MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17ad4077635fb91dd079433a999903f6252d19e47b503d92c1ddac9c93e14d2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17ad4077635fb91dd079433a999903f6252d19e47b503d92c1ddac9c93e14d2d
SHA3-384 hash: 1210eefd6c919371c0c615e134c3444e6efc4a842f4c6f2703680dd3a7adf91e50fb39d84147e052e48c3cdbfaabd61e
SHA1 hash: f1ceb718cc9c34709e1904877124dde04b27d9ee
MD5 hash: aefe3f1a68ea2505a667ffeb6ffa0509
humanhash: beryllium-charlie-kilo-emma
File name:Dhl.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'606'656 bytes
First seen:2021-08-31 14:20:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:wUBHz7SDcXyUyMpj7ouXQqWQLEmAQnVVpLCm/wb+ZT1dk6mpbf:wWTC8yUyMt7o6xEmffpuE6YDkLf
Threatray 2'288 similar samples on MalwareBazaar
TLSH T19175287F19BDA127A175C6E58BD38423F0018BAF71206965B6D743164323A7AB4F332E
Reporter GovCERT_CH
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dhl.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-31 15:46:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dfcec840-cce9-4d7e-9bb9-428290662e94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184235/
Detection(s):
SecuriteInfo.com.generic.ml.26719.18230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Unauthorized injection to a system process
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/659e81ca-2481-4ced-9bb9-310ce61c2d72
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/842692
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17ad4077635fb91dd079433a999903f6252d19e47b503d92c1ddac9c93e14d2d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 14:21:04 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c6wua53dl64r3udzim5jtgid6yss2gpepnid3ewb3wwjze7bjuwq._file
Verdict:
unknown
Similar samples:
0a2a6d1c44faaf913e485ad041724238f793bb57508eb1574b3b07a4931cc8a2
RedLineStealer
12f249adf9e96719d8999e5ff16ca67fb252cb38edf05851577a564b3044f987
RedLineStealer
22916cd876516df90c959904823fbc25a331cd7f8e70343cc05f4674128f07e1
RedLineStealer
4b611d0f1bcb7daca27c3093c8c7ea6359e5b6e5b6b4c91e4cba798f60b3413c
RedLineStealer
61b36c03b131bf1dac4d6ddf392b9ebd48a0d6c723abb9119c308dd22b5432db
RedLineStealer
68f58a48d09d07cd851a8d03cef1a6000f715257fbfbad215e22013ac7a7e611
RedLineStealer
8c35b3d63f5644c97f5e9a1215ac4d9a4486eb78ff8a1410da52fa6853c99bf8
RedLineStealer
dcabbdbcb25b9663b40e527927ad003ab43726989d5772a9999e4350ca974a6a
RedLineStealer
eeb94d0ce7213c5b8c070a7df59ba79aaf8248361922980368c31295c6641aae
RedLineStealer
fc3325548497708c387234e5c4e1457c3a46bc7061e272c1c35c4668d42a776f
RedLineStealer
+ 2'278 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210831-nm5t2fhx6x/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/cfcab1c2-7ae9-488c-a714-7c066a238489/
SH256 hash:
d07f2e5f72101c777d9b4978352e32162ed7f3add98c7baf9b507c67a82c1153
MD5 hash:
8cee6d2543924091c35bf17c619b6747
SHA1 hash:
6ae39e22f8df04b3d3d3c36cf1ca941994b8acbf
Link:
https://www.unpac.me/results/cfcab1c2-7ae9-488c-a714-7c066a238489/
SH256 hash:
5d0ccb79001ca1e4ef057216c532e2f16e32b002c6450be58765efcc79b01507
MD5 hash:
5cb62607ad1f400bb8b0259467693967
SHA1 hash:
5c32f8570d14c298ded3185797aed281dab28373
Link:
https://www.unpac.me/results/cfcab1c2-7ae9-488c-a714-7c066a238489/
SH256 hash:
17ad4077635fb91dd079433a999903f6252d19e47b503d92c1ddac9c93e14d2d
MD5 hash:
aefe3f1a68ea2505a667ffeb6ffa0509
SHA1 hash:
f1ceb718cc9c34709e1904877124dde04b27d9ee
Link:
https://www.unpac.me/results/cfcab1c2-7ae9-488c-a714-7c066a238489/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/17ad4077635f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/17ad4077635fb91dd079433a999903f6252d19e47b503d92c1ddac9c93e14d2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 17ad4077635fb91dd079433a999903f6252d19e47b503d92c1ddac9c93e14d2d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/184235/

Comments