MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a6d5b2b997b79970a7823ef06d4777bbff6713479322d191328c37299c10ebf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLocker


Vendor detections: 16



SHA256 hash: 0a6d5b2b997b79970a7823ef06d4777bbff6713479322d191328c37299c10ebf
SHA3-384 hash: a268c6da07d465de9d2563563e7c4652658e4ed8c41b38c7d7ddfe35cf528fb5c6ff9939097da8964c41a51f2b61d61a
SHA1 hash: 8bd9aea88155e7e2e59486e185f8e1d4f53debb5
MD5 hash: e02b063ce0953b38763f4ccc5e9ac1f6
humanhash: bulldog-hydrogen-kitten-india
File name: SecuriteInfo.com.Trojan.MulDrop21.55508.25047.31358
Signature: RedLocker
File size: 9'703'424 bytes
First seen: 2025-10-03 20:23:14 UTC
Last seen: 2025-10-03 21:37:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 196608:7+HQOiYBQR5AmXxBvJvcwKtWl2T5go6HTJJQSEl2lS5+2+xMXVLdnv7c/XA:iqRr7KwseR3QZl2kcYngo
TLSH T1E8A63373A5BC9C54CD4C92B785386D16BA5AA43FE5C34F8CB285BF814584185A03FFAC
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags: exe RedLocker
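The imphash above deserves a caveat. It hashes the PE import table (library and function names), and a managed .NET executable imports a single native symbol, mscoree.dll!_CorExeMain, so every such binary produces the same value; that is why this entry's imphash is also carried by tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples and is useless as a pivot here. The script below is an added example, not MalwareBazaar's code: it reimplements the Mandiant imphash over a hand-written import list (no pefile needed) so the collision can be seen directly. The native import table in it is constructed for contrast and is not taken from this sample; the real algorithm's ordinal-to-name mapping for ordinal-only imports is omitted.

```python
"""Imphash (Mandiant's import hash) reimplemented as an added example; this is
not MalwareBazaar's code.  The import table is passed in as "DLL!function"
strings so it runs offline without pefile.  Ordinal-only imports, which the
real algorithm maps to names via a lookup table, are not handled."""
import hashlib

# Value shown on this page's entry.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Import table of a typical managed .NET executable: the CLR entry stub is the
# only native import, so every such binary hashes identically.
DOTNET_STUB_IMPORTS = ["mscoree.dll!_CorExeMain"]

# Constructed native import table for contrast (not from the sample).
NATIVE_IMPORTS = [
    "KERNEL32.dll!CreateFileW",
    "KERNEL32.dll!WriteFile",
    "ADVAPI32.dll!RegSetValueExW",
    "SHELL32.dll!ShellExecuteW",
]

_STRIP_EXT = (".dll", ".ocx", ".sys")


def imphash(imports):
    """Mandiant imphash: for each import, in import-table order, lowercase
    '<library without .dll/.ocx/.sys>.<function>'; MD5 the comma-joined list."""
    parts = []
    for entry in imports:
        lib, func = entry.split("!", 1)
        lib = lib.lower()
        for ext in _STRIP_EXT:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def is_dotnet_stub(imphash_value):
    """True when an imphash is the one every CLR-stub-only .NET binary
    produces, i.e. the value carries no family information at all."""
    return imphash_value == imphash(DOTNET_STUB_IMPORTS)


if __name__ == "__main__":
    print("dotnet stub :", imphash(DOTNET_STUB_IMPORTS))
    print("page value  :", PAGE_IMPHASH,
          "(stub-only .NET)" if is_dotnet_stub(PAGE_IMPHASH) else "")
    print("native      :", imphash(NATIVE_IMPORTS))
    # Import order is part of the hash: a rebuilt import table changes it.
    print("reordered   :", imphash(list(reversed(NATIVE_IMPORTS))))
```

For .NET samples like this one, pivot on the ssdeep and TLSH values, or on the hashes of the unpacked files listed further down, rather than on imphash.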

Intelligence


File Origin
# of uploads :
2
# of downloads :
69
Origin country :
FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
redLOCKER.exe
Verdict:
Malicious activity
Analysis date:
2025-09-20 21:55:28 UTC
Tags:
auto-reg auto-drop delphi

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
91.7%
Tags:
dropper sage blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Your mouse was active while VM was running
Launching a process
Enabling the 'hidden' option for recently created files
Modifying a system executable file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Launching a tool to kill processes
Forced shutdown of a system process
Creating a file in the mass storage device
Enabling autorun
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet venomrat
Verdict:
Malicious
Labeled as:
Backdoor.Marte.VenomRAT.Generic
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-20T19:08:00Z UTC
Last seen:
2025-10-04T10:14:00Z UTC
Hits:
~10
Malware family:
ModernLoader
Verdict:
Malicious
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Verdict:
Malicious
Threat:
ByteCode-MSIL.Malware.Heuristic
Threat name:
ByteCode-MSIL.Backdoor.MarteVenomRAT
Status:
Malicious
First seen:
2025-09-20 21:55:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
unc_loader_048 unc_loader_051 unc_loader_063
Similar samples:
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence upx
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Hide Artifacts: Hidden Files and Directories
UPX packed file
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Modifies WinLogon for persistence
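The two behaviour lists above describe one persistence and cleanup pattern: a file dropped under %AppData% with the hidden attribute set, a Run-key entry, a Winlogon modification, and taskkill run against browser and other processes. The script below is an added example, not code from any of the vendors quoted here: it parses a .reg export (the export embedded in it is constructed for the demo, not data from this sample) and flags Run entries that launch from user-writable directories or reuse a system binary's name outside \Windows, and Winlogon Shell/Userinit values that chain a program beyond the stock one. It needs no Windows APIs, so the same check works on a hive exported from a suspect host and copied off-box.

```python
"""Offline persistence triage over a .reg export for the two locations the
behaviour lists above name: the CurrentVersion\\Run key and Winlogon's
Shell/Userinit values.  Added example, not sandbox or MalwareBazaar code; the
registry export below is constructed for the demo, not taken from the sample."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Update"="\"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\""
"Helper"="C:\\Users\\alice\\Documents\\csrss.exe -silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

RUN_KEYS = ('\\currentversion\\run', '\\currentversion\\runonce')
WINLOGON_KEY = '\\windows nt\\currentversion\\winlogon'
# Programs these values carry on a stock system; anything else is chained.
WINLOGON_DEFAULTS = {
    'shell': {'explorer.exe'},
    'userinit': {'c:\\windows\\system32\\userinit.exe'},
}
# Staging directories a user (and therefore a dropper running as that user)
# can write to.  AppData\Local as a whole is deliberately not listed: per-user
# installers such as OneDrive, Teams and Chrome legitimately live there.
SUSPICIOUS_DIRS = ('\\appdata\\roaming\\', '\\appdata\\local\\temp\\',
                   '\\windows\\temp\\', '\\programdata\\', '\\users\\public\\')
# Names that only belong under \Windows\ on a real system.
SYSTEM_NAMES = {'svchost.exe', 'csrss.exe', 'lsass.exe', 'winlogon.exe', 'explorer.exe'}


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse REG_SZ values from a .reg export into {key: {name: value}}."""
    hive, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            hive.setdefault(key, {})
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            hive[key][_unescape(m.group(1))] = _unescape(m.group(2))
    return hive


def image_path(cmdline):
    """First token of a command line, honouring a quoted executable path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ''


def audit(hive):
    """Return (location, value_name, program, reason) for each suspect entry."""
    findings = []
    for key, values in hive.items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, cmd in values.items():
                path = image_path(cmd).lower()
                base = path.rsplit('\\', 1)[-1]
                if any(d in path for d in SUSPICIOUS_DIRS):
                    findings.append(('Run', name, path, 'launches from user-writable directory'))
                elif base in SYSTEM_NAMES and not path.startswith('c:\\windows\\'):
                    findings.append(('Run', name, path, 'system binary name outside \\Windows'))
        elif k.endswith(WINLOGON_KEY):
            for name, val in values.items():
                expected = WINLOGON_DEFAULTS.get(name.lower())
                if expected is None:
                    continue
                programs = [p.strip().lower() for p in val.split(',') if p.strip()]
                extra = [p for p in programs if p not in expected]
                if extra:
                    findings.append(('Winlogon', name, ','.join(extra), 'non-default program chained'))
    return findings


def audit_sample():
    return audit(parse_reg(SAMPLE_REG))


if __name__ == '__main__':
    for loc, name, prog, why in audit_sample():
        print(f'{loc:8} {name:10} {prog}  <- {why}')
```

Export the keys on a suspect host with `reg export` (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`) and feed the file to `parse_reg`. The OneDrive entry in the constructed export is there on purpose: it is the kind of legitimate AppData\Local autorun that a cruder "anything under AppData" rule would report, which is why only the Roaming and Temp subtrees are treated as staging directories.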
Unpacked files
SHA256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
SHA256 hash:
ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash:
a35ee23aaab26afc575ac83df9572b57
SHA1 hash:
81ea38c694ce9702faddfb961f17c1bbf628a76d
SHA256 hash:
00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash:
bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash:
cdf7dd7dd1771edcc473037af80afd7e449e30d9
SHA256 hash:
0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash:
13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash:
e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd
SHA256 hash:
17b9ed33c67e1dc5f0d150b3d3d9321221cfed6f47f6cfa00fb924040f587964
MD5 hash:
6a99ebc9dabf62bd4e69553a63c3c0fa
SHA1 hash:
a1e64d214657d4057ab68b8052b3d065fa05a3c7
SHA256 hash:
2d20b3bc803f279e67db9f09ebca29d5fe1669af206292406b57a1a4ae2cdf51
MD5 hash:
d15575a168f0763a8630ed7d2a14a67a
SHA1 hash:
c0181953d48fc9c55468dee3d2dae4daf634cc2b
SHA256 hash:
24d3083288ad77a3555c58297dbc58dea3448c3dc59e1c90a38983ea8225d2d7
MD5 hash:
626bddf2a9f220663c9d1ea13213b080
SHA1 hash:
c480ce8ac49fb3a607031601b87469b832085e57
SHA256 hash:
a6e8444e5130fad063860de89944509f065a17847c025c316ed4a5ee11963c07
MD5 hash:
7dd3fbc14e49065b154b7810cdcf7969
SHA1 hash:
c0c6860cb5ffa4f830950637e13af685a7449647
SHA256 hash:
e65f0ec8a3b0503948df3c6340b51bf8f8c44aa4710434cf2832095faf91a28d
MD5 hash:
e4d8f7755cf78927019b52b7bcb5e1f1
SHA1 hash:
79df97e7a83e2100dfe16a4f5cfbce40303bc96b
SHA256 hash:
8e85a25cd2e148a1fc4e7fa45f096213923c6229cd2ebb67af5f7b086a69e05d
MD5 hash:
77ef2dc05eb74f057be0b5f60cf6b925
SHA1 hash:
74821147a7b5ca32ddd07c3f8e457a2b27c893ea
SHA256 hash:
54878b5fe226c84f7cbf442d810c2abd4f0e77e9b6bdc14eaeda0c181ba50918
MD5 hash:
3f5f6775af9be0e8414e32600841aba0
SHA1 hash:
8751f6c1972de073b51d70d7161a515670e6c954
SHA256 hash:
88067f605653bf03d058213fb40e708d325cc14f62609c7ba7404e6cbd94f9c9
MD5 hash:
177e2fad68f7e0fae44338c5664377a0
SHA1 hash:
bc8a4862fbe1466ae24af0b6a8e18d47de07dda8
SHA256 hash:
0325b06100435c54a46f658df393b630e6878ce33ee6d6dae2ff1517c235b5a2
MD5 hash:
2dca158aa6c707d185d95db862144fa9
SHA1 hash:
db2c80bb53040f9d0fcfce906e959e992d572728
SHA256 hash:
2cd2e74b3d534e9ae672539bce959bf14378b34c42521f0e6cb54e20c969f649
MD5 hash:
24342b6e63834355621093e87a9c8462
SHA1 hash:
612da10f481322403173ec40f44441ade8be3fd9
SHA256 hash:
b2698f5fe4b02b7b01e4687f42b674cb23afaae896d68fcd1dc46e5c1d3185a9
MD5 hash:
e97b043f0d418c22abe0b5e9d48c5a22
SHA1 hash:
d4dfc0539ca654af9288683bb3ddb4d9fbf893bf
SHA256 hash:
bbe4e68cfff291ce05a349edda102344a39b46aebf2024e55b80f31ed915871d
MD5 hash:
e7218d61b6fdea13343c773bb05665d8
SHA1 hash:
206b6745bf0c5020c9aa9df1a8ce5c98d87a3ce5
Detections:
win_xorist_auto
SHA256 hash:
5a5f78930f4b9224024bc53dca642cdf62c00c8124b55434fd2c3fcf895f1391
MD5 hash:
3330fd6094f2129981f5492af11a168f
SHA1 hash:
4658636b9a281c272c10a99f7b932dd12923b4ab
SHA256 hash:
0a6d5b2b997b79970a7823ef06d4777bbff6713479322d191328c37299c10ebf
MD5 hash:
e02b063ce0953b38763f4ccc5e9ac1f6
SHA1 hash:
8bd9aea88155e7e2e59486e185f8e1d4f53debb5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Author:malware-lu
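Three of the rules above (MD5_Constants, SHA1_Constants and RIPEMD160_Constants) look for the fixed 32-bit words of those hash functions in the file body. They tend to fire together for a structural reason: MD5, SHA-1 and RIPEMD-160 initialise their state with the same four words (SHA-1 and RIPEMD-160 add a fifth), so a hit on the initial state alone neither identifies the algorithm nor says anything about malice, since any binary that statically links a hash routine carries them. Only the per-round constants separate the three, and even then three of RIPEMD-160's coincide with SHA-1's. The scanner below is an added example of that technique, not phoul's rules or MalwareBazaar's matcher; it runs over constructed byte blobs standing in for a code section, not over this sample.

```python
"""Byte scanner for the crypto-constant heuristic behind the MD5_Constants,
SHA1_Constants and RIPEMD160_Constants matches listed above.  Added example of
the technique, not phoul's rules or MalwareBazaar's matcher.  Shows why the
three fire together: MD5, SHA-1 and RIPEMD-160 share their initial state
words, so only the per-round constants can separate them."""
import struct

# Initial state: MD5 uses A-D; SHA-1 and RIPEMD-160 use the same A-D plus E.
INIT_ABCD = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
INIT_E = 0xC3D2E1F0

# Per-round additive constants: the first four MD5 T[i], all four SHA-1 K,
# and all eight non-zero RIPEMD-160 K/K'.  Three RIPEMD-160 left-line
# constants coincide with SHA-1's, so the full set is required per algorithm.
ALGO_ROUNDS = {
    'md5': (0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE),
    'sha1': (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6),
    'ripemd160': (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xA953FD4E,
                  0x50A28BE6, 0x5C4DD124, 0x6D703EF3, 0x7A6D76E9),
}


def _encodings(word):
    # x86 code carries immediates little-endian; big-endian covers constant
    # tables stored as network-order data or code for big-endian targets.
    return struct.pack('<I', word), struct.pack('>I', word)


def find_constants(buf, words):
    """Map each 32-bit word to the sorted offsets where it occurs in either byte order."""
    hits = {}
    for w in words:
        offsets = []
        for needle in _encodings(w):
            pos = buf.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = buf.find(needle, pos + 1)
        hits[w] = sorted(offsets)
    return hits


def init_state_hits(buf):
    """How many of the shared A-E words are present: 4 looks MD5-shaped, 5 looks
    SHA-1/RIPEMD-160-shaped, and neither is conclusive on its own."""
    return sum(1 for offs in find_constants(buf, INIT_ABCD + (INIT_E,)).values() if offs)


def classify(buf):
    """Names of the algorithms whose complete round-constant set is present."""
    return {name for name, rounds in ALGO_ROUNDS.items()
            if all(find_constants(buf, rounds)[w] for w in rounds)}


def build_blob(words, order='<'):
    """Constructed input: padding around packed constants, standing in for a code section."""
    return b'\x90' * 16 + b''.join(struct.pack(order + 'I', w) for w in words) + b'\xcc' * 16


def scan_file(path):
    """(init words present, algorithms identified) for a file on disk."""
    with open(path, 'rb') as fh:
        data = fh.read()
    return init_state_hits(data), classify(data)


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        blob = build_blob(INIT_ABCD + (INIT_E,))
        print('init words only :', init_state_hits(blob), classify(blob))
        blob = build_blob(INIT_ABCD + ALGO_ROUNDS['md5'])
        print('MD5 routine     :', init_state_hits(blob), classify(blob))
```

Run it with a file path to scan a real binary; with no argument it walks the constructed blobs. On a packed sample like this one the constants usually surface only in the unpacked payload or a process dump, which is the same reason the page notes that its YARA matching also covers process dumps.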

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLocker

Executable exe 0a6d5b2b997b79970a7823ef06d4777bbff6713479322d191328c37299c10ebf

(this sample)

Delivery method
Distributed via web download

Comments