MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74d3058d4b75bf4bd0cb223a8d1f7459b86c08a4ccde6064517ecacc4379fa83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74d3058d4b75bf4bd0cb223a8d1f7459b86c08a4ccde6064517ecacc4379fa83
SHA3-384 hash: 2c2acfa5a69baeff4b3d40d40d944d38415b3a5ee2abfe43a855ec8526956ea906f128c931b3f3305df2d6cff742b908
SHA1 hash: 386b255d96dbe4c17fbef08163701eb731c8df1c
MD5 hash: abf4a1bac5f0740f36e9d204e8d96b99
humanhash: uncle-romeo-jupiter-jig
File name:DHL KULI500796821_PO2208129_SCAN.gz
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:803'148 bytes
First seen:2025-11-10 08:53:43 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 24576:vXIwxfX+hMzciF9a4KAhNCUwbWsFHXZU1CD:vXpFX+KzDF9a4KWCvWsBXZX
TLSH T18F053348DAD95E53913BD6200E36337EE538189AF1EB4DC714E7C699EBC3DEAE040A05
Magika gzip
Reporter cocaman
Tags:DHL gz RedLineStealer


Avatar
cocaman
Malicious email (T1566.001)
From: "DHL Express <export@protochip.it.com>" (likely spoofed)
Received: "from mail.protochip.it.com (mail.protochip.it.com [104.223.108.119]) "
Date: "Mon, 10 Nov 2025 04:45:18 +0100"
Subject: "DHL KULI500796821_PO2208229_SCAN"
Attachment: "DHL KULI500796821_PO2208129_SCAN.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:DHL KULI500796821_PO2208129_SCAN.exe
File size:910'848 bytes
SHA256 hash: 1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
MD5 hash: 08055a493ebebc6d40141f34884deb85
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6911a837ac1ae236e179014b
Tags:
micro
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6911a833935d9f0d73c94f0c/reports/9c0bcd18-fdff-4b42-b02a-a29a5efa8bda/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/74d3058d4b75bf4bd0cb223a8d1f7459b86c08a4ccde6064517ecacc4379fa83
Verdict:
Malicious
File Type:
gz
First seen:
2025-11-09T23:10:00Z UTC
Last seen:
2025-11-12T05:23:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/74d3058d4b75bf4bd0cb223a8d1f7459b86c08a4ccde6064517ecacc4379fa83/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/74d3058d4b75bf4bd0cb223a8d1f7459b86c08a4ccde6064517ecacc4379fa83
Verdict:
inconclusive
YARA:
1 match(es)
Tags:
.Net Executable GZip Archive Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.31
Link:
https://app.malva.re/file/abf4a1bac5f0740f36e9d204e8d96b99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74d3058d4b75bf4bd0cb223a8d1f7459b86c08a4ccde6064517ecacc4379fa83/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/74d3058d4b75bf4bd0cb223a8d1f7459b86c08a4ccde6064517ecacc4379fa83
Threat name:
ByteCode-MSIL.Trojan.RedlineStealer
Create hunting rule
Status:
Malicious
First seen:
2025-11-10 03:02:32 UTC
File Type:
Binary (Archive)
Extracted files:
36
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=otjqldklow7uxuglei5i2h3ulg4gycfeztpgazcrp3fmyq3z7kbq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/74d3058d4b75bf4bd0cb223a8d1f7459b86c08a4ccde6064517ecacc4379fa83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win32_dotnet_form_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET form obfuscate malware
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

gz 74d3058d4b75bf4bd0cb223a8d1f7459b86c08a4ccde6064517ecacc4379fa83

(this sample)

RedLineStealer

Executable exe 1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
  
Dropping
RedLineStealer
  
Dropping
MD5 08055a493ebebc6d40141f34884deb85

Comments