MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f
SHA3-384 hash: cdc05efa83ece6d9e726332d7f49beaea3186275bb3a10204483396e03689be1422b5b2a584b837c0d6a29999743c1a6
SHA1 hash: 6e231ed10e8748a693ecda48dd4e4fbe75ec1f00
MD5 hash: 94c3025d79b61cd59928892d80045443
humanhash: blue-enemy-blossom-arkansas
File name:Balance Payment.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:923'200 bytes
First seen:2023-07-10 06:25:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 24576:Bk70TrcKTnxR8aCfH6eMLDkzsWr6j3fbIVE4MeWbMZX:BkQTAmnxRaaPDwIjIhWAR
Threatray 10 similar samples on MalwareBazaar
TLSH T1ED15126272C0D4B3C9A6183186E9CB762E793112579A80CB7BDD677A2F027C172362CD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Balance Payment.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-10 06:27:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d5eb1443-0b58-4a58-816f-4d8dde61bc90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/413380/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP GET request
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin masquerade overlay packed
Link:
https://www.filescan.io/uploads/64aba47a879586917b23a824/reports/e5fceddd-ee4a-4b39-9d33-559257576dab/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/982d7431-0753-42ce-9713-437dc95b2310
Result
Threat name:
AgentTesla, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270379
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-05 11:29:44 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 38 (68.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wrofyxsdbdzex44kgnqusyot57ms5zistaavrvxy3lz7jgbux47q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05207dd36f4c190728bb232953e7282871243167b39e416985a4539d48103a5d
RedLineStealer
0d147d070c8149fccdde09ba5398a6600e9a6aad9943ac01f55948ccfa74a17d
RedLineStealer
750361a8039bd9876939ca3ee37312821f8cd019eabe123ef884b30433757677
RedLineStealer
84ebd97fd1765dc6341db835a8dc4cff8edefd8f263f87e7b1c89b9d60167447
RedLineStealer
9e375d13756195da6c9c580e435042ff8105ef2c2e83b0270d98f3fc387e6ce8
RedLineStealer
cfda7c13e3c8ef2f8a3665c52f7c88b6ad977b970bd29e9b0dde3218700f25b6
RedLineStealer
d5a23866761bee9282a46084f914960c477f388a158b1d69d835e27396648e80
RedLineStealer
e85d71d6d42b44112aa26403f13e61c7034764d1e6f790afec6e661fae697f4e
RedLineStealer
ec9b16f63e7f1334124c7ecd51e4777a5b3de1f9985736ed197a75dafed18025
RedLineStealer
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230710-g663fshh2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
4c8df4600f15c44313d1a86c822a5ddc866ff9552cffceea182179d0e2211b96
MD5 hash:
91a376f708981a4ca04145ac0da64cb8
SHA1 hash:
ce3f94030f465ddbf48be890587b5a623e0166d8
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
d3d4ce8e4c18482e9b80aff457ea9583f435d7ae565a26ceaf35e4ced9bf1121
MD5 hash:
1b5ebed97aebdeaa6377dec66b7f9859
SHA1 hash:
7db236b9caf794c75b857141c115bc21d85d2a62
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
4699abd34e96393cbc87062501f05c59ce41b265ed9b8da2cf733d0aca87437f
MD5 hash:
7cc5c7a43fff3cbd3974b0ee63f3a9f4
SHA1 hash:
5c36c7251d43bde36253bba6c9908c2725cb7d60
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
6dde51d73a6f5d53e7854c53687f1bc090e66287fdeb8ab90e295da4f4342dc1
MD5 hash:
cea5490ea9b927be65ab849c082b6a96
SHA1 hash:
25d6b2bb5a041c7bb99fb088c2b0a5dd6eebed1d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
Parent samples :
b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f
