MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8
SHA3-384 hash: 4e2c9d814e0e3248de339908dff327f0b6e0b1134a5f810f33a54f02441fd5c483b9a9e6a5e1aeb50a6a6101d991bed8
SHA1 hash: ff64a79ce19e7ec0950672a921520d5ac32002c9
MD5 hash: f574d919544ee2d976c929299c8c6002
humanhash: six-monkey-golf-solar
File name:New Inquiry QXZ082512.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:59'904 bytes
First seen:2025-08-14 11:06:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:YVpuGbNMUCa2vgcKwQD32d2d8bXbg6SmfYOy43H2Gpq7hqwLSN:+LCa2vgd87zfYCq7cwL6
Threatray 25 similar samples on MalwareBazaar
TLSH T12143F802379AC331C56C65B585EB052113F5E7826A33DB9B3E4C629D9F227A39F81BC4
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
New Inquiry QXZ082512.exe
Verdict:
Malicious activity
Analysis date:
2025-08-14 11:25:34 UTC
Tags:
evasion stealer ultravnc rmm-tool exfiltration smtp agenttesla netreactor
Link:
https://app.any.run/tasks/fa24f267-89c6-4d0b-a970-9d7a1e0596f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21320/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.77077950.21188.7855.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689dc36748c64d68735c5b64
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Reading critical registry keys
Launching a service
Changing a file
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
confuser confuserex net_reactor obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/689dc35a9ef4d2ff7cfcca72/reports/c201242c-4573-4833-ae3e-4766610a04b0/overview
Verdict:
Malicious
Labled as:
MSIL.Androm.Generic
Link:
https://www.hybrid-analysis.com/sample/e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/00c9c1c8-7b27-45b6-9838-2b2ee57b9d8f
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8
Verdict:
Malware
YARA:
14 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable PDB Path PE (Portable Executable) SOS: 0.18 SOS: 0.87 Win 32 Exe x86
Link:
https://app.malva.re/file/f574d919544ee2d976c929299c8c6002
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-08-12 03:13:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
29 of 36 (80.56%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4s3gnrqb3d5btvs53djhkghospngiukt2fcnflw66qjmi2ant7ea._file
Verdict:
malicious
Label(s):
unc_loader_001
Create hunting rule
Similar samples:
0b98de4fbe9e42aa1b79f642c2415a777b4d8cd6ac19b3fc5400705cfba61968
RedLineStealer
821f9b019ac21f81b607e39ef4bd07993ac46e2a604b2a969928f32ff76094dc
RedLineStealer
b87a9cfde8da07e2c8d391911ba9350ecf8c8b020e934aa8d63ecc5d732021e9
RedLineStealer
c19343011218a82e30fcd0682ec99f0f1dd4c8a1b5fa1bc11d5e673e7a7ab2ae
RedLineStealer
d29c97a63a09d5ec9f58d89ae8f815c32b84846bf1d76687d8ea768a8e0499c4
RedLineStealer
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250814-m7xhasfk3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/6f344d0f-5701-41b1-86df-7b02bf80f9fe
Unpacked files
SH256 hash:
e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8
MD5 hash:
f574d919544ee2d976c929299c8c6002
SHA1 hash:
ff64a79ce19e7ec0950672a921520d5ac32002c9
Link:
https://www.unpac.me/results/5c4e8f03-7c39-4c28-b8f4-3aaa80d9a9cb/
SH256 hash:
dc89ddbdef184c73aae943c46738d48e5586106954f2bf5e70135213bb310af2
MD5 hash:
af594addddade0f12432138589f495a2
SHA1 hash:
c7436c95b6402846bf195fbecc920a7e31b55fa2
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5c4e8f03-7c39-4c28-b8f4-3aaa80d9a9cb/
Parent samples :
b87a9cfde8da07e2c8d391911ba9350ecf8c8b020e934aa8d63ecc5d732021e9
e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe e4b666c601d8fa19d65dd8d27518ee93da645153d144d2aedef412c4680d9fc8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/21320/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments