MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee5330d0a01cd004994c5798a3c0c09b160b560e6cdb3f2509b9af2431a0a8fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 4



SHA256 hash: ee5330d0a01cd004994c5798a3c0c09b160b560e6cdb3f2509b9af2431a0a8fd
SHA3-384 hash: c7b3cbcc99f188f63a44ec8b92cc7f2ce9b96252381bb93ebc0ad783c7307a5b561700a479da2f028ed57affd96c1255
SHA1 hash: 9ed3eba21e10ed90e8274637d1f107147ad3e1d1
MD5 hash: 069d92db455f752a961882db9ed2871a
humanhash: double-carpet-uranus-zulu
File name: jshp1.bin
Signature: RedLineStealer
File size: 546'456 bytes
First seen: 2020-07-10 11:08:48 UTC
Last seen: 2020-07-10 12:10:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:vLDEwewvy+E7gYRoUA6fCHDBZregWhkp+ARJUGqi:Mwbq+tUw1ZrTlpRChi
Threatray: 172 similar samples on MalwareBazaar
TLSH: FFC4D0B439206BEEF0358B70D426AC3467703C3BD616C60AA8D3BA875675352961FB1F
Reporter: JAMESWT_WT
Tags: RedLineStealer

Code Signing Certificate

Organisation: GoPro finance Groops
Issuer: GoPro finance Groops
Algorithm: sha1WithRSAEncryption
Valid from: Jul 8 16:43:48 2020 GMT
Valid to: Jul 9 16:43:48 2030 GMT
Serial number: 35530840A503EDB84A66ED7F0B92DE66
Thumbprint algorithm: SHA256
Thumbprint: AE7ADD19DBBEFF5AD8D8B21BAE0F41C1C0BE3F9A7210A18777EE0C1C7A2120D6
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 87
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Connection attempt
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Forced system process termination
Launching a tool to kill processes
Unauthorized injection to a system process
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2020-07-10 09:30:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe ee5330d0a01cd004994c5798a3c0c09b160b560e6cdb3f2509b9af2431a0a8fd (this sample)

Comments