MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 19


Intelligence 19 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
SHA3-384 hash: b2047975f96b51cbf6d4363eb4368cd2e076512730db81c20cfe8adfb4d3c029097b44c3d5e693ce75816c20db552245
SHA1 hash: cd5cab61eee3e808309178ceb18c9c0fef5cb23a
MD5 hash: ffad13a82b76ad9ec671ce5abb483381
humanhash: low-east-four-bakerloo
File name:PO MARKLPO147012025 & 1476t4564548.gz.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:672'768 bytes
First seen:2025-11-12 14:41:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:P40f/1P1s5FV4jskmkS59mAfaUo0fDSIU1TjwObdoRb9wqYmWH2UmweHLq:PxTsnV4j1mkS59m7UoVP7yeHHnmwo
Threatray 411 similar samples on MalwareBazaar
TLSH T1BDE41299135FCE13C5912FF44A10E2F463788E9E9401CB139FE67EDBB63E294A482395
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter cocaman
Tags:exe RedLineStealer RFQ

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PO MARKLPO147012025 & 1476t4564548.gz.exe
Verdict:
Malicious activity
Analysis date:
2025-11-12 14:43:21 UTC
Tags:
stealer ultravnc rmm-tool telegram exfiltration agenttesla ims-api generic
Link:
https://app.any.run/tasks/bc1770e0-a0a4-4fff-86f5-f372d811a444

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37723/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69149c9d60ebe843fe8d654a
Tags:
lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Reading critical registry keys
Launching a service
Changing a file
Connection attempt
Stealing user critical data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-11T23:07:00Z UTC
Last seen:
2025-11-14T12:36:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.MSIL.Agensla.g Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-PSW.TeleBot.TCP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.a Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.d HEUR:Trojan-Spy.MSIL.Agent.sb Trojan-PSW.TeleBot.HTTP.C&C Trojan-PSW.Agensla.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb
Link:
https://opentip.kaspersky.com/b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec547f31-4582-4808-908a-fc318b863da5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1812696
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.31 Win 32 Exe x86
Link:
https://app.malva.re/file/ffad13a82b76ad9ec671ce5abb483381
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-11-12 02:05:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wa5cb5zlxl5eqbkuvucn6roatj5w4vmmtyw5t2vk5evwdi6jbf5q._file
Verdict:
malicious
Label(s):
unc_loader_001
Create hunting rule
unc_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
RedLineStealer
5937ec8f18e55b4cf85388c886992ecf7ada1a3a0ba17688e4fa6ecb2f9f81f6
RedLineStealer
a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5
RedLineStealer
fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286
RedLineStealer
+ 401 additional samples on MalwareBazaar
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a4200e34-8626-4f1a-8fe8-f4f801245d19
Unpacked files
SH256 hash:
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
MD5 hash:
ffad13a82b76ad9ec671ce5abb483381
SHA1 hash:
cd5cab61eee3e808309178ceb18c9c0fef5cb23a
Link:
https://www.unpac.me/results/8d1fd10a-b52a-4548-a8c9-1ef6519a86e1/
SH256 hash:
12742947dd3e8e37e4ef665d4b9f8e61ee3f5c4ea76c9dbbdbb4be6b746639e8
MD5 hash:
a028c2c8838413b9e7c980f3495feec6
SHA1 hash:
254c1c8232653afae338fbc12ff55ded2dfaa603
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/8d1fd10a-b52a-4548-a8c9-1ef6519a86e1/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
d74461873f8d893100c0e403c7c6a226f599ea460ec8728e1710abaec1340753
SH256 hash:
23c93f2984cc7f0c5702d9f741a6c6c40a1d34fb5d8f2ca082b8700a0ecd9aae
MD5 hash:
3b6b7219acadf0f88240ce3ace4333ba
SHA1 hash:
26e1cd92e68087dca156c22410894cc54270c4a3
Link:
https://www.unpac.me/results/8d1fd10a-b52a-4548-a8c9-1ef6519a86e1/
SH256 hash:
2a7509e0f3ce1015e306affdec29ecd8b0c825a07513c51550f33b1c275b97cd
MD5 hash:
514c4db3d78de8dfefe15c02e0316d6a
SHA1 hash:
81961f89b5e50a41af420db3a316790eff018fd6
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8d1fd10a-b52a-4548-a8c9-1ef6519a86e1/
SH256 hash:
afb20ebed1c94e481f604c00da55157c999379612c5c6588b18e79288f963bc9
MD5 hash:
f730633792fc409a5c956f34d5bbac3a
SHA1 hash:
22aa15e1c527cf41d038f81062df44df8fa1ee89
Detections:
RedLine_Campaign_June2021
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/8d1fd10a-b52a-4548-a8c9-1ef6519a86e1/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
d74461873f8d893100c0e403c7c6a226f599ea460ec8728e1710abaec1340753
SH256 hash:
d2a02eb5e3ed9721d3fff3b9a335e432b478472a52b92916db86a27c247e49cd
MD5 hash:
339e790cf6f1cbb8697ba4ac8a6be442
SHA1 hash:
c3b50cc903d72a7c1ef06a26d44378a0f798ce75
Detections:
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/8d1fd10a-b52a-4548-a8c9-1ef6519a86e1/
Parent samples :
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
1458ff285f336ebbbe603f0dfd583509196ce9808b0f1a318d2ec97766bc9615
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
62e13d9a9ce92c9dddd05a616acb12d06cfe831804eab2537f77aaad11927882
b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b
0571d6e01dadf196d8ee4f5969a6c7849543176071e49c59808db83883a4bf37
486ea58428834b55490c2461263c3837c49fa6babe1ccfcefe8c4f52d6c7a93e
4af5db610edacc7a028990bf0c84a075d186b0f780d512601b353aebb0cafabd
d74461873f8d893100c0e403c7c6a226f599ea460ec8728e1710abaec1340753
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b03a20f72bba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

gz 4e297e01b110326b32c30168475b1a26ec864cb96631df0c1e99aa8f237cca12

RedLineStealer

Executable exe b03a20f72bbafa480554ad04df45c09a7b6e558c9e2dd9eaaae92b61a3c9097b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4e297e01b110326b32c30168475b1a26ec864cb96631df0c1e99aa8f237cca12
  
Dropped by
MD5 679907d3f7dd55c2487fe991f50424a7
Cape
Cape
https://www.capesandbox.com/analysis/37723/

Comments