MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ad150e4729f2f2d2367173ad4a6b05bc0631be4477194d33041b6384e986a60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	5ad150e4729f2f2d2367173ad4a6b05bc0631be4477194d33041b6384e986a60
SHA3-384 hash:	62826ba079f76e156ed354bed5428b6cf0f2cf5ebb6592d6955b1b9b1b7c1dd3ec1b89eda389b2dbaf3a8ad6d83d63f4
SHA1 hash:	82ef6eddf86430804dab798088f76e513b1ca764
MD5 hash:	5575cb5ed7c1c6db52b169517871d268
humanhash:	spaghetti-virginia-crazy-cat
File name:	Sinkro Request Quote _2307180_PER 1000 Pieces …scanneed 00101.Xlsx.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	250'880 bytes
First seen:	2023-07-20 13:07:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	6144:qDKW1Lgbdl0TBBvjc/S3/PhMPYZP1kPk4+h9:Mh1Lk70TnvjcKMPG
Threatray	8 similar samples on MalwareBazaar
TLSH	T19734CF207190C1B3C4BB113085E6CB395E793476477692DBB7DD2BBA9E213D1A3362CA
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter	James_inthe_box
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Sinkro Request Quote _2307180_PER 1000 Pieces …scanneed 00101.Xlsx.exe

Verdict:

Malicious activity

Analysis date:

2023-07-20 13:08:35 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/2420e751-25eb-40d4-9b25-2de89b4f52ce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/426128/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5ad150e4729f2f2d2367173ad4a6b05bc0631be4477194d33041b6384e986a60

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8c6cc788-883a-4367-abcb-36752d060e97

Result

Threat name:

AgentTesla, RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1276803

Signature

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Uses an obfuscated file name to hide its real file extension (double extension)

Uses an obfuscated file name to hide its real file extension (RTLO)

Yara detected AgentTesla

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ad150e4729f2f2d2367173ad4a6b05bc0631be4477194d33041b6384e986a60/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-07-19 10:02:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=llivbzdst4xs2i3hc45njjvqlpaggg7ei5yzjuzqig3dqtuynjqa._file

Verdict:

malicious

Label(s):

agenttesla

RedLineStealer

53224dc914e12b6a02b83e05380d13298bc3720f93eea15ee6205dc51aa2a948

RedLineStealer

685c0426486e575b97363649b440198dda823627b0067ab5e07a39aa830863f7

RedLineStealer

7a866c4ebda9c535d197ee8768fa8eafd71a54cee7f13556399aa8baaa059974

RedLineStealer

84ebd97fd1765dc6341db835a8dc4cff8edefd8f263f87e7b1c89b9d60167447

RedLineStealer

b3d5a8673c8f0c5b36f92ad6102af3259457c4f0a72f45e11c1841ae26e37845

RedLineStealer

ba7f9aa187f2834a0e730911db8e70b035a93c5bfd1d98306a1b8841ee63d9a8

RedLineStealer

f3e85ff8e9a2bc8f6b0f0e75c32e1bb79524da94bbb4da00fcf0f86d477c8da9

RedLineStealer

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230720-qc7xbsgf89/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

b300ca751c7afe47e34853135be15dfa2b7513137b820399a01568fe27e27d5e

MD5 hash:

f97dc301ee15859ac683a78d50bc0c95

SHA1 hash:

eb53cbca1d2ff3b89fcaa80e4a205979e347b2a7

Link:

https://www.unpac.me/results/ca2ff070-c9fa-48cc-80b6-035181c1b33e/

SH256 hash:

58181e407d63a5b24701464046eae348d7c028574c9c555ab5a1618a0fe916a0

MD5 hash:

5edd6b3652fc24cc385f2b6e68437fd0

SHA1 hash:

2a12c8545b96a338bc34421bc82c07ae4dedb32c

Link:

https://www.unpac.me/results/ca2ff070-c9fa-48cc-80b6-035181c1b33e/

SH256 hash:

5ad150e4729f2f2d2367173ad4a6b05bc0631be4477194d33041b6384e986a60

MD5 hash:

5575cb5ed7c1c6db52b169517871d268

SHA1 hash:

82ef6eddf86430804dab798088f76e513b1ca764

Link:

https://www.unpac.me/results/ca2ff070-c9fa-48cc-80b6-035181c1b33e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ad150e4729f2f2d2367173ad4a6b05bc0631be4477194d33041b6384e986a60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/426128/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample