MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f6f4b913fe7cafc611a1ff5ac857ed342a0bc5a83ae5b3cb2485d5beaa31b15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	4f6f4b913fe7cafc611a1ff5ac857ed342a0bc5a83ae5b3cb2485d5beaa31b15
SHA3-384 hash:	2918ddea3f7cb1a82c1d06d6faea0ac4c15255b1c879fde61c626cb969272cb5faa79276c721f802df7fedff21cee922
SHA1 hash:	b522050d6600a0dbedff9454aea62a9361353198
MD5 hash:	89416fcdcd3f91a92fb27b7b94779921
humanhash:	berlin-beryllium-foxtrot-robin
File name:	DHL SHIPPING INSTRUCTIONS.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	915'968 bytes
First seen:	2021-09-29 09:48:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:EEkWE+rsr3l/KHOgiH0DEWDLiqbMi10nY/legpRcueexOYU1HS1yVFmrdTKjXEnA:zk8s3l/Km0Bbn2iYueT1HJ/0JW
Threatray	3 similar samples on MalwareBazaar
TLSH	T1CA159D394D2682F787EEC66CD08C0BCEDEA6A4837B919F1AC495D7D2025B70FE49845C
Reporter	abuse_ch
Tags:	DHL exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL SHIPPING INSTRUCTIONS.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-29 19:52:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5ba1e11d-af8c-4540-822c-835707bc033a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/193085/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1037-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d42f5e3a-c961-4e42-bac6-95c7301eb45a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/860779

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f6f4b913fe7cafc611a1ff5ac857ed342a0bc5a83ae5b3cb2485d5beaa31b15/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-29 09:49:07 UTC

AV detection:

10 of 45 (22.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j5xuxej747fpyyi2d722zbl62nbkbpc2qoxfwpfsjbovx2vddmkq._file

Verdict:

malicious

RedLineStealer

a8e79ab98f2b367304c2df704319eea240b7e3ab3d8afba773bb709f2234a6d5

RedLineStealer

f7e23df2027195ee0a30647e149bd79cd77eccb8a1d82cd38cc74b364ba94a05

RedLineStealer

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion

Link:

https://tria.ge/reports/210929-ltc13aeefm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Unpacked files

SH256 hash:

75430288e9e63aa4297a8e25396a8c520f1e0f34743cd182c5170387c881ff4a

MD5 hash:

33aebe714b649c606bde7090f15a3c84

SHA1 hash:

fab947de931b7a5e1a46f026103ece78eb06f1be

Link:

https://www.unpac.me/results/174f743c-5f76-4190-aebd-131c7a6f4670/

SH256 hash:

43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345

MD5 hash:

f62ab5d3528d5a3b9e270ea1f9347868

SHA1 hash:

6a74e87711c615adbd9145f829a33f55b7e42dd6

Link:

https://www.unpac.me/results/174f743c-5f76-4190-aebd-131c7a6f4670/

SH256 hash:

01e8c1405e206b1d725fa4c20e2337a2cb83a6b447bab791ca4b643a7794ec2c

MD5 hash:

cc409ea4e325b8395250b9d4c9c1143f

SHA1 hash:

5642299f254e8d40df646b143b3219e467a7a3a0

Link:

https://www.unpac.me/results/174f743c-5f76-4190-aebd-131c7a6f4670/

SH256 hash:

4f6f4b913fe7cafc611a1ff5ac857ed342a0bc5a83ae5b3cb2485d5beaa31b15

MD5 hash:

89416fcdcd3f91a92fb27b7b94779921

SHA1 hash:

b522050d6600a0dbedff9454aea62a9361353198

Link:

https://www.unpac.me/results/174f743c-5f76-4190-aebd-131c7a6f4670/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4f6f4b913fe7cafc611a1ff5ac857ed342a0bc5a83ae5b3cb2485d5beaa31b15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193085/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample