MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 fcdc9e821a1bd97c87b1c9b9fed76a070f3ff81a0ee0838f49a915336851a029. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 19
| SHA256 hash: | fcdc9e821a1bd97c87b1c9b9fed76a070f3ff81a0ee0838f49a915336851a029 |
|---|---|
| SHA3-384 hash: | c7413c695fed58d4119f7d2cf950ab87edb59dcf0a291795b79882451090bdd887775076fe4ace4263933122e840fb6f |
| SHA1 hash: | f423917a0a7b3f02c4154148e253b5c9572bd2ce |
| MD5 hash: | 8c62c8aad530ed76180f122544ae980b |
| humanhash: | neptune-alanine-december-lamp |
| File name: | BOQ-23998.scr |
| Download: | download sample |
| Signature | RedLineStealer |
| File size: | 854'536 bytes |
| First seen: | 2025-09-05 06:59:51 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 24576:p7YEqVxdQykM2d0w6wClR92NyaXB2BYzkYJc+:p7YEmxdQy+0w6wC/9LBykP+ |
| TLSH | T11D051249122ADA22C9AD0BBC88A1C5B51774AF9EBA12D6039EE1BCCF3D73784154D1C7 |
| TrID | 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) |
| Magika | pebin |
| Reporter | Anonymous |
| Tags: | exe RedLineStealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
91
Origin country :
PLVendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
BOQ-23998.scr
Verdict:
Malicious activity
Analysis date:
2025-09-05 07:01:02 UTC
Tags:
stealer evasion netreactor ultravnc rmm-tool auto-sch-xml exfiltration smtp agenttesla
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Verdict:
Malicious
Score:
94.9%
Tags:
injection spawn shell
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Launching a service
Forced shutdown of a system process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
base64 bitmap expired-cert invalid-signature masquerade obfuscated packed packed reconnaissance roboski signed stego threat
Verdict:
Malicious
Labled as:
Trojan.Generic
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-04T08:56:00Z UTC
Last seen:
2025-09-04T08:56:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.MSIL.Agensla.g HEUR:Trojan.MSIL.Taskun.gen Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.sb Trojan.Win32.Agent.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.d Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan-Dropper.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan.MSIL.Inject.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan.MSIL.Taskun.sb Trojan-PSW.MSIL.Agent.sb
Malware family:
Malicious Packer
Verdict:
Malicious
Score:
98%
Verdict:
Malware
File Type:
PE
Gathering data
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Status:
Malicious
First seen:
2025-09-04 17:52:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
27 of 38 (71.05%)
Threat level:
2/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery execution persistence
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
fcdc9e821a1bd97c87b1c9b9fed76a070f3ff81a0ee0838f49a915336851a029
MD5 hash:
8c62c8aad530ed76180f122544ae980b
SHA1 hash:
f423917a0a7b3f02c4154148e253b5c9572bd2ce
SH256 hash:
612d16cee31c33a97753ff7ca22bd3773ec4ac84cae8dd5b899d58338e8a5db1
MD5 hash:
6a1458e369050ca49b501457871dc5e1
SHA1 hash:
1799faa9af564925e0e7476a16b0ae650113e0b9
Detections:
win_samsam_auto
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
MAL_Malware_Imphash_Mar23_1
MetaStealer_NET_Reactor_packer
MALWARE_Win_RedLine
SH256 hash:
e50b0550616c4ea9dc2d18d75084f50e6e7da2ccaa2c77a439026957105aad8f
MD5 hash:
540148a4209d7e2b88d0e24b919c2834
SHA1 hash:
5a2042f9c9946e57d02d0d4e9a1ba2c5b1246a1e
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Parent samples :
881aac6c0395e173fe15acd1baf9caf443e73e166176b5040ccdb7e34750ed58
e14543458bbd96f242cc1dbeb9e3ff8c62c592fbe954b6da75fbf7f05aa41a0f
93bba3622d1594eb97ea253dbee9a1d5c495871b73410bccd6c41d7969d3b8a2
a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
