MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15f6129bc55585c8da9ef55ceabac0c5c3a382cd5f3649c45024cbdfdb072ad0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

SHA256 hash: 15f6129bc55585c8da9ef55ceabac0c5c3a382cd5f3649c45024cbdfdb072ad0
SHA3-384 hash: 90256393436dc6585c882c0059d50ceff6d97d1d3f3eddf19b2e5752f558866133d0d3660713205c40664a6dee64956e
SHA1 hash: 734c8cd69d8406b86035cec9ce12899186eb26d8
MD5 hash: 2f03b0220d26e7677a5e265c1d0f8b74
humanhash: quiet-red-snake-fish
File name: QUOTE928821_991929388102pdf.exe
Signature: RedLineStealer
File size: 1'015'296 bytes
First seen: 2021-01-07 17:58:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:y0Jxt7WsoySg3hE4b7pTpyvEoEXzHCgLtJ79MEeHprjZ4ilc8XB+kSOQmQRkMkdf:d1psxjZ46pS5mQRkMkl
Threatray: 32 similar samples on MalwareBazaar
TLSH: 51256C0866152A60F3BE473B94AC500CE7EDAD4DD79BD53EECE03C884672BA5A5F0136
Reporter: abuse_ch
Tags: exe RedLineStealer

abuse_ch
Malspam distributing unidentified malware:

HELO: smtp.fuse.net
Sending IP: 64.8.71.14
From: Lydia Yonkers <rbowman1@fuse.net>
Subject: Quote Request
Attachment: QUOTE928821_991929388102pdf.img (contains "QUOTE928821_991929388102pdf.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 157
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: QUOTE928821_991929388102pdf.exe
Verdict: Malicious activity
Analysis date: 2021-01-07 18:02:25 UTC
Tags: rat redline trojan evasion stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: clean
Classification: n/a
Score: 4 / 100
Behaviour
Behavior Graph: n/a
Threat name: ByteCode-MSIL.Trojan.Pwsx
Status: Malicious
First seen: 2021-01-07 17:59:09 UTC
AV detection: 8 of 28 (28.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 15f6129bc55585c8da9ef55ceabac0c5c3a382cd5f3649c45024cbdfdb072ad0 (this sample)

Delivery method: Distributed via e-mail attachment

Comments