MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
SHA3-384 hash: ee7cf91413e137564f315fbb77cded0484ffd410b6f296256eb28b92332df4bb9f652170ab0741fb756cf5663c31769f
SHA1 hash: 6806de719ddec92564e9158cd4157161f66a1960
MD5 hash: ab675231315bfdacdcf336517c9738b5
humanhash: island-wolfram-earth-seven
File name:4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:675'840 bytes
First seen:2025-12-08 14:46:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Y1M0+ueV0Q4kmojoiJt3NxTUYAA003Q0hQyFzW7M8RIf/1P1ss:QHfkmoj3/ToP0QsY7vITs
Threatray 414 similar samples on MalwareBazaar
TLSH T17BE40294326DEB12D1AB6BF40C61E07453B55FA97426C3178EE73DDBF02AB404982B93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
HU HU
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/cba81f83-2ec3-4840-aa2c-9579337406b9/
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
Verdict:
Malicious activity
Analysis date:
2025-12-08 18:00:39 UTC
Tags:
stealer ultravnc rmm-tool telegram exfiltration agenttesla ims-api generic
Link:
https://app.any.run/tasks/3389f697-237d-4e2e-ad9b-5ba61ee9389d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43164/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936e51c881313558a2b86ea
Tags:
virus lien
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-12T04:11:00Z UTC
Last seen:
2025-12-07T23:12:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a93c8751-aaf2-4995-9ced-b143739932f3
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.29 Win 32 Exe x86
Link:
https://app.malva.re/file/ab675231315bfdacdcf336517c9738b5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-11-12 07:22:50 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jl25wyio3lghuaujsc7qzbfaoxiynmhxqdkreya3gu5oxmgk7k6q._file
Verdict:
malicious
Label(s):
unc_loader_001
Create hunting rule
unc_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
RedLineStealer
5937ec8f18e55b4cf85388c886992ecf7ada1a3a0ba17688e4fa6ecb2f9f81f6
RedLineStealer
a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5
RedLineStealer
fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286
RedLineStealer
+ 404 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/251208-r5zxvswrbw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8338381689:AAHY9G-ZqfCyXE5FRPzYoHIg4HrDCWBX1u4/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d88405d8-a8a3-4ffc-be13-5d3770b9138c
Unpacked files
SH256 hash:
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
MD5 hash:
ab675231315bfdacdcf336517c9738b5
SHA1 hash:
6806de719ddec92564e9158cd4157161f66a1960
Link:
https://www.unpac.me/results/e70d3643-3d53-44eb-ad91-09f9191e476a/
SH256 hash:
cbee4370e9d97d17ba2cf3c7f414d4d9ae43fd06fce02c518e399a22f6c4cdbf
MD5 hash:
83ff8aad9d357ca67be7cbe3d3334b34
SHA1 hash:
18e2b26d98c34976205dfcd05dc3211913bc345b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e70d3643-3d53-44eb-ad91-09f9191e476a/
SH256 hash:
12742947dd3e8e37e4ef665d4b9f8e61ee3f5c4ea76c9dbbdbb4be6b746639e8
MD5 hash:
a028c2c8838413b9e7c980f3495feec6
SHA1 hash:
254c1c8232653afae338fbc12ff55ded2dfaa603
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/e70d3643-3d53-44eb-ad91-09f9191e476a/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
d74461873f8d893100c0e403c7c6a226f599ea460ec8728e1710abaec1340753
SH256 hash:
23c93f2984cc7f0c5702d9f741a6c6c40a1d34fb5d8f2ca082b8700a0ecd9aae
MD5 hash:
3b6b7219acadf0f88240ce3ace4333ba
SHA1 hash:
26e1cd92e68087dca156c22410894cc54270c4a3
Link:
https://www.unpac.me/results/e70d3643-3d53-44eb-ad91-09f9191e476a/
SH256 hash:
afb20ebed1c94e481f604c00da55157c999379612c5c6588b18e79288f963bc9
MD5 hash:
f730633792fc409a5c956f34d5bbac3a
SHA1 hash:
22aa15e1c527cf41d038f81062df44df8fa1ee89
Detections:
RedLine_Campaign_June2021
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/e70d3643-3d53-44eb-ad91-09f9191e476a/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
d74461873f8d893100c0e403c7c6a226f599ea460ec8728e1710abaec1340753
SH256 hash:
d2a02eb5e3ed9721d3fff3b9a335e432b478472a52b92916db86a27c247e49cd
MD5 hash:
339e790cf6f1cbb8697ba4ac8a6be442
SHA1 hash:
c3b50cc903d72a7c1ef06a26d44378a0f798ce75
Detections:
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/e70d3643-3d53-44eb-ad91-09f9191e476a/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
d74461873f8d893100c0e403c7c6a226f599ea460ec8728e1710abaec1340753
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4af5db610eda/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43164/

Comments