MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f904ab44449fe254d89bfde5b03e3034c769539a161da18b11f34a7fb5b9d669. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 19

Intelligence 19 IOCs YARA 11 File information Comments

SHA256 hash:	f904ab44449fe254d89bfde5b03e3034c769539a161da18b11f34a7fb5b9d669
SHA3-384 hash:	cb17d83d16c2409ae424689c46178ec3352df63ba0110f0aa9c39e56a1ebe80ad2a3b891d2758d7d25038434a421e3b5
SHA1 hash:	fc668e8481ecc2fd96e3231cd7dc191430efa24f
MD5 hash:	a2ab3820c442b772eef79b68f92c4f7f
humanhash:	magazine-speaker-fish-indigo
File name:	doc0030602506.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'162'240 bytes
First seen:	2025-06-03 14:21:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:etb20pkaCqT5TBWgNQ7aG9K8OlM7Lv83v26A:LVg5tQ7aGxXQ+5
Threatray	1'871 similar samples on MalwareBazaar
TLSH	T1EC35CF2363DE8361C7B25273BA657741AEBF782506B1F46B2FD4093DE820122525EB73
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	JAMESWT_WT
Tags:	exe RedLineStealer Spam-ITA tenderi--dzpn-rs

Intelligence

File Origin

# of uploads :

# of downloads :

388

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

doc0030602506.exe

Verdict:

Malicious activity

Analysis date:

2025-06-03 14:20:34 UTC

Tags:

stealer agenttesla netreactor ultravnc rmm-tool

Link:

https://app.any.run/tasks/e14687c9-545e-4c53-9357-d58fbc4ae26f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/7075/

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683f067d07b5e8c1cfe44e3f

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Restart of the analyzed sample

Launching a process

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context autoit compiled-script evasive fingerprint fingerprint keylogger lolbin microsoft_visual_cc mmc mpcmdrun packed packed packer_detected

Link:

https://www.filescan.io/uploads/683f0517e336a33801e26abd/reports/d1378d0e-2134-4837-a7ed-32cfc46e6fb9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f904ab44449fe254d89bfde5b03e3034c769539a161da18b11f34a7fb5b9d669

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5df0ad38-d871-46e8-98d4-bb509bbb1f37

Result

Threat name:

AgentTesla, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1705039

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses threadpools to delay analysis

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f904ab44449fe254d89bfde5b03e3034c769539a161da18b11f34a7fb5b9d669

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f904ab44449fe254d89bfde5b03e3034c769539a161da18b11f34a7fb5b9d669/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-06-03 10:13:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7eckwrcet7rfjwe37xs3aprqgtdwsu42cyo2dcyr6nfh7nnz2zuq._file

Verdict:

malicious

Label(s):

unc_loader_001

agenttesla

unc_loader_036

autoit

RedLineStealer

6584f13ecd514b59ef380f0fa106ef5f6ef53e2bb39e0da02947e83de62f6444

RedLineStealer

c6a0531ed5ae1c524f171fa33fd54fa427414e1ad7039d507c151093b8439329

RedLineStealer

cd4408b09cd2a66a8b6d1d1fc1934355b98b70281c5eaa4e0783f2a0d76af3bd

RedLineStealer

error

RedLineStealer

f904ab44449fe254d89bfde5b03e3034c769539a161da18b11f34a7fb5b9d669

RedLineStealer

+ 1'861 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250603-rpj7gattfw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4c58a7a0-f6ed-4d27-a52a-e5afe202c7ae

Unpacked files

SH256 hash:

f904ab44449fe254d89bfde5b03e3034c769539a161da18b11f34a7fb5b9d669

MD5 hash:

a2ab3820c442b772eef79b68f92c4f7f

SHA1 hash:

fc668e8481ecc2fd96e3231cd7dc191430efa24f

Link:

https://www.unpac.me/results/f5062df3-e656-47a2-ac49-6b7c33a40916/

SH256 hash:

c8ebe26a2dfdf23ff8f0a34b0c27c4aa19be2990d1519d3fb19d46a930d39eaa

MD5 hash:

800a7bcbf6a7dd9425699a44fca1364e

SHA1 hash:

08befd37f8ecd5a39ba54b54a8942067e50e66e7

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/f5062df3-e656-47a2-ac49-6b7c33a40916/

SH256 hash:

056bb651c1677dca310366c419a5ed125033768ca99b2ad2acd9912545e01392

MD5 hash:

906bea7cccee5bd65f9a7bbf9dfbf5d7

SHA1 hash:

350350573a2a40b9ee558053f8d8cabd8e87fb82

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/f5062df3-e656-47a2-ac49-6b7c33a40916/

SH256 hash:

ec9e597028d77dbf7952a9121ef9849423f8d286da220269ae71337d6809ccc3

MD5 hash:

64748941b4fa09f9de20906ee61afc98

SHA1 hash:

9d98167b092a48663056966245117e97a4585e9a

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

RedLine_Campaign_June2021

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/f5062df3-e656-47a2-ac49-6b7c33a40916/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f904ab44449f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f904ab44449fe254d89bfde5b03e3034c769539a161da18b11f34a7fb5b9d669

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	elysium Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked elysium stealer malware samples.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/7075/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample