MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d38ed95f4f670f295e3b5a2c5d694bbf3ffb28e56f99abd0ef32d5e80d20f0db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	d38ed95f4f670f295e3b5a2c5d694bbf3ffb28e56f99abd0ef32d5e80d20f0db
SHA3-384 hash:	59a966a135acf50eb5202dcb2ffd8bb0c1599fa1bebc9e4d1d1dcf88d87d60e5caace55199b40c0996839a437d67a681
SHA1 hash:	1518515d12abeb94bfe07b5b90018ee869720189
MD5 hash:	bdaff2143b7a7ccbeac9bface4393d13
humanhash:	stream-stairway-mars-undress
File name:	bdaff2143b7a7ccbeac9bface4393d13.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	25'600 bytes
First seen:	2020-11-01 07:11:06 UTC
Last seen:	2020-11-01 08:48:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	384:7+vIY/O4Bng4dhOTlgZ0iSyko8sY6/6WGZ+/HUZT+WtFLNio:6wY/O4BnR6uZ0iSyesSXZ+/IT+EL/
Threatray	132 similar samples on MalwareBazaar
TLSH	89B23A20B3F48339E8960F7F56B8E6415171F2516003EB9F9D9860956F33B8366227EB
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

2

# of downloads :

143

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/81600/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.58261.9840.2933.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Launching a process

Creating a file

Connection attempt

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/517634

Signature

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d38ed95f4f670f295e3b5a2c5d694bbf3ffb28e56f99abd0ef32d5e80d20f0db/

Threat name:

ByteCode-MSIL.Trojan.Ymacco

Status:

Malicious

First seen:

2020-10-31 15:16:28 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Verdict:

unknown

Similar samples:

11556dc2b13d8c9749a60986519048ff3b8bccb5484efd63d0eb07efad71ccdc

46e65e913d85a2d8fa041c2d75b57f8d1790bdfdb38a9d57eb08ced2f6d1416f

5b4cbc85472de1347063a0fdacda8089e916ec37d4e079145a5d81bc3a57c0c5

a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3

aa2e16cedcf7cec09f23a7737adff8068bf5fe0b8f22027ef83add526761a12a

b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04

bd343b1b5db4f37db72ebf4abba33431c9e28fbb845e847ee1184270c8807204

d1ff8fc9653175919374088eade3f15aaf022129f0e3d23669717416b7161c72

e956a58b3dfb4b71d0fddad3a02ffd5cc0c3413684b59e2f9f14fd3626250f1d

f8724be2161dfc04188b5203d9194c530a528cddbc380825258a0adb287e468a

+ 122 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201101-6y86gr5p7n/

Behaviour

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

d38ed95f4f670f295e3b5a2c5d694bbf3ffb28e56f99abd0ef32d5e80d20f0db

MD5 hash:

bdaff2143b7a7ccbeac9bface4393d13

SHA1 hash:

1518515d12abeb94bfe07b5b90018ee869720189

Link:

https://www.unpac.me/results/af4aa41f-023e-466d-a1b0-63460aff7436/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d38ed95f4f670f295e3b5a2c5d694bbf3ffb28e56f99abd0ef32d5e80d20f0db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe d38ed95f4f670f295e3b5a2c5d694bbf3ffb28e56f99abd0ef32d5e80d20f0db

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/81600/

URLhaus

https://urlhaus.abuse.ch/url/759003/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample