MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 19

Intelligence 19 IOCs YARA 12 File information Comments

SHA256 hash:	b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e
SHA3-384 hash:	9fbf22395ad6ad39cc57fd40222fbc3e71a7e08a705371c7f87dd4dc29f8b9e99f5642650bf007613a6d3216c02ff8e3
SHA1 hash:	839faf11e3a4e9b2aa8ba693b1e08a7a193735ac
MD5 hash:	9fd96b295c182c936d74dbb92a96a4d4
humanhash:	coffee-alanine-xray-pluto
File name:	Purchase Order 4500564358.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'267'200 bytes
First seen:	2025-07-30 10:55:12 UTC
Last seen:	2025-07-31 06:47:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:VuJd10DId1kq4y9cPkg9wSzEBRaVFy7534VVVe:VuJdKmeDP7TzEBgVoD
Threatray	1 similar samples on MalwareBazaar
TLSH	T180455AE291A508A5D4B71D708822E8333256AC9AD82385589ED7FF5BF5F3ED30C23947
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	8e8f0f0f964d4d2c (4 x Formbook, 3 x AgentTesla, 3 x SnakeKeylogger)
Reporter	lowmal3
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Purchase Order 4500564358.exe

Verdict:

Malicious activity

Analysis date:

2025-07-30 10:58:18 UTC

Tags:

auto-sch-xml evasion stealer ultravnc rmm-tool exfiltration smtp agenttesla netreactor

Link:

https://app.any.run/tasks/4c42450e-9828-4008-a0c9-5b59efaa63d8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/17749/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6889fa1caf3050dc8d326b29

Tags:

lien spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Sending a custom TCP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Launching a service

Changing a file

Stealing user critical data

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap lolbin masquerade msbuild obfuscated packed packed reconnaissance redline redline regsvcs rezer0 roboski schtasks stego vbc

Link:

https://www.filescan.io/uploads/6889fa1c13488cfd44e06f3a/reports/f3d5a784-69a4-44d7-9723-2a66ec5e313f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e

Malware family:

KeyBase

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1c3829fc-c55a-44c2-9ea8-1b0b2cd8521a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1747005

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Check if machine is in data center or colocation facility

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) SOS: 0.23 Win 32 Exe x86

Link:

https://app.malva.re/file/9fd96b295c182c936d74dbb92a96a4d4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e/

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2025-07-30 10:55:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wkfqsnhtnvfppqmifiwzvojbjzsyegyapnfytpwopwxxflb7ajha._file

Verdict:

malicious

Label(s):

unc_loader_037

unc_loader_001

RedLineStealer

error

RedLineStealer

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/250730-m1a1qazqy6/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/047f112e-ee48-4347-96ab-bbbbd40fc9ff

Unpacked files

SH256 hash:

b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e

MD5 hash:

9fd96b295c182c936d74dbb92a96a4d4

SHA1 hash:

839faf11e3a4e9b2aa8ba693b1e08a7a193735ac

Link:

https://www.unpac.me/results/5b09efd7-546b-471e-ae3c-5cdea96053a5/

SH256 hash:

fe2a9e403fe5369240c18ab75a3d6fb8086283d5f68b7ad52f32ab48e82385da

MD5 hash:

b9a80b7b15afb40c5950b53d19278745

SHA1 hash:

42b5f0c945cb185781eb7bf34e55079a5c4b3f13

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/5b09efd7-546b-471e-ae3c-5cdea96053a5/

SH256 hash:

321c0ecba7d8bfa67b3e3a47fb3978bc9c0d86babad2fd196becbcc5ce6ca5a4

MD5 hash:

4e37a6d4a1d072f448a41929a4fff0f2

SHA1 hash:

54ec55b1f8151fa5cbd66fcd704fe167871e4d7b

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/5b09efd7-546b-471e-ae3c-5cdea96053a5/

Parent samples :

