MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0e91f423775ca9ba80077774a4de1a212e890d285bdb587b003d57ba0f68b1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 4



SHA256 hash: f0e91f423775ca9ba80077774a4de1a212e890d285bdb587b003d57ba0f68b1c
SHA3-384 hash: 7751e9deb8e983ce71e30caaa3e8f1aee25bdac871afdad69580538317dd88c6d53120341d6f46eb524443a3456bbf89
SHA1 hash: 4e6a9da8f06687d500c8397264904cc546fdf5c0
MD5 hash: 65362ff767e847a4e7ecb76ac4c610b4
humanhash: grey-vermont-potato-tennis
File name: SecuriteInfo.com.Trojan.GenericKD.43157744.13239.16412
Signature: AgentTesla
File size: 2'460'528 bytes
First seen: 2020-05-15 18:33:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep: 49152:tBnCKJPq1LLAG8opqQeUmJefTZp1RqE8wqvQt9aoa0raoAoihauskeNYET+i8:i3LLAG8oMQeUmATZpj/OoUovioZYEI
Threatray: 44 similar samples on MalwareBazaar
TLSH: CBB523837382A6BADD984438C05698115F017DB542D126233DF6F26F1CBE8DB6CFADA4
Reporter: SecuriteInfoCom
Tags: AgentTesla

Code Signing Certificate

Organisation: Loong IT Company
Issuer: Loong IT Company
Algorithm: sha1WithRSAEncryption
Valid from: May 10 03:02:24 2020 GMT
Valid to: May 11 03:02:24 2030 GMT
Serial number: 4CD73E8BFE20A39545648B3EB604DFD9
Thumbprint algorithm: SHA256
Thumbprint: F92C415E7C2E99F64B54B0BCFFD63C6DE3B9FDE3A6066F15C49FC0B6371BB1A3
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 81
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Reline
Status: Malicious
First seen: 2020-05-12 06:42:00 UTC
File type: PE (Exe)
AV detection: 21 of 31 (67.74%)
Threat level: 2/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline evasion infostealer trojan

Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AgentTesla
File: Executable exe f0e91f423775ca9ba80077774a4de1a212e890d285bdb587b003d57ba0f68b1c (this sample)

Delivery method
Distributed via web download

Comments