MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 71aaff890e5c76962463e4f1c102819a6f7469e76139b5b49282f5f596d7ea36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 9
| SHA256 hash: | 71aaff890e5c76962463e4f1c102819a6f7469e76139b5b49282f5f596d7ea36 |
|---|---|
| SHA3-384 hash: | cffc873c91c313ddb520e4f085eb4b2e9e2e75c2f953320369d61c16d0897102fd882e64d2e35a71a909bcc3b465b4e0 |
| SHA1 hash: | 2ab3571f7449baadb3d7bfbe99bc7aface8cc42c |
| MD5 hash: | 0c4e32c6adfd5de13ecfaccb462cb5f9 |
| humanhash: | carbon-mike-social-mississippi |
| File name: | 0c4e32c6adfd5de13ecfaccb462cb5f9.exe |
| Download: | download sample |
| Signature | RedLineStealer |
| File size: | 608'768 bytes |
| First seen: | 2020-12-28 07:49:48 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 2144f9c12885542d4a4f22de64e840e1 (26 x RedLineStealer, 24 x Smoke Loader, 13 x RaccoonStealer) |
| ssdeep | 12288:6OgVxj3MQDEyDjwWt9MwedzSMgqcKbYK7VyEoN3ymxlaFJZJn:0VxDMQDvkzrLcKbYQMbymxlaFJZR |
| Threatray | 290 similar samples on MalwareBazaar |
| TLSH | 90D423B4CC14E1EEC10598716A2DFDE65A41B9170B426320AC0FC89BBB7D4DEB7B2647 |
| Reporter |  abuse_ch |
| Tags: | exe RedLineStealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
538
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0c4e32c6adfd5de13ecfaccb462cb5f9.exe
Verdict:
Malicious activity
Analysis date:
2020-12-28 07:50:38 UTC
Tags:
evasion loader rat redline
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Creates HTML files with .exe extension (expired dropper behavior)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Yara detected Evader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Zenpack
Status:
Malicious
First seen:
2020-12-28 00:17:11 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
5/5
Verdict:
malicious
Similar samples:
+ 280 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Behaviour
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
71aaff890e5c76962463e4f1c102819a6f7469e76139b5b49282f5f596d7ea36
MD5 hash:
0c4e32c6adfd5de13ecfaccb462cb5f9
SHA1 hash:
2ab3571f7449baadb3d7bfbe99bc7aface8cc42c
SH256 hash:
2c4ef6d81c60dc1ca39d0c2955cec4edf88fc4dd943fce54fbdc646db21f04ca
MD5 hash:
a4976053576053ee74754f518311be75
SHA1 hash:
fc54c95a9031d57d9374eae70271f6a3602c2b69
SH256 hash:
ef0d7790fc4caa214f2227116d66438224a7adbed69db07e4dd3b922fcc3708f
MD5 hash:
1623eeb7bdb57ff2bb409cae3c977846
SHA1 hash:
18c1b87cf17ffd1aa1e5a711bfbab473e74806b1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). |
| Rule name: | AutoIT_Script |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies AutoIT script. |
| Rule name: | INDICATOR_SUSPICIOUS_AHK_Downloader |
|---|---|
| Author: | ditekSHen |
| Description: | Detects AutoHotKey binaries acting as second stage droppers |
| Rule name: | MALWARE_AHK_RedLine |
|---|---|
| Author: | ditekshen |
| Description: | RedLine infostealer payload |
| Rule name: | suspicious_packer_section |
|---|---|
| Author: | @j0sm1 |
| Description: | The packer/protector section names/keywords |
| Reference: | http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.