725a7dfd512c7aa9e12379b

Link:

https://www.unpac.me/results/7d8e1ef1-5373-4da1-895e-3862c8797137/

SH256 hash:

2386f130f1b089da6fef1f2fa5a14ae21943e5fd1143409e741a84ec8ce13fac

MD5 hash:

a35843a70c0f8ec7f02208fba481fc49

SHA1 hash:

80ab7f65ae9d059856e64278d3e7d3efa84e095f

Link:

https://www.unpac.me/results/7d8e1ef1-5373-4da1-895e-3862c8797137/

SH256 hash:

4aaf20df6e103affb56ad302c069e6cecfd67f132d9e8de81515085c572bc5fb

MD5 hash:

b43d09fcac29f275d1fe7109ff4bc5c8

SHA1 hash:

837412a50a9e79499c5806ea5d9ca29da18dcfb1

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/7d8e1ef1-5373-4da1-895e-3862c8797137/

SH256 hash:

ff3d36a83a9e17f1ce4e299656df8a717d406277e814559f680761cf7e34f09d

MD5 hash:

b6db642eb5b50f3f5954eb5bc9d7c4cf

SHA1 hash:

d7e8a16349d6d874501bbf260bb5fcb57cd0c32e

Detections:

win_redline_stealer_g0

Link:

https://www.unpac.me/results/7d8e1ef1-5373-4da1-895e-3862c8797137/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/13b4456c19c9552d5986582cb97c22888d70f93b88d4f7445ad1c126ef27f5f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/