0094fc5c570fbe55996557919c14a19aef098d14823b68a815f8d41757cb3684
e74447674de0d55b2b2cde2c6bde58806c411c3f0304d518630bf850145f2cef
8338252e1b1b007bfb5317df49e88c9aeb3b7f8206465c2e84f9d2d949e7cf95
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
eaf06d0161d881f32c23d38ed02cc8112f302367b96b588724541b0c7788a0c8
b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e
0568496f5fe35ca41b4a979106cac8a6ef15f5a0a6725fd4786795c1d2de152c
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
8b4e5f9c54d037c26559bf5c120c1a8a6f4a9c214c4f20ac44368857ac1bf260
5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
1220ac02f58b92353d39a8835a05d509f42244112eea97a789712aee5c22eb85
237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5
14e7936882debada11baf4d5075cb0f81c89257464a35a53012ddd4c18fefd63
55edd2620490e0aa9f0a40f4183a5959a1a5e35bef971399b6703cdc5e817894
ce241e344c9db9df9c0f257fd145c6a676429d315bd0748f89a4ab8657697798

SH256 hash:

6005f0e4563fef5e8abfdb88cacd5b3d8fd4cff04b1af93e8e01a9990f46d5c0

MD5 hash:

3f17ed370489371093c2a3d768cb6b07

SHA1 hash:

fb4f0ddcaf872e4c7850e4cefad59a2c62f54424

Link:

https://www.unpac.me/results/5b09efd7-546b-471e-ae3c-5cdea96053a5/

SH256 hash:

7802240a7de0426b64f0bce2b382c75653962d39941295fc148ccb705a15a520

MD5 hash:

d5fd3313654d981f19ad78eacf68dbdb

SHA1 hash:

8c32322d26485bb69b5a07b423ebd7deb983551c

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/5b09efd7-546b-471e-ae3c-5cdea96053a5/

Parent samples :

0094fc5c570fbe55996557919c14a19aef098d14823b68a815f8d41757cb3684
e74447674de0d55b2b2cde2c6bde58806c411c3f0304d518630bf850145f2cef
8338252e1b1b007bfb5317df49e88c9aeb3b7f8206465c2e84f9d2d949e7cf95
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
eaf06d0161d881f32c23d38ed02cc8112f302367b96b588724541b0c7788a0c8
b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
8b4e5f9c54d037c26559bf5c120c1a8a6f4a9c214c4f20ac44368857ac1bf260
5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
1220ac02f58b92353d39a8835a05d509f42244112eea97a789712aee5c22eb85
14e7936882debada11baf4d5075cb0f81c89257464a35a53012ddd4c18fefd63
55edd2620490e0aa9f0a40f4183a5959a1a5e35bef971399b6703cdc5e817894
ce241e344c9db9df9c0f257fd145c6a676429d315bd0748f89a4ab8657697798

SH256 hash:

c2a49ce4c45a706411c07535e2ea1d067bea53648f52e53364963bdf70f1f4e3

MD5 hash:

0ebd6bb2a257adee41c18e057b98f874

SHA1 hash:

c5be07becf5e6a9ab35df15d22af1d316ab29b2b

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/5b09efd7-546b-471e-ae3c-5cdea96053a5/

Parent samples :

0094fc5c570fbe55996557919c14a19aef098d14823b68a815f8d41757cb3684
e74447674de0d55b2b2cde2c6bde58806c411c3f0304d518630bf850145f2cef
8338252e1b1b007bfb5317df49e88c9aeb3b7f8206465c2e84f9d2d949e7cf95
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
eaf06d0161d881f32c23d38ed02cc8112f302367b96b588724541b0c7788a0c8
b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
8b4e5f9c54d037c26559bf5c120c1a8a6f4a9c214c4f20ac44368857ac1bf260
5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
1220ac02f58b92353d39a8835a05d509f42244112eea97a789712aee5c22eb85
14e7936882debada11baf4d5075cb0f81c89257464a35a53012ddd4c18fefd63
55edd2620490e0aa9f0a40f4183a5959a1a5e35bef971399b6703cdc5e817894
ce241e344c9db9df9c0f257fd145c6a676429d315bd0748f89a4ab8657697798

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b28b0934f36d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BlackGuard_Rule Create hunting rule
Author:	Jiho Kim
Description:	Yara rule for BlackGuarad Stealer v1.0 - v3.0
Reference:	https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing bas64 encoded gzip files

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

exe b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/17749/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample