MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96
SHA3-384 hash: bdfe223733d95aa6c42cdb75eb296e830314d77da28d20c8c688313de9b38b44a7ed0521c6682068fc44b3162ce48aaf
SHA1 hash: b5ac19e582a021453306abcd8c133cd2f27151ec
MD5 hash: c153ad3dc37306a24b8264576d2b5c0a
humanhash: skylark-florida-jig-zulu
File name:NEW ORDER .pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:921'600 bytes
First seen:2025-08-28 09:36:03 UTC
Last seen:2025-08-29 14:33:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:jaW5qHSt+pOte1IcR2zOQ/f18RFTF2vNx/J:CUiOgZKOv1F2vzx
Threatray 1 similar samples on MalwareBazaar
TLSH T16C1512982247C413D1D717744CD7F3B563BC0E8AA401E61BAADBAEFB792A3443B496D0
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter threatcat_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
111
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
NEW ORDER .pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-08-28 09:38:23 UTC
Tags:
stealer ultravnc rmm-tool evasion auto-sch-xml netreactor phishing massbass exfiltration smtp agenttesla
Link:
https://app.any.run/tasks/b18fd78c-09b3-47fb-9fe0-fe18de8539bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24008/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b02327eb163e0ec182f817
Tags:
underscore lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin masquerade msbuild obfuscated packed packed phishing reconnaissance redline redline regsvcs rezer0 roboski schtasks stego vbc
Link:
https://www.filescan.io/uploads/68b0232c1c81c34281d67ba2/reports/9d23bcd2-5a24-4df4-a500-9c9fa0fc0e0f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-27T23:38:00Z UTC
Last seen:
2025-08-27T23:38:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85f5b26f-c2b6-4256-b693-0920fe4ec2da
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1766883
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1766883 Sample: NEW ORDER .pdf.exe Startdate: 28/08/2025 Architecture: WINDOWS Score: 100 47 mail.nasserbutiadvocates.ae 2->47 49 ip-api.com 2->49 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 17 other signatures 2->75 8 FLWSdPdaRSRoD.exe 5 2->8         started        11 NEW ORDER .pdf.exe 7 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 77 Antivirus detection for dropped file 8->77 79 Multi AV Scanner detection for dropped file 8->79 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->81 85 3 other signatures 8->85 17 FLWSdPdaRSRoD.exe 8->17         started        20 schtasks.exe 8->20         started        39 C:\Users\user\AppData\...\FLWSdPdaRSRoD.exe, PE32 11->39 dropped 41 C:\...\FLWSdPdaRSRoD.exe:Zone.Identifier, ASCII 11->41 dropped 43 C:\Users\user\AppData\Local\...\tmpD9B7.tmp, XML 11->43 dropped 45 C:\Users\user\...45EW ORDER .pdf.exe.log, ASCII 11->45 dropped 83 Adds a directory exclusion to Windows Defender 11->83 22 NEW ORDER .pdf.exe 15 2 11->22         started        25 powershell.exe 23 11->25         started        27 schtasks.exe 1 11->27         started        29 NEW ORDER .pdf.exe 11->29         started        55 127.0.0.1 unknown unknown 14->55 file6 signatures7 process8 dnsIp9 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->57 59 Tries to steal Mail credentials (via file / registry access) 17->59 61 Tries to harvest and steal ftp login credentials 17->61 63 Tries to harvest and steal browser information (history, passwords, etc) 17->63 31 conhost.exe 20->31         started        51 mail.nasserbutiadvocates.ae 50.116.92.45, 49717, 49719, 587 UNIFIEDLAYER-AS-1US United States 22->51 53 ip-api.com 208.95.112.1, 49714, 49718, 80 TUT-ASUS United States 22->53 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->65 67 Loading BitLocker PowerShell Module 25->67 33 conhost.exe 25->33         started        35 WmiPrvSE.exe 25->35         started        37 conhost.exe 27->37         started        signatures10 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-08-28 04:42:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
28 of 38 (73.68%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lr4qxk2scd77fo4ka5mcx6btyrstpfor2vf46lpzsj2oqxn5p2la._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
unc_loader_001
Create hunting rule
Similar samples:
5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96
RedLineStealer
error
RedLineStealer
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250828-llbg9szsht/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c9830145-16da-4893-b2e4-6c9acfc1b33c
Unpacked files
SH256 hash:
5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96
MD5 hash:
c153ad3dc37306a24b8264576d2b5c0a
SHA1 hash:
b5ac19e582a021453306abcd8c133cd2f27151ec
Link:
https://www.unpac.me/results/4d8b60ba-031a-4da0-9c80-f17fb44c768d/
SH256 hash:
a280d28c6197cb1b3785ed2b5c6bc19ff55966229da64c48257d3c9c734d1bd4
MD5 hash:
98f2ecc980f6730ae3590eba29628a9c
SHA1 hash:
3397e62dcd55f2537e2a64f8ee1baec88502fc7a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4d8b60ba-031a-4da0-9c80-f17fb44c768d/
Parent samples :
f179047bce749b1e5558cc83fefe1364c9e7a8b3bdded23e80c3c7bd3b79235c
8dcb4d425919ced69671cb2f6aa8e304f34a4dfa2c0c2ec7161bd19dd0ae5b09
2e776ede29053c0e90a6ce90cf97eefc9a5c8bb31c53e50b50c484d79add9301
992566058d79274af50ccdb71fce3d8c9672d855d19d5b809632d20020780657
fb0e6001dc8c00fd0768162baf0af2786ad2ba8da5f0d6a470cbfdf8bf5238e6
7a29f40dd40b565108145331b7ead5d6a17b46a88dfc4c58c013462683f8c75a
1102be281ceadcc5966ddd8ed9fb1fe436d920bbfcd376dd9ba252ab03d84c7b
f45a08004e83115a292abe23532991b07eb50bd08a19217ef4fa09420a6dad10
44f1a67e4a326b1f751b8e0671a46ff65acd9c8e9c515c764c41c87c3bf9cca8
04eca2d8e55732a9c4d49d7fc90bd2e9996903df22bb76e77797b08252c517a8
13824be7378d454cf0da9481048b1ad869e2bdbe05340a34792674debef6916a
eb93a2c587001ccf2607575c3639b8229d112347d870dfdeec97876f7e0ad8e1
