MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2552050b44ca05d7ba34cd035cd2d4e8d3593643d2fdb10872b500038e7fffdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 13 File information Comments

SHA256 hash:	2552050b44ca05d7ba34cd035cd2d4e8d3593643d2fdb10872b500038e7fffdd
SHA3-384 hash:	a0c03ba4c7e1356b085f179683e82fa684c400568a166a9bf8b43b58cdae51ea2c8e7c14477e3d569d981a903fa0a9fc
SHA1 hash:	facbc6e4243790ce4093b2e1d133e6b9282fb94d
MD5 hash:	62b4f49ec70ae024543c9bbdbb343af2
humanhash:	charlie-west-jersey-blossom
File name:	rM_VGLRYNWSTN__.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'219'072 bytes
First seen:	2025-08-29 00:00:13 UTC
Last seen:	2025-09-01 12:41:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1895460fffad9475fda0c84755ecfee1 (306 x Formbook, 52 x AgentTesla, 36 x SnakeKeylogger)
ssdeep	24576:x5EmXFtKaL4/oFe5T9yyXYfP1ijXdawFvFv9rFK4QZMqXF:xPVt/LZeJbInQRaw/v9pK4QN
TLSH	T1A145BF027381D062FFAB92334F5AF6115BBC79260123A62F13981DB9BD705B1563E7A3
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	FXOLabs
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

rM_VGLRYNWSTN__.exe

Verdict:

Malicious activity

Analysis date:

2025-08-29 00:02:02 UTC

Tags:

stealer ultravnc rmm-tool exfiltration smtp agenttesla netreactor

Link:

https://app.any.run/tasks/bdac9dec-94b8-4616-ae24-f5ecddfb49f2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/24072/

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b0edc03e988eb6ab82e82d

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Changing a file

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit cmd compiled-script fingerprint fingerprint keylogger lolbin microsoft_visual_cc mpcmdrun packed schtasks squirrel threat

Link:

https://www.filescan.io/uploads/68b0edb71c81c34281d75573/reports/7f9fc24a-969d-415c-9204-a21cb7911197/overview

Verdict:

Malicious

Labled as:

Trojan.BAT.Agent.gen

Link:

https://www.hybrid-analysis.com/sample/2552050b44ca05d7ba34cd035cd2d4e8d3593643d2fdb10872b500038e7fffdd

Verdict:

Malicious

File Type:

exe x32

Link:

https://opentip.kaspersky.com/2552050b44ca05d7ba34cd035cd2d4e8d3593643d2fdb10872b500038e7fffdd/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5d4b9178-2183-44db-bf41-521ac10c8ddf

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2552050b44ca05d7ba34cd035cd2d4e8d3593643d2fdb10872b500038e7fffdd

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2552050b44ca05d7ba34cd035cd2d4e8d3593643d2fdb10872b500038e7fffdd/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-08-29 00:00:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=evjakc2ezic5poruzubvzuwu5djvsnsd2l63ccdswuaahdt777oq._file

Verdict:

malicious

Label(s):

agenttesla

unc_loader_001

Similar samples:

error

RedLineStealer

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250829-aappzadn8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6dafc850-dd34-49c2-a86f-830e8ed4105c

Unpacked files

SH256 hash:

2552050b44ca05d7ba34cd035cd2d4e8d3593643d2fdb10872b500038e7fffdd

MD5 hash:

62b4f49ec70ae024543c9bbdbb343af2

SHA1 hash:

facbc6e4243790ce4093b2e1d133e6b9282fb94d

Link:

https://www.unpac.me/results/6611c312-a82d-4ab2-be4b-a92854666b07/

SH256 hash:

42ae765ab4b8f78c56d2dc2f36ba07bc980f08d253ce8cde661ec3d926d6a0d9

MD5 hash:

3f1d809a50eb40055ea432c8ca011a62

SHA1 hash:

10837dfe31b18bd10107c00999a1b3155fd4aacb

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/6611c312-a82d-4ab2-be4b-a92854666b07/

SH256 hash:

2c489990cf6bf321cc7e1ce629bfd33f581c52ffd08395e34edca1b7ebaab468

MD5 hash:

f9afa48ae7a4d905b83bdbf3dab86516

SHA1 hash:

2faacd0b7668abf378c3a401465d51120520549e

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/6611c312-a82d-4ab2-be4b-a92854666b07/

SH256 hash:

2ecac86788a3a2a1ec59eff2f94c0ce15cf3ad308902cf4b24c3b32f057800c7

MD5 hash:

ae29c85b2d63164afaabb4267d2697b9

SHA1 hash:

d5948ee570a1e74399a00d34760c182de38ba3cb

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

RedLine_Campaign_June2021

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/6611c312-a82d-4ab2-be4b-a92854666b07/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2552050b44ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2552050b44ca05d7ba34cd035cd2d4e8d3593643d2fdb10872b500038e7fffdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

exe 2552050b44ca05d7ba34cd035cd2d4e8d3593643d2fdb10872b500038e7fffdd

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/24072/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample