MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5515062c13a830721908555c82f8d1812fb6294e0c20e94d3631a9e77952e29b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	5515062c13a830721908555c82f8d1812fb6294e0c20e94d3631a9e77952e29b
SHA3-384 hash:	2bcd7683a69ababa1d1ed2f8df41702a856be5be4e8edc643c83160e10762514d90aa82a897ea78ab08258da0b51988f
SHA1 hash:	f1b3b0c7713bcf804dd65ef737195614145ec821
MD5 hash:	fbcbdc4df022fe61e22b2e3793f936d6
humanhash:	moon-delta-lamp-bulldog
File name:	fbcbdc4df022fe61e22b2e3793f936d6.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	25'088 bytes
First seen:	2020-11-01 06:46:43 UTC
Last seen:	2020-11-01 08:47:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	384:QN9DbRP1mmoXy+hvRK0zydkL0XrmMlqDicedDDwN2EtbNiu:QnDbRP1mfnhvRK0zy0Cwic2xmN
Threatray	131 similar samples on MalwareBazaar
TLSH	73B21C2173E8833AD1FB0B3F69B6C24011B4FA553802D7AFB9C451A66E137455E217E7
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

2

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/81576/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.58261.14639.28281.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Launching a process

Creating a file

Connection attempt

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/517586

Signature

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5515062c13a830721908555c82f8d1812fb6294e0c20e94d3631a9e77952e29b/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-10-31 07:54:56 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Verdict:

unknown

Similar samples:

11556dc2b13d8c9749a60986519048ff3b8bccb5484efd63d0eb07efad71ccdc

46e65e913d85a2d8fa041c2d75b57f8d1790bdfdb38a9d57eb08ced2f6d1416f

5b4cbc85472de1347063a0fdacda8089e916ec37d4e079145a5d81bc3a57c0c5

a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3

aa2e16cedcf7cec09f23a7737adff8068bf5fe0b8f22027ef83add526761a12a

b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04

bd343b1b5db4f37db72ebf4abba33431c9e28fbb845e847ee1184270c8807204

d1ff8fc9653175919374088eade3f15aaf022129f0e3d23669717416b7161c72

e956a58b3dfb4b71d0fddad3a02ffd5cc0c3413684b59e2f9f14fd3626250f1d

f8724be2161dfc04188b5203d9194c530a528cddbc380825258a0adb287e468a

+ 121 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201101-kfhlewegh6/

Behaviour

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

5515062c13a830721908555c82f8d1812fb6294e0c20e94d3631a9e77952e29b

MD5 hash:

fbcbdc4df022fe61e22b2e3793f936d6

SHA1 hash:

f1b3b0c7713bcf804dd65ef737195614145ec821

Link:

https://www.unpac.me/results/417244ab-c7cf-4ebf-b814-473f0c379305/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5515062c13a830721908555c82f8d1812fb6294e0c20e94d3631a9e77952e29b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 5515062c13a830721908555c82f8d1812fb6294e0c20e94d3631a9e77952e29b

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/81576/

URLhaus

https://urlhaus.abuse.ch/url/759003/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample