MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 8
| SHA256 hash: | 6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d |
|---|---|
| SHA3-384 hash: | d43df9ac14aa6b72efd1d03cdab4832d400aa41f18ccc305e933fa2357b355816892ecdb05ee5835ea0fc8b68f92bf43 |
| SHA1 hash: | a0cb4240c9c9f789e588565cce4900f1486b10c9 |
| MD5 hash: | 5fc941cada98dda764b01273ed8c1cb7 |
| humanhash: | july-red-high-kitten |
| File name: | 6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d |
| File size: | 785'392 bytes |
| First seen: | 2020-11-30 11:29:55 UTC |
| Last seen: | 2020-11-30 13:46:59 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger) |
| ssdeep: | 6144:njRd6qwYPtgOoHGLkgsckgmOu7dEodMtiHACH+7z5I7B0yNaDKjdOgUEAcfEiEHY:jRdVzPgyTpAGOTbHUK7B05Idk2E/HtN |
| Threatray: | 32 similar samples on MalwareBazaar |
| TLSH: | BFF4081F15D34498C8947970A3A8D2FA73B15EEB290497AE14C60FF7FE116CF3A0925A |
| Reporter: | |
Code Signing Certificate
| Organisation: | Symantec Time Stamping Services CA - G2 |
|---|---|
| Issuer: | Thawte Timestamping CA |
| Algorithm: | sha1WithRSAEncryption |
| Valid from: | Dec 21 00:00:00 2012 GMT |
| Valid to: | Dec 30 23:59:59 2020 GMT |
| Serial number: | 7E93EBFB7CC64E59EA4B9A77D406FC3B |
| Intelligence: | 85 malware samples on MalwareBazaar are signed with this code signing certificate |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95 |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
Intelligence
File Origin
| # of uploads: | 2 |
|---|---|
| # of downloads: | 115 |
| Origin country: | n/a |
Vendor Threat Intelligence
Detection: n/a
Result
Verdict: Malware
Maliciousness:
Behaviour
- Sending a UDP request
- Creating a window
- Launching a process
- DNS request
- Sending an HTTP GET request
- Sending a custom TCP request
- Creating a file
- Using the Windows Management Instrumentation requests
- Reading critical registry keys
- Creating a file in the %temp% directory
- Deleting a recently created file
- Connection attempt
- Creating a file in the Windows subdirectories
- Running batch commands
- Creating a process with a hidden window
- Stealing user critical data
- Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
- .NET source code contains very large array initializations
- Allocates memory in foreign processes
- Antivirus / Scanner detection for submitted sample
- Found many strings related to Crypto-Wallets (likely being stolen)
- Hides that the sample has been downloaded from the Internet (zone.identifier)
- Injects a PE file into a foreign processes
- May check the online IP address of the machine
- Multi AV Scanner detection for submitted file
- Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
- Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Tries to harvest and steal browser information (history, passwords, etc)
- Writes to foreign memory regions
- Yara detected AntiVM_3
- Yara detected RedLine Stealer
Threat name: ByteCode-MSIL.Trojan.Malrep
Status: Malicious
First seen: 2020-09-25 09:49:06 UTC
File Type: PE (.Net Exe)
Extracted files: 16
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Verdict: suspicious
Similar samples: + 22 additional samples on MalwareBazaar
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Program crash
- Suspicious use of SetThreadContext
- Looks up external IP address via web service
- Reads user/profile data of web browsers
- AgentTesla Payload
- AgentTesla
Unpacked files
| SHA256 hash | MD5 hash | SHA1 hash | Detections |
|---|---|---|---|
| 418f95a74d0d6740e56583ae0ed241080bd4ea0feba79e4360373da9d052cb19 | 3c82957d6a3668cb9f2e1637ad7f6d41 | d07245c87fd6e57a722121a03cb441d04fb2a10a | |
| cbaf42ee45df7fc1ad254d86cf7735a6cee0560ad8235735cd75589c7bd8d9c8 | fc02c34cbfbe0eac6cd0e5757a21bff3 | 79dafcadadd6a7302d9f746cfa8eca8fcbfca828 | |
| 51e22a152aba261b45104d9a94d588d1a3817e3bf872891b5c3a2f29b5199dff | e84cc74f9ea9ce36f16d3915ff7ab1ab | 4b33f3a47ac290aab882fe29a54c1d8925b9636b | |
| f9da2cc2cf7686f9609175501cd8494505333c956ec3ec8c5d9ec38ae5d16c20 | de789d60ea9edd8de80ec2161ce39fc0 | 112af52f0c04e693e0e3bc5b04f015a611f65bf2 | win_redline_stealer_g0 |
| 511df1cff818216a8fc02ee687499ac958437f6e9c78f30c40a58ad69631141c | acebb89c7e045f2d954f6922eaee551e | 0db19199d24398f69220d0392daf3da3681a6a46 | |
| 6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d | 5fc941cada98dda764b01273ed8c1cb7 | a0cb4240c9c9f789e588565cce4900f1486b10c9 | |
Please note that we are no longer able to provide a coverage score for VirusTotal.
Threat name: AgentTesla
Score: 1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.