MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 776a04f1852b68198799608faf85259faa0bb2916477953b8b2a6cbac50b3a6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 10 File information Comments

SHA256 hash:	776a04f1852b68198799608faf85259faa0bb2916477953b8b2a6cbac50b3a6a
SHA3-384 hash:	0e4826cc098ea80837e382a855c7f3cc332bad6ace0eea313231a74cd65c500eda8dce11b056861f1c10e72d48980f05
SHA1 hash:	2fd81b48701d461d9e6dfbef1e2813ce47c43c86
MD5 hash:	c1bd61dffcd716c2de2088d89a359abb
humanhash:	earth-idaho-enemy-utah
File name:	rPayment-405192.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'177'600 bytes
First seen:	2025-08-06 02:00:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:ytb20pkaCqT5TBWgNQ7aGHGf0ZmuakaA42xfVKe6A:/Vg5tQ7aG608T2xfVR5
Threatray	2'586 similar samples on MalwareBazaar
TLSH	T14245C02273DEC360C7B25273BA267701AEBF782506A5F56B2FD4093DE920162521E773
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	FXOLabs
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

rPayment-405192.exe

Verdict:

Malicious activity

Analysis date:

2025-08-06 02:02:26 UTC

Tags:

stealer ultravnc rmm-tool agenttesla netreactor

Link:

https://app.any.run/tasks/3f7dea64-6794-499e-a833-de286e7abd9b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/19097/

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6892b7511e8a59ee04e61541

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit compiled-script fingerprint keylogger masquerade microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/6892b746397fd3ce6f9e78f0/reports/449c252c-cf4d-46d2-97ce-bfe7aec5ca98/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/776a04f1852b68198799608faf85259faa0bb2916477953b8b2a6cbac50b3a6a

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dec57534-151b-42de-bb8c-1a712dc5da57

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/776a04f1852b68198799608faf85259faa0bb2916477953b8b2a6cbac50b3a6a

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/c1bd61dffcd716c2de2088d89a359abb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/776a04f1852b68198799608faf85259faa0bb2916477953b8b2a6cbac50b3a6a/

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/776a04f1852b68198799608faf85259faa0bb2916477953b8b2a6cbac50b3a6a

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=o5vaj4mffnubtb4zmch27bjft6vaxmurmr3zko4lfjwlvrilhjva._file

Verdict:

malicious

Label(s):

agenttesla

autoit

unc_loader_036

unc_loader_001

RedLineStealer

45ddd3d094952ac4afc6940a70f0f18e2797d8d315147c784245d39678c82c2f

RedLineStealer

5844ed48c715807758c598cec87812b65bf5c08d3f66c2bd74af768cfb1dc9b5

RedLineStealer

6584f13ecd514b59ef380f0fa106ef5f6ef53e2bb39e0da02947e83de62f6444

RedLineStealer

7cd4a13ee2c96269b007c40b1e9ecb41484001dc576773ec60cffa4072693e85

RedLineStealer

error

RedLineStealer

f904ab44449fe254d89bfde5b03e3034c769539a161da18b11f34a7fb5b9d669

RedLineStealer

+ 2'576 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250806-cfa5watmt9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6844c67c-b3bb-440e-bc09-0b5637fdd088

Unpacked files

SH256 hash:

776a04f1852b68198799608faf85259faa0bb2916477953b8b2a6cbac50b3a6a

MD5 hash:

c1bd61dffcd716c2de2088d89a359abb

SHA1 hash:

2fd81b48701d461d9e6dfbef1e2813ce47c43c86

Link:

https://www.unpac.me/results/b51ffb4a-0150-4e28-996d-5f78ecc0d3ca/

SH256 hash:

93c0fc1d52ec6995762432eec61917255191237eb0823beb1a0c8914e811783f

MD5 hash:

8abf824490d7a7a05b4944e25b050997

SHA1 hash:

d8aceba3e71a3bb7d0e42e4b63805d318f298d55

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/b51ffb4a-0150-4e28-996d-5f78ecc0d3ca/

SH256 hash:

cfd6091d4be0ce5552f1bc1f6cacfd5f6e16ad4a789ffb7f9d8bc485f4cee6de

MD5 hash:

97657e090dd39c35f70c89f8e5a3553a

SHA1 hash:

5f66a74e82ea6d0a56ae0bf5e0923a788ce22b09

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/b51ffb4a-0150-4e28-996d-5f78ecc0d3ca/

SH256 hash:

4b632732011bf9cf7bb246d478c9dda7d2214fb9582146d1e9d8bd5a698c3d7d

MD5 hash:

5227bf3177d0adfab02e962d60acf58a

SHA1 hash:

9f533495754003076bcc069d179e66ee5454fcdd

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

RedLine_Campaign_June2021

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/b51ffb4a-0150-4e28-996d-5f78ecc0d3ca/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/776a04f1852b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/776a04f1852b68198799608faf85259faa0bb2916477953b8b2a6cbac50b3a6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

exe 776a04f1852b68198799608faf85259faa0bb2916477953b8b2a6cbac50b3a6a

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/19097/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample