MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
SHA3-384 hash: 8d195d311fbf36620c71fffbe7de29662936e7ed5f11e815b3eefd82c46fa074f65b664bfc3f078110f4b080de74b141
SHA1 hash: 67bb449007baec692c0acf158f2435d3e2d7800f
MD5 hash: 3b7ec5eaac48ee385d926a78e32f1e88
humanhash: potato-beryllium-two-utah
File name:486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:665'088 bytes
First seen:2025-12-08 14:33:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:CVaWcqfgY2/kX4/xd1s26j1Ha59Y3DzJbEsm2g/k7EBNY+zEt:sH2RoZO9YOymBm
Threatray 414 similar samples on MalwareBazaar
TLSH T1D3E412195B84D947CC5053790B31E2B56B6C8FEEB422F3068EE6BDEFF821B246944193
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
HU HU
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/e4c3b9b1-cbe7-44ed-aec4-78cdaa7b57a4/
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
Verdict:
Malicious activity
Analysis date:
2025-12-08 15:47:03 UTC
Tags:
stealer ultravnc rmm-tool telegram exfiltration agenttesla ims-api generic
Link:
https://app.any.run/tasks/0e79cac5-9656-4fbf-ab59-ac7b4d6a9a23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43053/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936e1f4881313558a2b82e0
Tags:
stealer virus lien word
Verdict:
Malicious
Labled as:
PasswordStealer.Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-10T03:28:00Z UTC
Last seen:
2025-12-09T08:04:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0250c620-8556-4a5d-8266-9dbdb2bce20c
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.19 Win 32 Exe x86
Link:
https://app.malva.re/file/3b7ec5eaac48ee385d926a78e32f1e88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e/
Threat name:
ByteCode-MSIL.Trojan.TelegramRAT
Create hunting rule
Status:
Malicious
First seen:
2025-11-10 06:29:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jbxklbbiqnfvksimerqsmpbyg7cj7jv2xyom7tx6rrhvfvwhve7a._file
Verdict:
malicious
Label(s):
unc_loader_001
Create hunting rule
unc_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
RedLineStealer
5937ec8f18e55b4cf85388c886992ecf7ada1a3a0ba17688e4fa6ecb2f9f81f6
RedLineStealer
a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5
RedLineStealer
fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286
RedLineStealer
+ 404 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/251208-rxm84aykdr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8338381689:AAHY9G-ZqfCyXE5FRPzYoHIg4HrDCWBX1u4/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/869c096c-b177-4b73-a606-a3de6742e074
Unpacked files
SH256 hash:
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
MD5 hash:
3b7ec5eaac48ee385d926a78e32f1e88
SHA1 hash:
67bb449007baec692c0acf158f2435d3e2d7800f
Link:
https://www.unpac.me/results/76cc08af-0c8d-4b23-b00d-c3f2308657ed/
SH256 hash:
12742947dd3e8e37e4ef665d4b9f8e61ee3f5c4ea76c9dbbdbb4be6b746639e8
MD5 hash:
a028c2c8838413b9e7c980f3495feec6
SHA1 hash:
254c1c8232653afae338fbc12ff55ded2dfaa603
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/76cc08af-0c8d-4b23-b00d-c3f2308657ed/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
d74461873f8d893100c0e403c7c6a226f599ea460ec8728e1710abaec1340753
SH256 hash:
904d11312908be1cbdd7a557f25a4239d8195b0c06fc5aa7317e777cf67133e9
MD5 hash:
f8cab3596439222270c86d0ffce1a08e
SHA1 hash:
9715c4ac7117df5cb0de3b56b9f70bd5592c613a
Link:
https://www.unpac.me/results/76cc08af-0c8d-4b23-b00d-c3f2308657ed/
SH256 hash:
6a0ee24c9d77280c8eb157b92e008cb71e3ceb5ece68583042edc34eae491ba7
MD5 hash:
6a0462fde722f0f7c66a908b6764f6a2
SHA1 hash:
b2cf065710bc741b756e54adcae32e891a3259dd
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/76cc08af-0c8d-4b23-b00d-c3f2308657ed/
SH256 hash:
afb20ebed1c94e481f604c00da55157c999379612c5c6588b18e79288f963bc9
MD5 hash:
f730633792fc409a5c956f34d5bbac3a
SHA1 hash:
22aa15e1c527cf41d038f81062df44df8fa1ee89
Detections:
RedLine_Campaign_June2021
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/76cc08af-0c8d-4b23-b00d-c3f2308657ed/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
d74461873f8d893100c0e403c7c6a226f599ea460ec8728e1710abaec1340753
SH256 hash:
d2a02eb5e3ed9721d3fff3b9a335e432b478472a52b92916db86a27c247e49cd
MD5 hash:
339e790cf6f1cbb8697ba4ac8a6be442
SHA1 hash:
c3b50cc903d72a7c1ef06a26d44378a0f798ce75
Detections:
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/76cc08af-0c8d-4b23-b00d-c3f2308657ed/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
d74461873f8d893100c0e403c7c6a226f599ea460ec8728e1710abaec1340753
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/486ea5842883/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43053/

Comments