MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb561adaa259b8c5d98818edf0a1ae6979b8ecadded2f47687772e7933c9ce37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb561adaa259b8c5d98818edf0a1ae6979b8ecadded2f47687772e7933c9ce37
SHA3-384 hash: 633adfe1cf50389eb8ceed939e7d8882736404ab4e91329c57c5b3fc74a2be34396c386d0d27887de3b40d35ffad1a6f
SHA1 hash: 1bc978c90021c371b496a505973fc5138b8db792
MD5 hash: 7a5d1ec6328ed2f129fbca24b699dd4a
humanhash: tennessee-delta-autumn-one
File name:Order confirmation.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:677'888 bytes
First seen:2021-10-04 09:13:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:+N3Ni+hBr7IUALndXQLP80ecvx0CRjowp05MP+rtOAE2:i3Ni+hBr8UALndQ780NvxdRjoI05MP1
Threatray 10'636 similar samples on MalwareBazaar
TLSH T122E47BCB2CDCA3DAF71D00B8EE79775C116A982898AB7DD2DE42F023113251559B3CAD
File icon (PE):PE icon
dhash icon e2ceaeaeb2968eaa (11 x Formbook, 5 x AgentTesla, 5 x AveMariaRAT)
Reporter lowmal3
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order confirmation.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 09:17:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a5508f57-00da-413d-957d-11e07ebf48d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194490/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1048-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/615c0f0598a6280f39324cf8/reports/71c7fa56-06ea-4743-94aa-77a773d616fc/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2a0f22b-5a75-49da-9177-287d49125aaa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863747
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Contains functionality to register a low level keyboard hook
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496171 Sample: Order confirmation.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->37 39 13 other signatures 2->39 7 Order confirmation.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\oVEWqdT.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp8A03.tmp, XML 7->25 dropped 27 C:\Users\user\...\Order confirmation.exe.log, ASCII 7->27 dropped 41 Adds a directory exclusion to Windows Defender 7->41 43 Injects a PE file into a foreign processes 7->43 11 Order confirmation.exe 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 medicare-equipment.com 192.185.84.191, 49869, 49870, 587 UNIFIEDLAYER-AS-1US United States 11->29 31 mail.medicare-equipment.com 11->31 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 2 other signatures 11->51 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cb561adaa259b8c5d98818edf0a1ae6979b8ecadded2f47687772e7933c9ce37/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 11:28:24 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=znlbvwvclg4mlwmiddw7binonf43r3fn33jpi5uho4xhsm6jzy3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
43f6ad854267974db380b33b4f8b809b57acd28d9fd4448841decd63686e1f74
RedLineStealer
4bbb3743225efc4821fed4984d9d41c3fbae8e405bd800b96016e2665bf30c9a
RedLineStealer
5bd13d385d28d048cdbec98575a445b4dedbe6224ce72a0e7cefc1fcd6d7cb7c
RedLineStealer
78d92182044f68431c3ce33c37d860fea24db56fe4cab4e51763ede61eee0c9b
RedLineStealer
94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990
RedLineStealer
a015aa57b2e361f3b8e160f62783aa8dcc602a6798031bcb5112d77890d0b4fa
RedLineStealer
bf64d85bb26463c2ebb653a49ad44e0e9a456b5bf1c4070b046c5eef43502585
RedLineStealer
c10e72609ceae12c610e6c58a706c5bea0f962951e8366a8f6dee3cc42d0addd
RedLineStealer
d0ecbdd58eb20d1490dff0164d6a7ea8d16e75f4e6faeb1af3ded350386bba0c
RedLineStealer
f5400b800544782acf9e16a80368cef1b36eed0e63fd0200523f3d38c54162e9
RedLineStealer
+ 10'626 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211004-k6rjjsgad7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e2a9583fad2b3b6df36d8078a253586cf4caf58a342cff9b6c6b80b3636fa5b7
MD5 hash:
20f56ed56103d73e599300eee018f3a0
SHA1 hash:
9f71ff7899b5d7f9d91d36a6b1f85e1d276e2ff2
Link:
https://www.unpac.me/results/2e0485c2-5118-4e0b-9369-32110a67631f/
SH256 hash:
92c04287eb988ff5a1d692e5884afcd73dd84cc6846ac13e9b6b352b5946cb5c
MD5 hash:
a9587c664cf07bb5340ddbcc9d2d10cf
SHA1 hash:
92ce89b4a73c9e6a071dbf41baaeb591df3b237f
Link:
https://www.unpac.me/results/2e0485c2-5118-4e0b-9369-32110a67631f/
SH256 hash:
6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec
MD5 hash:
681eca96e4e7b513317178dc7065ef39
SHA1 hash:
24af82015bc57d125f1ccb759840118b2283d1dc
Link:
https://www.unpac.me/results/2e0485c2-5118-4e0b-9369-32110a67631f/
SH256 hash:
a77dbd1095f50acc8dfd41968bd5be2e5556066c109e4d90d6f3459670ecd695
MD5 hash:
d482aeabbda021a0c3988b9ab9ba248b
SHA1 hash:
14eb1f22298f9a95883dada2460da3b0792f325c
Link:
https://www.unpac.me/results/2e0485c2-5118-4e0b-9369-32110a67631f/
SH256 hash:
cb561adaa259b8c5d98818edf0a1ae6979b8ecadded2f47687772e7933c9ce37
MD5 hash:
7a5d1ec6328ed2f129fbca24b699dd4a
SHA1 hash:
1bc978c90021c371b496a505973fc5138b8db792
Link:
https://www.unpac.me/results/2e0485c2-5118-4e0b-9369-32110a67631f/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cb561adaa259/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb561adaa259b8c5d98818edf0a1ae6979b8ecadded2f47687772e7933c9ce37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe cb561adaa259b8c5d98818edf0a1ae6979b8ecadded2f47687772e7933c9ce37

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194490/

Comments