48c41a8c7e5ae6578f837e56ddf3773ddc9c6e07bbcd1df7dd39326048725e98
SH256 hash:
4c8df4600f15c44313d1a86c822a5ddc866ff9552cffceea182179d0e2211b96
MD5 hash:
91a376f708981a4ca04145ac0da64cb8
SHA1 hash:
ce3f94030f465ddbf48be890587b5a623e0166d8
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
d3d4ce8e4c18482e9b80aff457ea9583f435d7ae565a26ceaf35e4ced9bf1121
MD5 hash:
1b5ebed97aebdeaa6377dec66b7f9859
SHA1 hash:
7db236b9caf794c75b857141c115bc21d85d2a62
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
4699abd34e96393cbc87062501f05c59ce41b265ed9b8da2cf733d0aca87437f
MD5 hash:
7cc5c7a43fff3cbd3974b0ee63f3a9f4
SHA1 hash:
5c36c7251d43bde36253bba6c9908c2725cb7d60
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
6dde51d73a6f5d53e7854c53687f1bc090e66287fdeb8ab90e295da4f4342dc1
MD5 hash:
cea5490ea9b927be65ab849c082b6a96
SHA1 hash:
25d6b2bb5a041c7bb99fb088c2b0a5dd6eebed1d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
Parent samples :
b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f
48c41a8c7e5ae6578f837e56ddf3773ddc9c6e07bbcd1df7dd39326048725e98
SH256 hash:
4c8df4600f15c44313d1a86c822a5ddc866ff9552cffceea182179d0e2211b96
MD5 hash:
91a376f708981a4ca04145ac0da64cb8
SHA1 hash:
ce3f94030f465ddbf48be890587b5a623e0166d8
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
d3d4ce8e4c18482e9b80aff457ea9583f435d7ae565a26ceaf35e4ced9bf1121
MD5 hash:
1b5ebed97aebdeaa6377dec66b7f9859
SHA1 hash:
7db236b9caf794c75b857141c115bc21d85d2a62
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
4699abd34e96393cbc87062501f05c59ce41b265ed9b8da2cf733d0aca87437f
MD5 hash:
7cc5c7a43fff3cbd3974b0ee63f3a9f4
SHA1 hash:
5c36c7251d43bde36253bba6c9908c2725cb7d60
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
6dde51d73a6f5d53e7854c53687f1bc090e66287fdeb8ab90e295da4f4342dc1
MD5 hash:
cea5490ea9b927be65ab849c082b6a96
SHA1 hash:
25d6b2bb5a041c7bb99fb088c2b0a5dd6eebed1d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
Parent samples :
b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f
48c41a8c7e5ae6578f837e56ddf3773ddc9c6e07bbcd1df7dd39326048725e98
SH256 hash:
4c8df4600f15c44313d1a86c822a5ddc866ff9552cffceea182179d0e2211b96
MD5 hash:
91a376f708981a4ca04145ac0da64cb8
SHA1 hash:
ce3f94030f465ddbf48be890587b5a623e0166d8
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
d3d4ce8e4c18482e9b80aff457ea9583f435d7ae565a26ceaf35e4ced9bf1121
MD5 hash:
1b5ebed97aebdeaa6377dec66b7f9859
SHA1 hash:
7db236b9caf794c75b857141c115bc21d85d2a62
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
4699abd34e96393cbc87062501f05c59ce41b265ed9b8da2cf733d0aca87437f
MD5 hash:
7cc5c7a43fff3cbd3974b0ee63f3a9f4
SHA1 hash:
5c36c7251d43bde36253bba6c9908c2725cb7d60
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
SH256 hash:
6dde51d73a6f5d53e7854c53687f1bc090e66287fdeb8ab90e295da4f4342dc1
MD5 hash:
cea5490ea9b927be65ab849c082b6a96
SHA1 hash:
25d6b2bb5a041c7bb99fb088c2b0a5dd6eebed1d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
Parent samples :
b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f
48c41a8c7e5ae6578f837e56ddf3773ddc9c6e07bbcd1df7dd39326048725e98
SH256 hash:
b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f
MD5 hash:
94c3025d79b61cd59928892d80045443
SHA1 hash:
6e231ed10e8748a693ecda48dd4e4fbe75ec1f00
Link:
https://www.unpac.me/results/ba122279-68f4-409f-8ac8-36f2a4ca92dc/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b45c5c5e4308/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/413380/

Comments