MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c85e251a85dc892e704e6187f45633842c230d2e08b723cdf0ce03ac6bca00ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c85e251a85dc892e704e6187f45633842c230d2e08b723cdf0ce03ac6bca00ea
SHA3-384 hash: fa9d550e0c346aae8ae82d4b33d9a6bd6405338e8aa524c4b8406cbc13071dd8e5efa0bebf13af1990af00e82d5adabe
SHA1 hash: 74a554dfd5273495672b745e8bed72b5181032a4
MD5 hash: e32a2434c79b0bc4cdc1e0e8ed178eb0
humanhash: grey-sodium-louisiana-ten
File name:L0gEDp8CctBvARJ.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:971'776 bytes
First seen:2021-10-04 13:10:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:pA6dFuSHKUshwhnpDDSqafHR4z+FoUMKt:TdFuSqUisDOlPR06oP
Threatray 10'711 similar samples on MalwareBazaar
TLSH T16625BE201254C159EDBBEB3C943196208B3EBDF7643DD54E5CC2B89B2E7334284EAA57
File icon (PE):PE icon
dhash icon 1f185b7767535b47 (14 x AgentTesla, 5 x Formbook, 1 x RedLineStealer)
Reporter lowmal3
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194633/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the shell\open\command registry branches
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/615c0fdcb95458900cdc605f/reports/d4e7a41b-feed-406d-8bf5-d71bfe1e5b8f/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2cb3fc19-d0ea-4541-b618-4e0bb4b08ebb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864076
Signature
.NET source code contains potential unpacker
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496503 Sample: L0gEDp8CctBvARJ.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->33 35 5 other signatures 2->35 7 L0gEDp8CctBvARJ.exe 3 7 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\bgtHZk.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmp8E48.tmp, XML 7->21 dropped 23 C:\Users\user\...\L0gEDp8CctBvARJ.exe.log, ASCII 7->23 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Injects a PE file into a foreign processes 7->43 11 L0gEDp8CctBvARJ.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 medicare-equipment.com 192.185.84.191, 49818, 587 UNIFIEDLAYER-AS-1US United States 11->25 27 mail.medicare-equipment.com 11->27 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c85e251a85dc892e704e6187f45633842c230d2e08b723cdf0ce03ac6bca00ea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 01:40:58 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbpckguf3ses44comgd7ivrtqqwcgdjobc3shtpqzyb2y26kadva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ce0a82bef3a8852e9cd21fa303880fe34243a8bf8940384a8303da6b4677a2c
RedLineStealer
50e9dfae83442184dd88345e7d70c15a5dca42bd827855e49ec03c4e0e072c2f
RedLineStealer
64ad4ef2e4d2826235be5327f8066ac0446f5d53e21f9fed1e48ad03807d32c6
RedLineStealer
6cda0c998a3484125f71a4c086e2652a72c977d90ff4e187a5dae1d62239f31e
RedLineStealer
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
RedLineStealer
7cd6d59439d525ccf002e777f2118121cd494a5a6d5de8710298344beaeb6c72
RedLineStealer
865c3d355eaf051241f621f24a13dda3e8500d28a7c3c8eaa779df1b90da1ccc
RedLineStealer
ae33000cbdc7cc10a8d86ce07727c8159d66a6707e2a453d996dc61c709de96f
RedLineStealer
de80a1b1bc2f591fa7c7bb8cebbf8532543ee7dbb754dde9a2e698ead4b20b4b
RedLineStealer
+ 10'701 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211004-qex5xagch5/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c51f275bdf6fe97f9f59047c436954dd7d284e4cda49c5cb440ce9cbe5b7402f
MD5 hash:
092a720ea11bac6f32c04123c9a5f1c8
SHA1 hash:
fa7459b35d1a85b0f9ec30a88f014549dad44a5c
Link:
https://www.unpac.me/results/afa32746-b584-43c8-ba7b-18c0f8e3bc70/
SH256 hash:
91accbb4fe8e7544fce6faaeb6327f76479c78a5276e4287c43e034cf2f69bfc
MD5 hash:
bbf2aed24f4d46b7e89a3d0752d82712
SHA1 hash:
f223f217030cc36c85fc4e1e66b046a6fdcd117b
Link:
https://www.unpac.me/results/afa32746-b584-43c8-ba7b-18c0f8e3bc70/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/afa32746-b584-43c8-ba7b-18c0f8e3bc70/
SH256 hash:
f1b38d09dbd8120231d30ea3eeb3f86b309d72dfa7e29e503951b3d8e454888f
MD5 hash:
280e6f6a226866a7ea0849ccc286cb5b
SHA1 hash:
5a46878b1114de83f74def9c3b0233eb8b4164e8
Link:
https://www.unpac.me/results/afa32746-b584-43c8-ba7b-18c0f8e3bc70/
SH256 hash:
c85e251a85dc892e704e6187f45633842c230d2e08b723cdf0ce03ac6bca00ea
MD5 hash:
e32a2434c79b0bc4cdc1e0e8ed178eb0
SHA1 hash:
74a554dfd5273495672b745e8bed72b5181032a4
Link:
https://www.unpac.me/results/afa32746-b584-43c8-ba7b-18c0f8e3bc70/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c85e251a85dc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c85e251a85dc892e704e6187f45633842c230d2e08b723cdf0ce03ac6bca00ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe c85e251a85dc892e704e6187f45633842c230d2e08b723cdf0ce03ac6bca00ea

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194633/

Comments