MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1776a27a40beeb3f32682e3358c27d2f01c11e7136f08d7326dd7b721b4d841. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1776a27a40beeb3f32682e3358c27d2f01c11e7136f08d7326dd7b721b4d841
SHA3-384 hash: 75ff85500647e5c84030f3c714a6997dd43d585b89f0274a5bdf8bb639a40f60d4bb07453de5998194e24a138c2eca46
SHA1 hash: e9bfe4a2b3ba48df24e170c6c28252ce692213d9
MD5 hash: 9db3237cfc7fb7b17d7f44d063566bef
humanhash: cold-wisconsin-river-diet
File name:e1776a27a40beeb3f32682e3358c27d2f01c11e7136f08d7326dd7b721b4d841
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'291'392 bytes
First seen:2025-08-01 06:42:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:yenZgvsWgzZqOBPMkFBf1bkm9KzFeGM3lQt:VavX2UOBPM294M3a
Threatray 49 similar samples on MalwareBazaar
TLSH T18376335C6284D00FD9BE93F32897D13883B83E2BF976E32D16C96C9B395079644153AB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter JAMESWT_WT
Tags:exe RedLineStealer server-samc0ndubai-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New PO#082025.vbs
Verdict:
Malicious activity
Analysis date:
2025-08-01 06:39:01 UTC
Tags:
arch-exec auto-sch-xml crypto-regex stealer ims-api generic phantom netreactor
Link:
https://app.any.run/tasks/d936efc6-9c45-4985-83d6-97e269269c7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18233/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688c62150b4775fb213478aa
Tags:
stration spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/688c621073b8ef6f4af90ff0/reports/a91bd3ef-ded9-41d2-9e56-f4b94473f317/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/e1776a27a40beeb3f32682e3358c27d2f01c11e7136f08d7326dd7b721b4d841
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/244ddea4-1843-4ee9-adf1-293fd2bb0d79
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e1776a27a40beeb3f32682e3358c27d2f01c11e7136f08d7326dd7b721b4d841
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.24 Win 32 Exe x86
Link:
https://app.malva.re/file/9db3237cfc7fb7b17d7f44d063566bef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1776a27a40beeb3f32682e3358c27d2f01c11e7136f08d7326dd7b721b4d841/
Verdict:
Malicious
Threat:
HEUR:Trojan.MSIL.Taskun
Link:
https://tip.neiki.dev/file/e1776a27a40beeb3f32682e3358c27d2f01c11e7136f08d7326dd7b721b4d841
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-08-01 06:42:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4f3wuj5ebpxlh4zgqlrtldbh2lybyephcnxqrvzsnxl3oinu3baq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
unc_loader_001
Create hunting rule
Similar samples:
034de66fa09061895f96da260b2eeb73774d916830540d59a310ea3c5f64197a
RedLineStealer
561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7
RedLineStealer
673139dbfbd997edcebfe6d25b8cc2d006c59c752d89a84ef4136f1a5e876db0
RedLineStealer
c18fd74484de9681ac1dc7ecf9786964ac4e7dba20983cd249ee4ce544809834
RedLineStealer
caac6296da90bd564851a40bf1df66a2abb7309252d9f37a61536049b05e058d
RedLineStealer
error
RedLineStealer
+ 39 additional samples on MalwareBazaar
Result
Malware family:
phantomstealer
Create hunting rule
Score:
  10/10
Tags:
family:phantomstealer discovery execution persistence
Link:
https://tria.ge/reports/250801-hg428sdn7t/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Phantomstealer family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0dd95ee8-80b5-4a78-b730-90603a9557a5
Unpacked files
SH256 hash:
e1776a27a40beeb3f32682e3358c27d2f01c11e7136f08d7326dd7b721b4d841
MD5 hash:
9db3237cfc7fb7b17d7f44d063566bef
SHA1 hash:
e9bfe4a2b3ba48df24e170c6c28252ce692213d9
Link:
https://www.unpac.me/results/a879303f-350c-4567-a630-1a9b27a8bfd4/
SH256 hash:
f9bb21c8761653d1b32a00a6c154bf1236e3114111ac75002db1fbb7598da2e2
MD5 hash:
5d4203503676949873007fe74f087d88
SHA1 hash:
bcfeac4a932041bce5ab8342d315929fc1d24b24
Link:
https://www.unpac.me/results/a879303f-350c-4567-a630-1a9b27a8bfd4/
SH256 hash:
bd839190d266e1cd3047a3395b8beb8d6555a8d636b09d3f4e14d68ba414ba43
MD5 hash:
626b64aa69d0458f079278d13ff24603
SHA1 hash:
f963c53f3be9486b5f18d300d00232d5b43c4a6f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a879303f-350c-4567-a630-1a9b27a8bfd4/
SH256 hash:
3ab6bdb3d9d4ca4862572fc732d54d13089edde7d47db97b577480ce85fcec82
MD5 hash:
84a16e8d5325613dda1478323f74fc0c
SHA1 hash:
51ada3848c1a280012df68b82e8bdddc1aa473e0
Detections:
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/a879303f-350c-4567-a630-1a9b27a8bfd4/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e1776a27a40b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1776a27a40beeb3f32682e3358c27d2f01c11e7136f08d7326dd7b721b4d841

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18233/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments