MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d941c72620e20ab0d1974778bffb76741d7fed22a41a7e8dd0d250dd96f7e0cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLocker

Vendor detections: 16

SHA256 hash: d941c72620e20ab0d1974778bffb76741d7fed22a41a7e8dd0d250dd96f7e0cf
SHA3-384 hash: e69b8e4d7ae3089109dfe3e9cd8e982186c969a72e4440082e3f5c0a8d1aecc4816ab93fbd7a52ceab2c15c09d8f9316
SHA1 hash: 8c34e94a3a677f292e727757f5844cbe438f64ba
MD5 hash: bd1224ee138e9003fe43f6cfbd3e86ca
humanhash: alabama-enemy-timing-september
File name: SecuriteInfo.com.Trojan.MulDropNET.65.30662.31454
Signature: RedLocker
File size: 7'814'144 bytes
First seen: 2025-10-03 20:23:18 UTC
Last seen: 2025-10-03 21:37:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 196608:ZLnF/J1lPJP5quK3yJ+B5UiMp3vPkyoHc18Ma0uLgZdVXL9Fs:ZpxTKCiKB3kRHct+KLc
TLSH: T1C976337259BE5894CC8E93B7853D2D19BA19D439A1C31F4CF289EF8A9D94184403FFAC
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: SecuriteInfoCom
Tags: exe RedLocker

Intelligence

File Origin
# of uploads: 2
# of downloads: 69
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d941c72620e20ab0d1974778bffb76741d7fed22a41a7e8dd0d250dd96f7e0cf.exe
Verdict: Malicious activity
Analysis date: 2025-10-03 20:19:26 UTC
Tags: auto-reg delphi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 91.7%
Tags: dropper sage blic

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Modifying a system executable file
Your mouse was active while VM was running
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a single autorun event
Launching a tool to kill processes
Enabling autorun
Forced shutdown of a browser
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed packed packer_detected vbnet
Verdict: Malicious
Labeled as: Backdoor.Marte.VenomRAT.Generic
Verdict: Malicious
File Type: exe x32
First seen: 2025-09-17T13:28:00Z UTC
Last seen: 2025-10-05T17:56:00Z UTC
Hits: ~100
Malware family: ModernLoader
Verdict: Malicious
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.20 Win 32 Exe x86
Threat name: ByteCode-MSIL.Backdoor.MarteVenomRAT
Status: Malicious
First seen: 2025-09-16 21:03:26 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 27 of 38 (71.05%)
Threat level: 5/5
Verdict: malicious
Label(s): unc_loader_048 unc_loader_051
Similar samples:

Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery persistence upx
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Hide Artifacts: Hidden Files and Directories
UPX packed file
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
Detections: win_xorist_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLocker | Executable exe | d941c72620e20ab0d1974778bffb76741d7fed22a41a7e8dd0d250dd96f7e0cf (this sample)

Delivery method: Distributed via web download
