MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb
SHA3-384 hash: 29d382e33b5c1a93625f4e8ba9e04e6b542fcddf7da7c4af1e37e476364704239a69a593ebe9e101b386acc819f0aea5
SHA1 hash: 046a67f71372119d1b6cf85e0ae1539d10f64ebb
MD5 hash: fa21969e11539bb863a3dcb3dd987dbc
humanhash: white-summer-west-virginia
File name:fa21969e11539bb863a3dcb3dd987dbc.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:452'608 bytes
First seen:2021-03-29 07:58:41 UTC
Last seen:2021-03-29 08:43:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 913f22d493f938d4ad754ef3464de5b9 (1 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 12288:9iSfx5LFcse1noXDL4XGySMseMidOt5QH:9VG1l8Ms5pv
Threatray 158 similar samples on MalwareBazaar
TLSH 1CA40100B6F2C033E5568DB54438D3654A76FCA25B346ACB7BE47B2AAE313D14B76342
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fa21969e11539bb863a3dcb3dd987dbc.exe
Verdict:
Malicious activity
Analysis date:
2021-03-29 08:03:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7d9c2d73-0a72-4916-bd8c-d33b59de44cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127511/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.4560.167.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656602
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb/
Threat name:
Win32.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-29 07:59:07 UTC
AV detection:
14 of 48 (29.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xpysuntl7imsus4jtw2hrasprbzibjfvieflxyn55jooqijq7h5q._file
Verdict:
malicious
Similar samples:
3aeac75dedb84f873b1982843de3adcf11d956f1645eb7a91625de0dd67f1f8a
RedLineStealer
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
RedLineStealer
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
RedLineStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RedLineStealer
752abe1050403b95676de500b60db8b36e26f02e4b24eb84ae9f4daf6d03b957
RedLineStealer
abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74
RedLineStealer
b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d
RedLineStealer
c5eee53cdd6b6cbbd5019764f7ad3a74de92d1629619e972b8a3a1a7d2994170
RedLineStealer
d1597e584fec8eb356aa5c831045b2ce68531e69fe70436fa3ca0d8dd1d90ca7
RedLineStealer
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
RedLineStealer
+ 148 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210329-enf1mm3bf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
15961db064ea3016a241102d3436d6b3fcdaa6420eccd89b127ed93ca94a387e
MD5 hash:
31c55efc0f92945caa8f28304a7eee2c
SHA1 hash:
ded7cc31c86f3bb3495aebe4069cd3f2547cf60c
Link:
https://www.unpac.me/results/088332cc-792d-42b7-9480-f80a394fc921/
SH256 hash:
ad0c1b49bed1db0c7115c9711116bd8779c5967ae66a72512bc8ba8bd08e3e1a
MD5 hash:
79e311262ed12914eb563b8f65390936
SHA1 hash:
5838643357083d408d5bb98ec72f339af71563c9
Link:
https://www.unpac.me/results/088332cc-792d-42b7-9480-f80a394fc921/
SH256 hash:
9a63726d59863eac2876dc4dc4b82bbbcc4d112291f60a0d7530665a645dbc4f
MD5 hash:
41066eb3e7ab60b5e094f6dccf7d4304
SHA1 hash:
085129b6ab690289f110032b9404b121d41ce4ff
Link:
https://www.unpac.me/results/088332cc-792d-42b7-9480-f80a394fc921/
SH256 hash:
bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb
MD5 hash:
fa21969e11539bb863a3dcb3dd987dbc
SHA1 hash:
046a67f71372119d1b6cf85e0ae1539d10f64ebb
Link:
https://www.unpac.me/results/088332cc-792d-42b7-9480-f80a394fc921/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1075484/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127511/

Comments