67b1c7d222568af1d3fe24c18125eac63dad102e029fae7427b7b9a526f63699
2e3c410728b3564bd615f8e6c64a7fc82fd5385542d02d7134d07bcbbc3f9f09
8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c
26a2714342c817548962d1a9cf5ebb1aacb811c3060fea1269c8280047b8eddf
78f8b46dfdd55f7914e78f925189180f674945327ee3fa9187e2d5de86b15337
a8dabe249da520a24de691d48bf2549dda65bbb3e62cecd148b1ff0080533cac
0cb006d7434c2ffa1b04e4f20a90688e8eb36e82cea2db1641744e235995439b
fcdc9e821a1bd97c87b1c9b9fed76a070f3ff81a0ee0838f49a915336851a029
6b76abca8f35fff263c12beaaf521405a1d3743abde3bc20d8415272b2c5a140
2f76a21937582bd59783cab01437d029a6ccd52635e2a3f424831ad7e444e640
392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
acfd0a48223c3e021532b6f7cfb12e81ebf2903bd706b9a5d45fb1a020dd7902
9357bf9a67240b9df693123dfcefe78bd468a313243e9ab7769c60eae161f1ad
c3bce19ca32fe499888cec1530bef701ba3d11d7fba776945a2e1245cb162a38
8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
227d7f535bcb6ce158d63d9436429547e9a065b289cf8b0caf8993ddd549190d
e14543458bbd96f242cc1dbeb9e3ff8c62c592fbe954b6da75fbf7f05aa41a0f
93bba3622d1594eb97ea253dbee9a1d5c495871b73410bccd6c41d7969d3b8a2
a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
67b1c7d222568af1d3fe24c18125eac63dad102e029fae7427b7b9a526f63699
2e3c410728b3564bd615f8e6c64a7fc82fd5385542d02d7134d07bcbbc3f9f09
8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c
26a2714342c817548962d1a9cf5ebb1aacb811c3060fea1269c8280047b8eddf
78f8b46dfdd55f7914e78f925189180f674945327ee3fa9187e2d5de86b15337
a8dabe249da520a24de691d48bf2549dda65bbb3e62cecd148b1ff0080533cac
0cb006d7434c2ffa1b04e4f20a90688e8eb36e82cea2db1641744e235995439b
fcdc9e821a1bd97c87b1c9b9fed76a070f3ff81a0ee0838f49a915336851a029
6b76abca8f35fff263c12beaaf521405a1d3743abde3bc20d8415272b2c5a140
2f76a21937582bd59783cab01437d029a6ccd52635e2a3f424831ad7e444e640
392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
acfd0a48223c3e021532b6f7cfb12e81ebf2903bd706b9a5d45fb1a020dd7902
9357bf9a67240b9df693123dfcefe78bd468a313243e9ab7769c60eae161f1ad
c3bce19ca32fe499888cec1530bef701ba3d11d7fba776945a2e1245cb162a38
8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
227d7f535bcb6ce158d63d9436429547e9a065b289cf8b0caf8993ddd549190d
SH256 hash:
ef94eeb52c6378ade4e263b2dadcd144e230baf189c1a4b901fe4a426f93b880
MD5 hash:
ca7e39880b5e732e675addea3f8ca77f
SHA1 hash:
bfd497dbf5178e547ba6b018954a05ced6ddf3cf
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
SUSP_OBF_NET_Reactor_Indicators_Jan24
SH256 hash:
810502c2f9abd6415b1cb6f9bc4137a109e8004ba79357727995e7fcc84cd18c
MD5 hash:
c1fa365000d76c46bced588e9e4eec34
SHA1 hash:
82135cbc1522cdecbbd05ea297e0aaeaa83992fa
Detections:
AgentTesla
SUSP_OBF_NET_Reactor_Indicators_Jan24
Agenttesla_type2
INDICATOR_EXE_Packed_GEN01
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
SH256 hash:
41308fed5f4d0338540e0367814965e1e5fe82d62f91b47f7fd9e6e3954f790b
MD5 hash:
c127450a0174114b0090325263cc725c
SHA1 hash:
f223eb3331856e35419afe2977cb80ec3d68107e
Detections:
AgentTesla
SUSP_OBF_NET_Reactor_Indicators_Jan24
Agenttesla_type2
INDICATOR_EXE_Packed_GEN01
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Malware family:
RedNet
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | CP_AllMal_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables signed with stolen, revoked or invalid certificates |
| Rule name: | MALWARE_Win_RedLine |
|---|---|
| Author: | ditekSHen |
| Description: | Detects RedLine infostealer |
| Rule name: | MAL_Malware_Imphash_Mar23_1 |
|---|---|
| Author: | Arnim Rupp |
| Description: | Detects malware by known bad imphash or rich_pe_header_hash |
| Reference: | https://yaraify.abuse.ch/statistics/ |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | win_samsam_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.