MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b189602123e4dba4522d442877fb0862a8fbbc4cc6d187954ba27039bea7d9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 6



SHA256 hash: 1b189602123e4dba4522d442877fb0862a8fbbc4cc6d187954ba27039bea7d9c
SHA3-384 hash: 26047fccef6fb480bd6059fedbd8317af16868756fa40974cfeea477edd7888e7b725d6483c0ff1ce3bb947e9c34cd2b
SHA1 hash: 74f2013fc0df5a96d5edfcd77659fabe260c4a1d
MD5 hash: f863b6b0881ef40a9919d966ea754c87
humanhash: four-enemy-bravo-harry
File name: 41d4bcdb9da7c94b1b5e6e88a8518390
Download: download sample
Signature: RedLineStealer
File size: 352'256 bytes
First seen: 2020-11-17 12:33:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3b8971ee4a26a0684b3250332934a5cf (1 x RedLineStealer)
ssdeep: 6144:5WqkKHCQsHLuGKMDmeNfitnf7oOMgof////////R0Fc:5FkKHC9LuimnsO/
TLSH: 1C74F121BA71C872D09A45744415A7806BBFF96127F0D5CB3BD82BAE1EF13C11AF6386
Reporter: seifreed
Tags: RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 64
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Stealing user critical data
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2020-11-17 12:37:59 UTC
AV detection: 26 of 28 (92.86%)
Threat level: 5/5
Verdict: suspicious
Result
Malware family: redline
Score: 10/10
Tags: family:agenttesla family:redline discovery evasion infostealer keylogger persistence spyware stealer trojan vmprotect
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Looks up external IP address via web service
Checks whether UAC is enabled
Reads user/profile data of web browsers
Checks BIOS information in registry
Modifies file permissions
Executes dropped EXE
VMProtect packed file
AgentTesla Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
AgentTesla
RedLine
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments