MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dab57e7fe91f21705a5415e37a4c056e7420232a2660aeeaf9951fcced4fee99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dab57e7fe91f21705a5415e37a4c056e7420232a2660aeeaf9951fcced4fee99
SHA3-384 hash: ccaa3d7e6b3107709c031539325bc6a95fc2685203fdec6cd2384288f28f370284b7881b58cd6ae4cf1883656ea0612c
SHA1 hash: 86981016d47050cd6c6a1fd7b8b484da9ef5f36d
MD5 hash: 189a281ce19c6e8c8131d2f3a5eb8d04
humanhash: sixteen-orange-hotel-jig
File name:NaLock_v1.216.rar
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:28'604'897 bytes
First seen:2025-11-29 10:42:27 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 786432:k7ridHHPBn2WVSWKQxi9iYE94WYtGXnelJeg:1pnxVLKgkEWxtYqJf
TLSH T1F9573392531D79D0C486AFCBB34ECDFA2FA3AD1639968890DE79C5925BC214038477CB
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter juroots
Tags:rar RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
29
Origin country :
CH CH
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name:NalockUpdater.exe
File size:970'240 bytes
SHA256 hash: c128ce50b40bf6771789eb5b01c39bdfb457686abddbe692ba81f2f4ada4877c
MD5 hash: 49e202f3c3ccfb9f6b20ed9b67f689f4
MIME type:application/x-dosexec
Signature RedLineStealer
File name:TTNormsPro-Black.ttf
File size:212'352 bytes
SHA256 hash: eb1c0899dbb38d12efa224b24666d690bd77f706bcb8d22b7773345f9c619377
MD5 hash: cb44c93a9ad0e48b7fb86a752f62a0da
MIME type:font/sfnt
Signature RedLineStealer
File name:NaLockNew.exe
File size:28'092'416 bytes
SHA256 hash: 6d74da5cca3800265aadd42320906e16ae4951309614c3463999dd54f6bff878
MD5 hash: 04ecfca04e08c021122a547d361f881b
MIME type:application/x-dosexec
Signature RedLineStealer
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690e961730bacec888c99934
Tags:
virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer-heuristic packed reconnaissance
Link:
https://www.filescan.io/uploads/692ace6d1b65ca0bb9274e11/reports/eff46f02-aea4-4b13-a1f7-d760b49eb87b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/dab57e7fe91f21705a5415e37a4c056e7420232a2660aeeaf9951fcced4fee99
Result
Gathering data
Verdict:
Clean
File Type:
rar
First seen:
2025-11-21T05:20:00Z UTC
Last seen:
2025-11-28T07:05:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/dab57e7fe91f21705a5415e37a4c056e7420232a2660aeeaf9951fcced4fee99/results?tab=lookup
Verdict:
Malware
YARA:
2 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout Rar Archive SOS: 0.33
Link:
https://app.malva.re/file/189a281ce19c6e8c8131d2f3a5eb8d04
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-11-08 01:53:07 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3k2x477jd4qxawsucxrxutafnz2caizkezqk52xzsup4z3kp52mq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/251129-q1ycsshn5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
.NET Reactor proctector
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dab57e7fe91f21705a5415e37a4c056e7420232a2660aeeaf9951fcced4fee99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings
Rule name:win32_dotnet_form_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET form obfuscate malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

rar dab57e7fe91f21705a5415e37a4c056e7420232a2660aeeaf9951fcced4fee99

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3720422/
  
Delivery method
Distributed via web download

Comments