MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e12bf1c4b6712d15cebf8556b8d659bc928c6ac18efbb081d56811bd48ce3359. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e12bf1c4b6712d15cebf8556b8d659bc928c6ac18efbb081d56811bd48ce3359
SHA3-384 hash: a6bf11acb0350145a02e61a1513dc418c0e41570cf8b7f1337661a49d8af2b50cb807c580a851841da6ee2efcc542c9d
SHA1 hash: cdef097659397d0c9d64b0f1ebce4268a73add14
MD5 hash: 857f507535bd0a28acedda648c2c4633
humanhash: ack-cold-washington-yellow
File name:857f507535bd0a28acedda648c2c4633.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:167'424 bytes
First seen:2020-05-14 06:26:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:rhjhKKJqoD2DyGolPv/YXpaPkOmb9vu5KiicSXT3Aevo:rhlKKJqoDzGolPHYXpGvmb9vTiix
Threatray 70 similar samples on MalwareBazaar
TLSH F4F33A1023E84B1AD3EE4AB9E432461982F3F55A6072EB5E4E9C64DE1F23B40E4517F7
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.10.27149.11250.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2020-05-14 07:04:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ev7drfwoewrltv7qvllrvszxsjiy2wbr353baovnai32sgognmq._file
Verdict:
unknown
Similar samples:
4aebd2918942c4d01076cd9cb47402c5b8c61e14e86a397488d1abc2e444d626
RedLineStealer
642ecc0813761138cff276fdece24e479604dbc7c012a2a168d018330e1905e5
RedLineStealer
6aeb4c6ab2a989f29fba04866ce13866c082cc729c14502fb86b6a617a3d533a
RedLineStealer
7310d9b87d90bb647879dd9a7adc8cb76e0630dca1e15e75abfd0083203e83a2
RedLineStealer
aa0ef170fbdf28b626cafc71c401ce5e5b151efca751e1301ab1d68ddc6af5ad
RedLineStealer
aaaf01da2fe823f7ccf2e9d400a94dba2ae428f0dfa7a8eef712696c3b4b6fba
RedLineStealer
c4a2c8397cfa4f7f16a317aad541b6c48e35c4420249f702b2c6f01faf66ef61
RedLineStealer
c4e42ebfd487b325ece4f09d75687c96e252aa8559f8a8daad6336dc39ee5424
RedLineStealer
d1eb54cb3aa9ba1fc585cf676c4a814b11786b962da1b1959768794d281084ab
RedLineStealer
d4bb66bd17508438be397f81e2226dd6e4814fcc09573aefec5039a7ec3b10a8
RedLineStealer
+ 60 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-kptla7csbe/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e12bf1c4b6712d15cebf8556b8d659bc928c6ac18efbb081d56811bd48ce3359

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/337936/
  
Delivery method
Distributed via web download

Comments