0bd1c5cb9f1a1f2dd30a3fc2188b542364a4cd051c48a1c3ce816bb4ea75c512
e59670071cfffff991781690eb247ba893808bc8a6710e6f1097b53c3e1d121d
493b6a86546ac79b7647bd6f3c3523dd910e6a56e427c45197e957e268df8df2
7d94bdbacd3f8d708adf1709753d2370493ba125a9265a2c97ac36011faa1a44
7e2f600443bbc2848ee277e188f5b7095d6c203d8e023a84224ba8dbb3532234
fb51ffcffd134849ebc6114eacc45a0bd9f2430188fd33064217df5b4cd41508
f569cdb6756554284367297ac45ab98bc87c32a9b0e05a7d6d4001c390dbf102
6f7ec2c8d3c0ef2d5d4e5ea824c0af4264cd08aa0580f04499df5e4b69bc8066
a75d855242b6c93a5788d28047a6b3874dc3c5420dd60e0edee177cf37c66f0c
cb2391d06743d76e0f5494daf21a381c57a6f7f824796697edb50a4424f3fcfc
842dc19cf33d84748f6d47ed991f212b19c04e614b1fdec55afa8e7a428e612c
3d488c7e2ce30c599303d4fc4bdc43692f80cc7e5e6feb1993197d97503f7dc3
9100b0b6f9841dac7febdc66401cf61fccd63f126fa6769945c5505575f00cd9
a2d1da157ce873841a4b6aec36638f2b0b9349730b67af3b2e866607587cbe4c
bd58b37d8db7fcdb3da5c5633598df6d0908863b5050b6aec25b67c566a6137e
946a35262c7946b1314dfdda75f9f95f08bc35253b3cd070ee8561d8a4d27831
82fb3f98f9a5a3c050c3027605199400a80c204611173131096006bb8ff7204d
1c7ed36148366d23b3e54066575bc2ffc1d33bf164e0dcb0b81cc9052ac18069
bc16ea0319477e9b3f88c99b56dc71baf4f7f21d69274f391362f37fb763cf19
102a8536a3b1ba08ac040c2a231ed67aaf22fdf12db43c7ba063a82a30e60030
12c5ca2e49197d68123a414657dd0cfba63ccfd3e388e9f23f9a646b5f36660f
25ea77d8e6b16dd4ddaaf05665d430a0c32fec89901de0596f537a3aeed7e8bd
75a4146af3520c8bb236cfe21ef507eec5f8a082ab20f4dfad55765b6fc04049
95ccc5f493bebfa0e6e8d8239958b7a05bf4921d9822c80ef2173625cab5210a
67f8ffb1f4fc84db43469e598a686406d32dae656ea8939f57d04f5d354666a8
48683dcd70ee544c499f8f810d9e999596277f2033c05596a809e5237c376176
d674ac095490af3430ec4ec50b1be905b1e7f690117da522c447332d78d25bb9
2975357d5c30a76123dc34b14bdb66cbfe1b6413ce16b0f0a95ed4ef2bb6944f
a7bdab2286bade8325d6379938c78a841434f18092089d9487a80a89496548ad
7d1c422b2743f416f59d03c602919838f52503ca8009033bf869f5dcec9278b2
6c0a5cce7cc821d81636aca89eeb21950f7006aa8edf26e67087f86813a1d66a
35789622f4b1e9cb6638acba0fa26ca51e517f34bbac5dc876e3587392dcb6bb
048dee7acb2d6fd7e7e24e4f3d3b825b8277c704c6c71fec66acaa3bff770cfb
fa979f3180a7bd67615f665bb629c70209c5680e2163750362bc94fc1bfd9e73
259ad0de4cc1f77279c2efb6c3d3f5fcf7655013c8f116d25a18c697faab5f45
24e06184fc1bf5b257407c973ab141ea9b4b4ae88e8bf2ba2231f20539491b0f
4e59c60c8ce4d441d9c5dc4fa1b4e510aaec47ce44a0b862ec00cd739a9b8e14
4c9768aebe51831c5f0403e5b4757dede1c53b6395cea328920267b23eaa6280
3ed8b3080fa1952404c1940f5013c4f5f45307e186f55518bcafdc36c3604335
cf473160304d369b5b254d3b32299767da9d51b1e9e8c726d65c08ed1f2a136b
a639bef963ed0809c13a259cd4335a5eefa11f7a9a932bfb403de793ab67efad
4824c73de2a144d3e4fbca50cb9fe2a81dda794258c6c9de45caf3572d17e145
ed68e937c49334eb99ff5ca7bb6b7c45645c3335c11f344f460378a5991323a5
026f6b81acb81bef3b445c2f1adcd6d6f747942ea61c28be6cc007cb3fa297ce
7460ba04d926e4f139afab3079f51b4b5f4ee6cc4963a20e21e0dd0c0873f2ab
e83387eaf804e1f901c10a215a2323211f36a4697eed30486e7018f62bf710c3
5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96
e5858931d0359e9ca3d4c877c84229dece01066ebfabc238093df4ce539dc873
302d72d36d36919ed43d1bd9027eaf3e4b5765f2ce21c513e2b5c78dc392207f
52bd274cd1b0ada7597a4d72e78190d7b5574f0819204b4a3c0ac488256533ed
849402cd1e4eb903a5fa5916c2942a9515191522d555bb367d3cfe733761997b
bd231e1e461b363b43a36d85b6afc39ec93ca892feaad685f6e373ea40ba39f5
2f202930f8eeacaa4c09b516511f28c60294351aa61e499af19112d7f17f7794
0602d4287c73ec32f73636d2b3636867a484ac664fdf0ebd4560bcc282640eb0
605731e94d81ccd5f10b32a0d95f6cfc0a49723fed2a1f83b685c667c9bbab77
255f2855810e99bf8b6f1ff7cd5b5920737ee19210d53e01f5de4302d75b3ade
dc303cf927f0dedb0cc934cf5f8c54b3fe5d0c0952f7d2a34082b9f0434f2346
cc4eec67af1c944dec3427e604e4e098cce364ed1138469d51b264687ade358f
fe7823ad1c068983e2dbe14c0e39c1231a96731d1eb142e8ba7e2fcdcb2b909a
d1e54c22764dbc9a243d2c71d2ba5984d2930a4f5964605dc62245c147263b3a
6dd876657514ae7388426ab3bc2523b4322f581dbde93691d9e388085fdd0ec9
5011b5f7f22afc5a07551fe3bb74078558222f7d8ab643ce10e9e84ce0721dfd
4b7f0e5643becb7682232952d7dec1e9c8b52ddcba5dadf9a42a832638f644fd
53110ae1884fe96541beaf414465711166bf8860261d70bae9d4aa740e6b195d
240813e71ac58f771ec0c63af47acc02ba25d77f32326b121d876ffb751b9e63
853e05e2643a66918b028e434a49610a4588c91144b7969cfc40dc2fb55aa897
cd8484bc36f1b71b38d2484a693b04cd58f979dd3ce9ae5cac5722e28b45500f
c5632d6ab65d267d13aacabbb8c23b65d1745a9aebbc64955a157efd1e2ea352
e2d9c7fe499e4021e120a566d0ac0420a79d02ae4eead559390d053c7da0311f
94108630d716276356f19d0234acadd67b10b6aff76cd124a19850f37b2e121d
cc9053792386f5b65b663acfc4a7c4076db2a106692dd04f0c30c349837d7ce1
b020144dfab196ac6ddaa6442884f16734746cf346b859cee50660fbb938271f
515261ba7c77ffd970a3bb7e09d3f54fc5184d72ee48082fd3ac145f004f6e6e
739cb53f9ab48a779c7f0a9aa7829202f2b397e91918a5689b93877b40eba61d
6307f6dcb83c11e69ad410e3d95d49834657fe2124f19c3c4e840d618bb53067
d1f7d720167c082a602177134934c8669fa9fa3110e50a2f03a336a78357abcd
27ca89e42083ae8b80f5ebbf9fd9882630af96303f262b7437aab1b2fb8d256a
8b46306d3f70de4144c7e987d4e488969d3b4521fb9cd64d3722a2de53024bc7
26f160d2d097219dd2b6ffa650dfe0d67b854a53fe5bc23e44aff7c0d7559c37
72e6257648e70a1400c5458cdf405c74cce4079226453e864f018c00147b9624
eb1594e3ef330befff15be4cf913f287c866af3c8a08528bcfc317ec79c7bca3
d6d543741f22a6a4ccc7c66a73ddacbe7918818dd0717f004c3216e180e4da99
bd3cc153f4b3087bd7b7ae80996644097955b6ab7277e2a83165bda8554b8a91
47979229e85fb2c50554534d795075be54dcde94ff32040d3adfe5a6b7475384
f5bb2c09472d5b68f7b1bfae1eadfa4391d4524031497161a2483869300ee70e
1b114b61f4a2313dc924eb4ff2cf26fd0c66b0a4127901d5be4531f1a201928e
5868c11dade3d2e362682b1c5922e58c2adf30297d4c35a9fbb446401510704e
28e56de6f4c2baa3bb15a0887ed66f1e2360d7a4261362a26d91b405ab25df3a
55d8ae2d11aeb76c2214d735c46917541ac04febc6b2f8ac998d1173b838b5ce
2c7e7bf4cd14456572dd850552354b46e89d511300f5dce48561a4f347f8d4b2
819524e650df7f7050d41834f4a30b370e50d99add64ace080c2b57df5ba1997
113138bc20beb3622e945f91d907f7ba942f49a5debf19bd6bed394fdb053533
70edef5a9165f8776f6bde6c60108c0bbcc33e7d10e07d16024bfedf70ec008b
bd1c7fec482e5cae6c29f196953329ee39b3481542738f0b1395392fb9c3ee52
805e59d142a1b2539d79732417912388b5ceb70cedee8f736d755705c9ae977a
0ef28af627a20a5be581f8dc7bff948415a909ad482ed18fdc4554902d20091f
5a30c4e68c8a9e2fa23d7176efd9f712624fb375d443c25b8829dd307e8b030d
68ef29d9bd6e88b4fda357fa69b156376a0a611d287e909285bebbc0d6afc059
49da12598beb3901e854a2c105e7e31d820db9b1f8becf581043fe4c30b1d589
4df0ed007f7b8dbb52f37facd1bef7638fc216804045167f2af37b32c68a2d71
cad1738a30123d36693ddb0531b3b0ac14d8f9eb577609b25905ab28c4e9a3eb
459e3408113537088a5825a91741e4a1de346bdef172710437725554ee90b04c
d41022d91ed5c237cbcb1cfaef080005bf5dae114f06418c873596c6c0149a11
911d8e4c53b4226bb2e1ef12bd7aaf32e88f4f025cf630ad6b02b39261b9dd84
deb7e1610fc03728b90b589440b5d042dc4a38c6a55920211602355f44715e2e
d52658fad02bdbdd90eed0d9029e15b6359efe630f786e3ab5875e2a7f3d5056
f0511e0567f253276f92a19579e7f0e133a28e6ccc5f2b626a623b5e80073b81
08b026f7abf7574f2c01bdfb97e78b406200a874f2638298c489155b84fcb1b2
bfd5c1ddd57dd2cf89518b5524ed3319502860bd876eba635985307d8042a0d1
dd2973ad690eefefe9ac0ca783447c62aa7ccfa814fa57fa00e1ae9ae51d0171
087d88e3175f91f7e9faa287f4c891b367677f61bccfbaf8b75b7e5825e84aab
70ffcccdedd4cbfce9d10e4bf42f9917f33c055ba2078b76976827f3d604ccfb
b3117e84343f3296038c1f2bc91ae2ce0a1eef33855b535dbc0a6110c541bb6d
0973bc15da79ab1527648f46d39016824140c56a2b4204eac047bdeb10bb7960
4f8eb431e07cc4c69fc41ea1e564f99651dc65931073429de3e532a904fb0ce5
268b6fdc221050949a2b624983380cd3fb268fecef2f5bb3a15d91611f3d8092
9cc0ec6a21bd5a6623933e5d35f40cf3d5f3bc9465c0e848b6b39fe8fe1c7038
09197780e4de9aa1abaa44d580b3102138c6d3a03ab46b518f88f8c40dc882df
5e83e874c9e9531fff2a59c1d5c5c559901a6d37bcaaebafdbb915392d1cfb30
413f7d00e03f5dd9362c7d2c8e5ee71de5379343db934bc87a4dd15e251b488c
3f1e1bc2b3ac94cbb03ff9942c8753b0a6ea0ce3e6b682727fb013ee873c3d04
928f36967f7a7af841021d4833479ec18178d48d9c418e772d0b3d32da7a2e6d
e1d174ef5c3d4baad0d5a9a9a6dc782fb666bdc311d4b8fb60d31440e6a34153
c387e0b0e9f50043143b28faf9c15058689c2b3e7f9fb533e3b2f2be3ad95a0b
56ed50dd056f2f5af93e66ae83d490de9b7b9b9fdd490c309b83c31778948184
dcb691b089fa29be68bf87b37c40b0ce085b8c406eb78ce8e80ec80bf524f1e3
f8591a5b43f62cdd88b1e86812b7360ba8e9b41b2780f8df5f276fd4298f4db8
a5dd168a825506e616ba3601e4511e6348f52b7b3168dbc8d3d199fe7a3b84f1
fe805a9919d5721043c3395e167a1c5f0693feff210825d1fe99a240a2bb16dc
2377f0192b7d29a70788442123094080803af5eef2e618c73ce8604f0222a478
c2f71c006d57414ecfcc0a9718779ae6f19c63ff7ef6738c4a5aa7c38e28d77e
fd85a4e75158f628b44a723f2bffc2d6bae956051fc2495256011b9d552d9164
1f116fc881ebc63e82da31c51e4748961f138b2b8f83f948c6605282135ea6e7
1849180107c4fddc3104670d0c3d0249322b49b3439d7681f6b40922806194ed
