MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62
SHA3-384 hash: 1263de4bdc278cd2c7ee940449d59303def82e9eb1208aa3cfbc3f9443546813184c287e92e85a5e9a0751a9744a8284
SHA1 hash: 685db01ba375df410a7064e70267dc722fc049d9
MD5 hash: 8e980c7a0a27238561d64c8eae6b2bf0
humanhash: ten-india-jig-queen
File name:nB4oy2OgTI2wdr0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:629'248 bytes
First seen:2025-03-24 19:05:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:ZjcTFYyOn6nzxvPPQ3NMdTlTTDhq90FkQbk95E/HSFfczAmJdRfLT:4Y9n6nJ4mRhfhqc295EfSZczA0
Threatray 1 similar samples on MalwareBazaar
TLSH T1BDD401ACA228C81BCA8657710A71FAB4217A0ECDB415D753CFDDBDEFB9B6C049C44192
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 14f0ccced6cce971 (11 x SnakeKeylogger, 9 x Formbook, 5 x MassLogger)
Reporter James_inthe_box
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
nB4oy2OgTI2wdr0.exe
Verdict:
Suspicious activity
Analysis date:
2025-03-25 11:08:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/890f337d-0d9f-4b0d-81e1-aa6ecd5305a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.9471.12273.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e24d93acb044ea849ea28f
Tags:
micro spawn msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67e1ad26a08e28b31da34a20/reports/49c2d3c3-4071-4477-af31-77f288e75eb1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62
Result
Verdict:
MALICIOUS
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da1f9b0d-122c-4d9a-ae18-c1fb13061b77
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1647407
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2025-03-24 17:49:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pjpa5khaaoakk62mlo3ygvme6dnoyqtsh56prypk63ytgabfnra._file
Verdict:
malicious
Label(s):
unc_loader_001
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62
RedLineStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250324-xr48bat1bv/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/325031b1-5b02-4dfd-a6c3-28c2a8bb3485
Unpacked files
SH256 hash:
d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62
MD5 hash:
8e980c7a0a27238561d64c8eae6b2bf0
SHA1 hash:
685db01ba375df410a7064e70267dc722fc049d9
Link:
https://www.unpac.me/results/3b07ca4d-7025-4cb6-b020-c458ae92b265/
SH256 hash:
863d412143042d1c2a69c19cb73d4596dd3dffd32d485603ee4d2a79f2a31494
MD5 hash:
98f78626210204256e61db640228dbb6
SHA1 hash:
27f4336e75a031288df8744854c939f5354db869
Link:
https://www.unpac.me/results/3b07ca4d-7025-4cb6-b020-c458ae92b265/
SH256 hash:
a45aa4004cbcfd2c94a440311a26d61119aa8bb39ee2e096b6a20eef4b96c288
MD5 hash:
a5201a7d9dd3818dee9c5a076e68cf5e
SHA1 hash:
61af319f18420e2ad34a34b191f41c1a60357d1e
Detections:
win_samsam_auto
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/3b07ca4d-7025-4cb6-b020-c458ae92b265/
Parent samples :
5065979aa97409ac09545b228fd25ba4d9c1474c7e9a4929b2e5d4508cd2638a
d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62
76365d6ffff3d33678045922a75f94409e4038ad3b7fd2abe50f0440360df376
SH256 hash:
daf5069f933ce9adc18abddde27d7da88b30da51af26665d966b09fd684f8086
MD5 hash:
b915537dabcb4c4491a6f3424e6b4cce
SHA1 hash:
c6236354c6e0c009d9d5df6b9e0cf1c3eaa7d30b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3b07ca4d-7025-4cb6-b020-c458ae92b265/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3d2f0754700/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe d3d2f07547001c052bda62ddbc1aac2786d7621391fbe7c70f57b78998012b62

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments