MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 888126d0069e6c631531e8f52a5a50a04dc3691b3d3a70e17028e807b2225b72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 888126d0069e6c631531e8f52a5a50a04dc3691b3d3a70e17028e807b2225b72
SHA3-384 hash: dd040f447a49708bbeb8c0fbf1525310c0ef60721df70b9988ae104f676401d8e99591515acbd837deb1c5a59307ded1
SHA1 hash: fc33fdde5cc693999b44bf211fbcaa7e2c6c8bfd
MD5 hash: 1de5d69e310aa3c8d0efb610316f82b7
humanhash: item-river-jig-autumn
File name:1de5d69e310aa3c8d0efb610316f82b7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'760'768 bytes
First seen:2021-08-02 06:01:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:C04EOOlb8530n03+EWvm1o+psQpi4oVvO7zw/Uz5Z:ClCbK00uEG+OQpiMaUz
Threatray 256 similar samples on MalwareBazaar
TLSH T17585E02F37E1A769D1140B77C8034488B7F89A177163E3AF60D54AF48E00B5ADF2E59A
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
553
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1de5d69e310aa3c8d0efb610316f82b7.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-02 06:03:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/821b3712-5d64-4f24-85d9-45d490df2c28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175694/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37333994.6398.32059.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Replacing executable files
Deleting a recently created file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Sending a UDP request
Moving a recently created file
Enabling autorun by creating a file
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9eed993c-d809-4dcd-8145-8f4513cc04ab
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/825274
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/888126d0069e6c631531e8f52a5a50a04dc3691b3d3a70e17028e807b2225b72/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 06:02:04 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0ecfbf08398e1d0470c2f4d40a490808bd1b177cb60d674c5459d85f242952ab
RedLineStealer
6b412461abeb39dca374d4f56db6ecd27f7bc074c494c1553162b6ff8d10cdc1
RedLineStealer
a677db1e19ef0ff96a19fb973e8505296ca98d69c2eb7f97c18f097b6786f9b7
RedLineStealer
b23fac3382a51f1910438bce97a602ced4b5509fe28f323cde76a60914d83c8d
RedLineStealer
c47a4294b97b5b05ac78f01950d4cf964faf03adf9f0b495c157d09c6f3cf564
RedLineStealer
dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353
RedLineStealer
ecc34691e3df1c4c6fc2588efc33007d8c91ef155590280a9f022797ce571014
RedLineStealer
fd51e52869bd1108cdb034a1afe26267a273eba7b06eba90b866cdb5eab44863
RedLineStealer
fe0a5fde4fbbddd79d2938af2373c69a8219ea73831be712f1bca86150a30461
RedLineStealer
+ 246 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
agilenet
Link:
https://tria.ge/reports/210802-md2f1l521x/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Unpacked files
SH256 hash:
888126d0069e6c631531e8f52a5a50a04dc3691b3d3a70e17028e807b2225b72
MD5 hash:
1de5d69e310aa3c8d0efb610316f82b7
SHA1 hash:
fc33fdde5cc693999b44bf211fbcaa7e2c6c8bfd
Link:
https://www.unpac.me/results/2e745a86-a01d-4fdb-ab1b-a98001776243/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/888126d0069e6c631531e8f52a5a50a04dc3691b3d3a70e17028e807b2225b72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 888126d0069e6c631531e8f52a5a50a04dc3691b3d3a70e17028e807b2225b72

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1393781/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175694/

Comments