MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 19


Intelligence 19 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
SHA3-384 hash: 5533b31fe29ed18bb3a54e1b816c3aa0538a4192f8be2a036c603a5f163d9a940c3df33e440cee3ac962f69e63e4e29a
SHA1 hash: 3f9c86da575df2ab8519dff1ab5311e0f75398c5
MD5 hash: b6c883e2c234b8e5a103bb58940873d1
humanhash: fish-comet-ohio-green
File name:FedEx_Awb 776779019611.gz.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:666'624 bytes
First seen:2025-11-10 12:17:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:MeRPAqNHvvmlSW2zVJt4oBdzsHPjcniuXqUAoKQeKEsIQD6QC:M+PNHnmsW2zDdzKjcf0oGN4D6QC
Threatray 403 similar samples on MalwareBazaar
TLSH T105E412503A9DCA1BD0B6B3F20972E33413F65E9EA021D7535EE9EEEB74197021844B17
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
_218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4.exe
Verdict:
Malicious activity
Analysis date:
2025-11-10 12:17:53 UTC
Tags:
ultravnc rmm-tool stealer telegram exfiltration agenttesla ims-api generic
Link:
https://app.any.run/tasks/c4a5abe2-5ff9-48aa-9fed-7fa501901790

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/36698/
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6911d7cae2c9ded75d790224
Tags:
virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Changing a file
Stealing user critical data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-06T22:02:00Z UTC
Last seen:
2025-11-12T10:09:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan-PSW.Agensla.TCP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.a Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agensla.g Trojan-PSW.MSIL.Agensla.d Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan-PSW.TeleBot.TCP.C&C Trojan-PSW.TeleBot.HTTP.C&C Trojan-PSW.MSIL.Agensla.i Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agensla.sb HEUR:Trojan-PSW.MSIL.Agensla.gen
Link:
https://opentip.kaspersky.com/218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36e8df53-a9ec-4706-ac66-871f9bc5e1fb
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1811294
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.36 Win 32 Exe x86
Link:
https://app.malva.re/file/b6c883e2c234b8e5a103bb58940873d1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-11-07 02:13:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=egecrqq3krmrh2csooe44nj5vw3g4rr4tyxczhey2y3rko6ynw2a._file
Verdict:
malicious
Label(s):
unc_loader_001
Create hunting rule
unc_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
RedLineStealer
5937ec8f18e55b4cf85388c886992ecf7ada1a3a0ba17688e4fa6ecb2f9f81f6
RedLineStealer
a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5
RedLineStealer
error
RedLineStealer
fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286
RedLineStealer
+ 393 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/251110-pf446sbs9a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2f9a7b35-cdd7-42c3-9fb8-3539c4f2e0d7
Unpacked files
SH256 hash:
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
MD5 hash:
b6c883e2c234b8e5a103bb58940873d1
SHA1 hash:
3f9c86da575df2ab8519dff1ab5311e0f75398c5
Link:
https://www.unpac.me/results/8b05f5a5-c20f-4cba-a741-165f56bea268/
SH256 hash:
12742947dd3e8e37e4ef665d4b9f8e61ee3f5c4ea76c9dbbdbb4be6b746639e8
MD5 hash:
a028c2c8838413b9e7c980f3495feec6
SHA1 hash:
254c1c8232653afae338fbc12ff55ded2dfaa603
Detections:
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/8b05f5a5-c20f-4cba-a741-165f56bea268/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
SH256 hash:
c355d2d93e4d057c9d62f1055af96f3c0b084833e423c49a3a2eb8934c3c6a2b
MD5 hash:
7bbb934bb9c466f3fadbc30f8a09da68
SHA1 hash:
6ddb3e7df4483be55cc4529307881c076782b484
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8b05f5a5-c20f-4cba-a741-165f56bea268/
SH256 hash:
bc2927f389e140b629c71d7cf20bec7897660d55a4ede2bee416bc7a3e90646f
MD5 hash:
52dc0590d461e02f5148961b29ac16e5
SHA1 hash:
951a795bbf23f6750db87dc657eb724e51e70f58
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/8b05f5a5-c20f-4cba-a741-165f56bea268/
Parent samples :
ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6
5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db
86bab321000ab08a9bc5c2eb689c46f779fe62763a0a3fb44b3b79dc958b203d
2675cf7ad014da2525a0fd9ac10362a6b5f8ce33375d0225d299ed2342e196e0
d41a54ee9f6f0de81009d98955fdd03cc7458ef3089bd4d21f8a1fc167f72928
8565683618c7ee771b85070d5694bc041ec25aa7086ce04a44135a81493e3970
d7911c750b95eda25760d99dbc911f231f831492be7f55ee2620c25e85d01dee
4dd4dc6e537cd6431e9f5b84a99a81349e2aa2816dc2c95db9590ee958acd05d
9d020d9aa66b2f0f5ed13065b7d9a8413e8834fc77d78572f4e280965758ae42
45f1f0c4c76cee479f0bb2966f4d9c157e344f9749cdfeb5e4b396aa3285c18d
b2b9e06249eca4b3378f0fcc6b2dbf3fe279f8d2e803f053a406c1de4145623d
6c09b777df1a95bac8b74f67909ea7a24dd048d58847003546ccef328f72aff6
ef2ef9c4bbc252a65d09f98c7dfe0c89a004bf4df3ccc3dcf65230cfcadf580f
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
628a3c3cbfd3a17bb69a617224e33d239729ced5665091578bf96cde788155c3
d96541e0ccbe6b139e9cc92a198fbe5e759e37369ad0fa0233828afefe8cdd34
SH256 hash:
afb20ebed1c94e481f604c00da55157c999379612c5c6588b18e79288f963bc9
MD5 hash:
f730633792fc409a5c956f34d5bbac3a
SHA1 hash:
22aa15e1c527cf41d038f81062df44df8fa1ee89
Detections:
RedLine_Campaign_June2021
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/8b05f5a5-c20f-4cba-a741-165f56bea268/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
SH256 hash:
d2a02eb5e3ed9721d3fff3b9a335e432b478472a52b92916db86a27c247e49cd
MD5 hash:
339e790cf6f1cbb8697ba4ac8a6be442
SHA1 hash:
c3b50cc903d72a7c1ef06a26d44378a0f798ce75
Detections:
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/8b05f5a5-c20f-4cba-a741-165f56bea268/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

gz cbd2c2adf77512ba1883a9ac2e277da600ccba3ff470124e6556a836c50368a0

RedLineStealer

Executable exe 218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 cbd2c2adf77512ba1883a9ac2e277da600ccba3ff470124e6556a836c50368a0
Cape
Cape
https://www.capesandbox.com/analysis/36698/
  
Dropped by
MD5 5cab4dbbf19160139c9d9f338e067491

Comments