9a81ff86c16b576d976858cce824e978c380b97087b756fdaedb5736b891d9fb
84a03d4c69389af18a55a569813bd9d02f6c2cee34eea0efb7fe267662bf706e
f67354f208b9b7ea9e45262b27221c5862c73503d92139051a88c0479fc04cda
1d8615b69ab6173b6c115d5cb234f5353744aa3603d3ea6e952e5da508e14b78
75e54e1163e476f84f0659124fe3d3c436ca2d1c84e7b17adf3b69366e20b18a
944c94577ed913dad804faa6e0a51c10ec26780e63b8852c92c64f23919a4848
8056b9e6cd1a8bb5230232b23b08ad23a47b543c8c6cb116e711ba703850c027
31067e4964e4e4c454217fd32a1e68221ae3f470be4faf28a85e48eaccf39162
a29e9b8e67c16a0c46bed63e400297cb520b0084d1a2cccd76fcc4201caae734
b43a26bba9392c41659ef71c0ba10b4c00d641646c002a64cbe11d09fc4f5cd9
a415fd213d9fff8a0f41b0c5adcc41b7eb8db6b30f394c6e0b51fc8a2ad429bb
f1f024ecf670402056cb215338dfbb8de5c25671f9e5e127b9df197dc972bac3
a1aac69e61fbf0ab4f4d04092f73857d04743117f74b0b78dddc0c382659390a
19d827229db9c2e05384b3422e238c54206f976c279967eb6a2097cc19ba4324
d1e777383b749d7f1adcac696732cd4d6fe7ac78a1e3573558a2978190f014aa
5487558b2691eda44b1e4476a8597588f290f6686d200ac9a8e8692d186432a4
a621aed5d7ce456a046646e757826f0c96b0f90bec9f2bcf5e73398af427bd6c
8c9fd9ea38c16b4b38039c60d03c499aff67451f6fcd00d56abd4c81a6f2c3c2
85ec11517de659f7a359f0fac6b06e53229e67bc3ee46bb942c2d4d692cd0982
10f246e9a23f84a9e80787e654d3f5612eaded3b992ccaa7a92a94ce8676e40f
3acb2148708b5413c1dadf7a624e917a0448f90ac1c5c7b76236bf2d0d4947ba
f7fe3016d93d6ccf5f6bde386675afa006b920e015ad70a8698f8524380635b2
99dcd9cd3a6d39ef105c199f464fb5d166f1c3cf0a699cb008aa9b4b75182b39
9d6279109af5c9b69c2c09e5b27fb1d850508496dfbb9d0da623b3b4dc757468
579101645425dfc71e51c4200cbb69b6ffb0429254a86c913d48f0cebbfcc85a
ad188854da20c440975e7bf1bfc218c1917da6d7155c77b8c03fefc148ac1759
adf911021f13749e7a024c1ed4e5d0c4183697ea55530fc1f57c3441df74f5fc
4ed89812437a80fce23d4c00bafc70da61f00f23f8c0132863385686c2e8a06d
1a6c68b2f9c1c0634d001c2a320d14fb73308f380202c7aa4e2ae9d7e03f35e0
ae129ff90d7634798454e7df6ea731577ce9cc456fb6f2497f3af1c77abbb815
8cd56ddaedb0cc45a957765ea3e590005a6fd09715308bf007aa24a2e0c15799
2c3647e18b349259666a5b80a49cb486d5d312947a87673d39a26234852ae002
8b91d1572631d84c5f844303768824f864830722a6f67afec38d9f3f1ed25123
1936d1b8295caabcbd48e3ea53f312bd49c0dab3e41870d807667eda64a29c14
af1dac32cb850795edce8871424e105668dd55e7cab6d1087a1d484e95f5ce83
1185b5e91551a71f839ed9a8893a4c8b9ab98d079a74fc0967a980e90c8d35c7
9b372aa138671e6ea5c0be48db655a7f62172d9affe4d28c0559b28bf5181a67
ad70d6c6d21f2f81955549cf07ef09b01fb18ef8e888b4c44d6933d0676cfce4
62016848b8c42b05e7e94628f567892628da294cf4b2bb35c7ff9ca4e7369715
069393dd8a507d9cc76baffc122ee772fa281d078a95ac7cf2826d05ba251ea3
b9fb69368a5ecddcddc93b9df31c1b313302e768b53f650eb0892a8e6395daaa
60ff822d32c1522b9f7a8496938186f10760df68498775c7a401fe6e23260a9b
9454ed7dab210e18bef21b1c59a2736a65ced61892df6299fdcf743cce638bcf
d712a6037cf6a4d9302adc8298d3be1708ff4f23a99b0de1b56ca9149a4f96e2
b27f625907b905e6f97ce169cabafc6933362c28a75b0430584e44ea95b53682
701fe6d56b805a9cca0dc77d76bb7a2d44aea16fed3632e6a78909bb8f2cc119
734bb8b05e5a6728e15a199bd216842ad5650e4401166d4debcde4819ec3d044
f980f36e53756a9a63992d61749e45842f2e2a2a23b297c886dadf41a3b01e9c
be9e44076ce939fe3455823b2d0293264f2e712f71d850ae16a5b7bf35a29292
fe60a7df5bc022b0e471bf083116a1657e8181a87f26727bee92ec7e8eb2fae8
b741780191794a119c0d9323f1699cbdab8a52cce3850d12ac529393a03a7ff3
8bf440a88117231580f2f636c3597991c7c8f355e0b95aefaa7cd99b0b1066ff
b225beef2338636503b1d0e3f9d43ec35ff0e2d3b271904b4fcafe2c3bc48c01
a09d6699c8aad5ef8e6cc60745ffa8764da18b41e92e3f02da1f45b70c74d695
90439986776b345d31480126e9f24f0c79df25c3f9f1f8ab3bb2981830950150
287b8d3a5d0326958711e0802dbc5dc3ad7df0ee4c22ffafa7a95d3fd416f9fd
e0debd3d856bc96dc136c9477707ad7da3288c6e57e7040ad7e904fb589f4ef5
6930fae092d170045ef16fe16ff486e4232e95ce5092a10c8d42f07bffa0f3e4
620a8006f4abc321fb1683303da342cf0db8dd0b598f29b1124de04df918ef58
e36d13a1a406cdb3b6f4d90653cb212d4c4f2e59ee7435fa43aa053ecb066b05
4107b7ac2f19c4a6d314b2ffd4410735c23ea65152fd999461d3dc5c4fb95186
ef621eb27cf38820b597be924cc1e9198b39a460150f862e4df651e6d3f09bc0
342a701d57b0051e20b4b282c9cc3a6869008ac4a157240df5973180622bbc40
4fd183ba00f63128021f0bb45b0b0b92425222efe10c85225ae813bffe598314
9e408a2b2f751998eb82a75f38924040e88159298634f4d38de814f5750ca824
339d2c7c00043ef1ffa01080771fc2392d4b693dd822370511201f5bf0f45f28
1a1e4f5e5b668ea14d3cfc4f3e65d8638cefe7acc82378245d6b28db9a070d31
390684b6b7f8d3599995c168813e51787cdcdfe686ac5ad637b3a0a085bc09a4
9ea3132e269bb19d4424f64b55907e533a39e4e4587932f37be3cbe2e0984d89
95c305c5d89970d7d4fbbe0649543d2286d21c678af50ef80ceebb360b0a3cbf
fc039ad25b39ddf44318da5677c76c4273df5b74c5f9988985d7458c816c4dbc
fb950059d4dbf088a3f81339ba49bb503db94d915f1dc5707eaed1bffe7ba263
7bd43a4dc0291302cddd4adcd10f9fb8236240f3e78b0da85b59cf45799aaf11
9d769a5f8b3c1495caafa6b9018fe9a6fdcfb4d9c84f056d9c2d4208d88018aa
1ef8f48f8464e37887de6e318960e8814dfe2ddb6576b1a2348d838c6b687c40
b1298b37ed1013fa522241867cdb94d31eaab112d3923040efd29648abf9b238
011c95e1c3e4c516deda11b4039dc8ad135860dd944a12a630aec20583fac677
SH256 hash:
445563ee44e9a64aa6c971803fc745c2915ca26bda9199386b9bdae942df7b6d
MD5 hash:
ea5d7cd7e569534ea11febcf6201d16a
SHA1 hash:
551111e5655f1c748a334273447f3986000c1d1e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4d8b60ba-031a-4da0-9c80-f17fb44c768d/
SH256 hash:
26e9d6c6f19384f3650265c9cec2a4e3252da8a43740d33038a4c03ed42a0947
MD5 hash:
ae7c664ecb3f3e681e83725f79278673
SHA1 hash:
6f69f3f122d4c623f95caa1112aebfdc967f9916
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/4d8b60ba-031a-4da0-9c80-f17fb44c768d/
Parent samples :
e52c8a7aea791e6935c21da222a01172f05216e551bdd46bacfc87a7338934a0
05312d53d7f0968141efdd6ac8af8d39e4b52b724d372eff324cf93f549d536c
e91e804d32576f97f54cda9dd4134e8cf630fb527a14213e1974ddb15fa1473d
3309a024a0201382d31e4e0f37159a30b717f06f3641b9fe51a5a5d61eee0808
6f9e7f2f753573b0f2686c72dfb4bd2c174cb5ae9e435f36bb9f4b87145df44a
cbf1ad5e6e1957e0015cec2ed9689a271df61b00e00e44684add564482531e73
373e2de5a86643443e0a31987c68a69a9c0c816b08becedc61d8a1a3aa6902c2
5885dbee75437bb8e608840aa4cebc3c81652b4998babf704ac5890718186d1e
4c9768aebe51831c5f0403e5b4757dede1c53b6395cea328920267b23eaa6280
5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96
e5858931d0359e9ca3d4c877c84229dece01066ebfabc238093df4ce539dc873
d1e54c22764dbc9a243d2c71d2ba5984d2930a4f5964605dc62245c147263b3a
28208e1b641b60fee3605621354ac86e3fb129a03e391a72c657cc3282287794
SH256 hash:
5628adabdcd292ffb0a7eaa847dfd503617ecff73eaab157bbab63ddaf64ff5e
MD5 hash:
59884c648a34437640e913b37ffed333
SHA1 hash:
6489fa074513a3d4f6129bfc0170c03bade841c7
Detections:
AgentTesla
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/4d8b60ba-031a-4da0-9c80-f17fb44c768d/
Parent samples :
e52c8a7aea791e6935c21da222a01172f05216e551bdd46bacfc87a7338934a0
3309a024a0201382d31e4e0f37159a30b717f06f3641b9fe51a5a5d61eee0808
6f9e7f2f753573b0f2686c72dfb4bd2c174cb5ae9e435f36bb9f4b87145df44a
cbf1ad5e6e1957e0015cec2ed9689a271df61b00e00e44684add564482531e73
373e2de5a86643443e0a31987c68a69a9c0c816b08becedc61d8a1a3aa6902c2
5885dbee75437bb8e608840aa4cebc3c81652b4998babf704ac5890718186d1e
4c9768aebe51831c5f0403e5b4757dede1c53b6395cea328920267b23eaa6280
5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96
e5858931d0359e9ca3d4c877c84229dece01066ebfabc238093df4ce539dc873
d1e54c22764dbc9a243d2c71d2ba5984d2930a4f5964605dc62245c147263b3a
28208e1b641b60fee3605621354ac86e3fb129a03e391a72c657cc3282287794
SH256 hash:
3d937a4c177df48b16f6875471ea5dd6c6eb61f9d2506eae912023f9e869b29d
MD5 hash:
33e66acaa21ceaf20a251419452683c3
SHA1 hash:
abb8740eac36b823ccdf81137d041774080eaa02
Detections:
AgentTesla
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/4d8b60ba-031a-4da0-9c80-f17fb44c768d/
Parent samples :
e52c8a7aea791e6935c21da222a01172f05216e551bdd46bacfc87a7338934a0
3309a024a0201382d31e4e0f37159a30b717f06f3641b9fe51a5a5d61eee0808
6f9e7f2f753573b0f2686c72dfb4bd2c174cb5ae9e435f36bb9f4b87145df44a
cbf1ad5e6e1957e0015cec2ed9689a271df61b00e00e44684add564482531e73
373e2de5a86643443e0a31987c68a69a9c0c816b08becedc61d8a1a3aa6902c2
5885dbee75437bb8e608840aa4cebc3c81652b4998babf704ac5890718186d1e
4c9768aebe51831c5f0403e5b4757dede1c53b6395cea328920267b23eaa6280
5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96
e5858931d0359e9ca3d4c877c84229dece01066ebfabc238093df4ce539dc873
d1e54c22764dbc9a243d2c71d2ba5984d2930a4f5964605dc62245c147263b3a
28208e1b641b60fee3605621354ac86e3fb129a03e391a72c657cc3282287794
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5c790bab5210/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 5c790bab5210fff2bb8a07582bf833c4653795d1d54bcf2df99274e85dbd7e96

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24008/

Comments