MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d6a1f154c6ae1d70ede87fb06b8588807f50b33315fe4dbfbef9126b18f3bc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 10 File information Comments

SHA256 hash:	6d6a1f154c6ae1d70ede87fb06b8588807f50b33315fe4dbfbef9126b18f3bc2
SHA3-384 hash:	41047ea8195e1c607269c65678b6fd0bb8a84135a64069e84505a3fc8aba578b79677002c710e554e864ac2001e49fb5
SHA1 hash:	a660be215df39546ed53dda7f836a0f2a522d8de
MD5 hash:	591477fe516fc900c9d23bb75c3337c2
humanhash:	butter-seven-nine-indigo
File name:	30307_230710_odeme talimat_453747683648987643456.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'013'824 bytes
First seen:	2023-07-10 12:17:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	24576:b5k70TrcBhfEkPAaSqTDrpIXFgVOFazJuNlbk6/ZaCTTNAT:NkQTAYaXDNG+MFaIy6/ZpvNy
TLSH	T1132522203590C1B2D4732A708AC686656E7A30B747B9D5D7BBDC0BAA5F023D5A3361CE
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe geo RedLineStealer TUR

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

30307_230710_odeme talimat_453747683648987643456.exe

Verdict:

Malicious activity

Analysis date:

2023-07-10 12:32:14 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/9d543fa4-1de6-47bb-9e4d-63ca98c17718

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/413570/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Sending a custom TCP request

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/64abf6fbdbb9e835463f712d/reports/3717184b-7521-4a9e-994e-ec439f285cbd/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/6d6a1f154c6ae1d70ede87fb06b8588807f50b33315fe4dbfbef9126b18f3bc2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/78403062-1572-414e-9329-8ac21a9b4627

Result

Threat name:

AgentTesla, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1269745

Signature

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6d6a1f154c6ae1d70ede87fb06b8588807f50b33315fe4dbfbef9126b18f3bc2/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-07-10 12:18:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nvvb6fkmnlq5odw6q75qnocyrad7kcztgfp6jw7356isnmmphpba._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230710-pgldfsab63/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

f83ac7a1cd8e475cd460f21f626d087994bfcb5d1057e960f48563ba022e26a6

MD5 hash:

dc0bd585aabdc29ba1a63119965f5485

SHA1 hash:

cbde752aa1729e62fea158ed90937e14c7e80a81

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

6c0752aed4e1782f1dca180c2817b1b752bbf9b5bd1073f49a00f961c627dd9f

MD5 hash:

8bf0d3b7b8e4a4e027908f531577cd20

SHA1 hash:

aa8bb468cc568feedbf9f564e048f2a3c8859eb4

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

98406a9e009b41d6eff6a1b650e6be1f83f7dd6c9537893e858217ab5503914f

MD5 hash:

092e2728e7d53b330b0cab03608f7180

SHA1 hash:

727637d849683f9c2046315133770e98cc0aaed7

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

12ad856f0aff92bf975e79c627f0499c817cfb3fdbdf707314385e0164c4bbd3

MD5 hash:

7e7ae6ecc4cd91dbd6007ecfe420c0da

SHA1 hash:

25ca71be9de5a0902d29d6ccdbc11293696540c9

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

f83ac7a1cd8e475cd460f21f626d087994bfcb5d1057e960f48563ba022e26a6

MD5 hash:

dc0bd585aabdc29ba1a63119965f5485

SHA1 hash:

cbde752aa1729e62fea158ed90937e14c7e80a81

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

f83ac7a1cd8e475cd460f21f626d087994bfcb5d1057e960f48563ba022e26a6

MD5 hash:

dc0bd585aabdc29ba1a63119965f5485

SHA1 hash:

cbde752aa1729e62fea158ed90937e14c7e80a81

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

6c0752aed4e1782f1dca180c2817b1b752bbf9b5bd1073f49a00f961c627dd9f

MD5 hash:

8bf0d3b7b8e4a4e027908f531577cd20

SHA1 hash:

aa8bb468cc568feedbf9f564e048f2a3c8859eb4

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

6c0752aed4e1782f1dca180c2817b1b752bbf9b5bd1073f49a00f961c627dd9f

MD5 hash:

8bf0d3b7b8e4a4e027908f531577cd20

SHA1 hash:

aa8bb468cc568feedbf9f564e048f2a3c8859eb4

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

98406a9e009b41d6eff6a1b650e6be1f83f7dd6c9537893e858217ab5503914f

MD5 hash:

092e2728e7d53b330b0cab03608f7180

SHA1 hash:

727637d849683f9c2046315133770e98cc0aaed7

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

98406a9e009b41d6eff6a1b650e6be1f83f7dd6c9537893e858217ab5503914f

MD5 hash:

092e2728e7d53b330b0cab03608f7180

SHA1 hash:

727637d849683f9c2046315133770e98cc0aaed7

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

12ad856f0aff92bf975e79c627f0499c817cfb3fdbdf707314385e0164c4bbd3

MD5 hash:

7e7ae6ecc4cd91dbd6007ecfe420c0da

SHA1 hash:

25ca71be9de5a0902d29d6ccdbc11293696540c9

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

12ad856f0aff92bf975e79c627f0499c817cfb3fdbdf707314385e0164c4bbd3

MD5 hash:

7e7ae6ecc4cd91dbd6007ecfe420c0da

SHA1 hash:

25ca71be9de5a0902d29d6ccdbc11293696540c9

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

f83ac7a1cd8e475cd460f21f626d087994bfcb5d1057e960f48563ba022e26a6

MD5 hash:

dc0bd585aabdc29ba1a63119965f5485

SHA1 hash:

cbde752aa1729e62fea158ed90937e14c7e80a81

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

6c0752aed4e1782f1dca180c2817b1b752bbf9b5bd1073f49a00f961c627dd9f

MD5 hash:

8bf0d3b7b8e4a4e027908f531577cd20

SHA1 hash:

aa8bb468cc568feedbf9f564e048f2a3c8859eb4

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

98406a9e009b41d6eff6a1b650e6be1f83f7dd6c9537893e858217ab5503914f

MD5 hash:

092e2728e7d53b330b0cab03608f7180

SHA1 hash:

727637d849683f9c2046315133770e98cc0aaed7

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

12ad856f0aff92bf975e79c627f0499c817cfb3fdbdf707314385e0164c4bbd3

MD5 hash:

7e7ae6ecc4cd91dbd6007ecfe420c0da

SHA1 hash:

25ca71be9de5a0902d29d6ccdbc11293696540c9

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

SH256 hash:

6d6a1f154c6ae1d70ede87fb06b8588807f50b33315fe4dbfbef9126b18f3bc2

MD5 hash:

591477fe516fc900c9d23bb75c3337c2

SHA1 hash:

a660be215df39546ed53dda7f836a0f2a522d8de

Link:

https://www.unpac.me/results/61a067a3-93be-4aff-8276-18fed2a4f4be/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6d6a1f154c6a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV4 Create hunting rule
Author:	Rony (r0ny_123)

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/413570/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample