MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 9 File information Comments

SHA256 hash:	990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4
SHA3-384 hash:	1de9317339e182684f24d46f66c69c6af7d4cdac11603d60e15a6fc285a6243ca0dc81b7fb37877e108182474c95a84f
SHA1 hash:	9f87e2b704ad400836da7993efefd8ee5bd42922
MD5 hash:	5127953ac913b6b8dc4c7833ba6a675b
humanhash:	lake-lemon-butter-monkey
File name:	Payment Advice for July SOA____PDF.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	919'552 bytes
First seen:	2025-07-30 13:06:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:5LcQdxuoqf8DaJ5ijibUFgrdqojOPbQse632IAu:5LddhqOaJs5grjjOPUk3c
Threatray	10 similar samples on MalwareBazaar
TLSH	T12E15018417A9C508D5BA1B7864B0E27407787F8AB820E34E5EC8ADEF3D727948D57363
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

QuarantineMessage (12).zip

Verdict:

No threats detected

Analysis date:

2025-07-30 11:37:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f231e181-2a0a-4f89-9582-bfae3f5dcca6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/17790/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.5122.5480.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688a190faf3050dc8d32735d

Tags:

agenttesla lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Launching a service

Changing a file

Stealing user critical data

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed reconnaissance

Link:

https://www.filescan.io/uploads/688a191217928df6494446b9/reports/330974a9-8c46-40fe-8ca9-07073a3d1730/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4

Malware family:

KeyBase

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/89761258-4cb3-4caa-b6a8-eb2f7e749ae1

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2025-07-30 07:26:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tehex565ykzpgsarcc2rxxm52dxiqmeadaah3lqw7hobmkhstl2a._file

Verdict:

malicious

Label(s):

unc_loader_037

unc_loader_001

RedLineStealer

48feedffa17ca579fd3ddfaae4cec3c5c15f72b7b635d34d10d3e91af5e6d488

RedLineStealer

bd866e2c233c16d404a72d97a09e8b486fc9d479404dfa5ad407d1a856584b58

RedLineStealer

bdf7cf1aa8fdce1c25059bf2794c1f517da4405f8637d9413bab565b9c2b9a85

RedLineStealer

c135ff17529e49649818039a136ab8c597f1f77589cf8568dac950c657ba5a66

RedLineStealer

error

RedLineStealer

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/250730-qcva8s1sfx/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/10b212f9-5ac3-4c73-b2aa-b7d5ab8c05e3

Unpacked files

SH256 hash:

990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4

MD5 hash:

5127953ac913b6b8dc4c7833ba6a675b

SHA1 hash:

9f87e2b704ad400836da7993efefd8ee5bd42922

Link:

https://www.unpac.me/results/ed1c7183-5802-487f-86fb-549346eaf849/

SH256 hash:

858c05ad4751dff049a4bbe296ab6fc9cdec1e6b2444e9f4c199522daca9397e

MD5 hash:

f410dd2db4a5a26e6ac04feef0048c12

SHA1 hash:

31555eec184203cacc438bbdf5bc9e850b260e3b

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ed1c7183-5802-487f-86fb-549346eaf849/

SH256 hash:

9d9328086eed35870686d3b2b487d7dba2c6e097c3fbf64e0a9fa83cb126048b

MD5 hash:

dc4c8c85757a7aacce2c9ed03e85c8d3

SHA1 hash:

6aab98acd81bf4e549ae202f1958e8973828e3fd

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/ed1c7183-5802-487f-86fb-549346eaf849/

Parent samples :

990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4
16e430beb3a6af638bdbe4105bcdbd381b0638d949b55fc36cb4829e858e26d4
e58b616f1a21a9a1cbcdaddfa17d5532786572d423a6678f0bb31639d0327764

SH256 hash:

6005f0e4563fef5e8abfdb88cacd5b3d8fd4cff04b1af93e8e01a9990f46d5c0

MD5 hash:

3f17ed370489371093c2a3d768cb6b07

SHA1 hash:

fb4f0ddcaf872e4c7850e4cefad59a2c62f54424

Link:

https://www.unpac.me/results/ed1c7183-5802-487f-86fb-549346eaf849/

SH256 hash:

937f326a3bfd912c504bfe0e1a4f3528170e5f3ce4af7559ef7abc7b92be6f52

MD5 hash:

465d214d61c14e8765f4243814faa005

SHA1 hash:

3f6d7237c12d9e2ac3ab176fea595a95f0c6cdf3

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/ed1c7183-5802-487f-86fb-549346eaf849/

Parent samples :

990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4
16e430beb3a6af638bdbe4105bcdbd381b0638d949b55fc36cb4829e858e26d4
e58b616f1a21a9a1cbcdaddfa17d5532786572d423a6678f0bb31639d0327764

SH256 hash:

f3f9ef6ad137d8f2e76cff36ea3f2da569a678098c735dc35b6050ceab0fb71f

MD5 hash:

47c604093be99c8ac81e18c7f9393ff4

SHA1 hash:

adfacff431a247bd2ee770a78851148243d1c807

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/ed1c7183-5802-487f-86fb-549346eaf849/

Parent samples :

990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4
16e430beb3a6af638bdbe4105bcdbd381b0638d949b55fc36cb4829e858e26d4
e58b616f1a21a9a1cbcdaddfa17d5532786572d423a6678f0bb31639d0327764

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/990e4bf7ddc2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/990e4bf7ddc2b2f3481110b51bdd9dd0ee88308018007dae16f9dc1628f29af4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/17790/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample