MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de
SHA3-384 hash:	12bbb3b0fbbd7b00e90bc65d5402a0dbef92afb3d2b6a540292adb011d835c072300f76530e6534f17e3e369819efb48
SHA1 hash:	513f62dcb8979e61407b21921b06acbefcf9fbaf
MD5 hash:	75b8ed8c2df5c59db83c158210524db7
humanhash:	cup-timing-georgia-helium
File name:	svchost.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	389'120 bytes
First seen:	2025-11-23 09:27:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	6144:yDKW1Lgbdl0TBBvjc/3CzPQY9BAQ/WHqISu4lHS3+vWbN/wOxf:Uh1Lk70TnvjcvCzYY9BAQ/OD94g3MWbP
Threatray	2'256 similar samples on MalwareBazaar
TLSH	T1CD84AF1A295080F3C4FAAC3040B6AFE555A6F0F187776ADB7B8C7265B9102D052BB3F5
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Hexastrike
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

svchost.exe

Verdict:

Malicious activity

Analysis date:

2025-11-23 17:55:12 UTC

Tags:

ransomware loki auto-startup netreactor

Link:

https://app.any.run/tasks/ed8a9ef2-2d6a-4d3f-b5c0-455fc69767e1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/40696/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

Win.Trojan.Ramnit-1849

Win.Trojan.Ramnit-1847

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a process from a recently created file

Launching a process

Searching for synchronization primitives

Сreating synchronization primitives

Creating a window

DNS request

Running batch commands

Searching for the window

Changing a file

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Replacing files

Launching the process to change the firewall settings

Query of malicious DNS domain

Deleting volume shadow copies

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug fingerprint microsoft_visual_cc packed ramnit

Link:

https://www.filescan.io/uploads/6922dd2d5d3feebe12d81381/reports/4bc62d55-f199-4626-8008-15b47c2d83f7/overview

Verdict:

Malicious

Labled as:

Virus.Nimnul

Link:

https://www.hybrid-analysis.com/sample/a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-23T05:14:00Z UTC

Last seen:

2025-11-23T09:52:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de

Verdict:

Malware

YARA:

5 match(es)

Tags:

.Net Obfuscator .Net Reactor Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/75b8ed8c2df5c59db83c158210524db7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de/

Threat name:

Win32.Worm.Ramnit

Status:

Malicious

First seen:

2025-11-23 10:07:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ucw3wvzgj76vw4uldg4cc6xiboqhhifeicly3xuhizv2qhxwndpa._file

Verdict:

malicious

Label(s):

genericransomware

unc_loader_078

unc_loader_001

ramnit

RedLineStealer

2e6129b0aa7aed4e1161b9e09d14a2f5637cfd426e97fce1e95b0bee7ac28826

RedLineStealer

3891781c731aba59fe043f22e6d310526f30feeedaa30a6319bf5c79a0b983e2

RedLineStealer

90b230c7b8c4991a8f657bc8031157a9070c24eb3de9cd074241985dc99489c0

RedLineStealer

b14f1cf2267f8da0efbb9f5ae9a51a18e94e25e37db2f339a8bf7c9c04a2772b

RedLineStealer

b8c01872f5f8f7ea0056e521a82f5563a8dd491eb75be2450aacd301a4ee6454

RedLineStealer

ca8cf8aa0bab28b391de182e61cf7f9e8f8464717ab971384b73db628aef7267

RedLineStealer

cbc366eb88520c2f1a9c0db8a7f5318b4f8a9a0993352a31d877c63e8abc8d0c

RedLineStealer

e2140c6390f7696be2a70de9072137210c6ec238e5586fce237917a2082bbdd9

RedLineStealer

error

RedLineStealer

+ 2'246 additional samples on MalwareBazaar

Result

Malware family:

ramnit

Score:

10/10

Tags:

family:lockbit family:ramnit adware banker credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan upx worm

Link:

https://tria.ge/reports/251123-l6nnbsynhn/

Behaviour

Enumerates system info in registry

Modifies Control Panel

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

System policy modification

Uses Volume Shadow Copy service COM API

Browser Information Discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Sets desktop wallpaper using registry

UPX packed file

Drops desktop.ini file(s)

Enumerates connected drives

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Modifies Windows Firewall

Deletes shadow copies

Lockbit

Lockbit family

Modifies Windows Defender DisableAntiSpyware settings

Modifies Windows Defender Real-time Protection settings

Ramnit

Ramnit family

Verdict:

Malicious

Tags:

stealer redline trojan Win.Trojan.Ramnit-1849 Ransomware

YARA:

MALWARE_Win_RedLine MAL_Malware_Imphash_Mar23_1

Link:

https://app.threat.zone/submission/6b68a440-22d5-4dcf-a536-fcf9a5d807ec

Unpacked files

SH256 hash:

38f803929f3400537abce3adb27fb360a562bb58ef6fef5670d8eda1af042cb9

MD5 hash:

901ae11d5e7648350343469a92fad606

SHA1 hash:

29ba6d7d33c1b73033258f5c353e6f3077c45109

Link:

https://www.unpac.me/results/ff2a149f-7ff5-47dc-978d-894430ec15c7/

SH256 hash:

7916c7ad1a33531f941d9ada771ade2f5825ef4fc9f8473f8a988ecb16525dd8

MD5 hash:

2da8ab1192187d1f9cf02aed04b0d0b7

SHA1 hash:

326db513af5a9f898c4870ebbc62e7cd5fd71690

Link:

https://www.unpac.me/results/ff2a149f-7ff5-47dc-978d-894430ec15c7/

SH256 hash:

5e805780f4e840580c60a8925a129e78b6b4bcf2a64cc12287c9f2f0ce25c4a4

MD5 hash:

9e57e3a559908c2445d40496210707da

SHA1 hash:

4b6db64c6e560665f13f3974457a880c53a6174e

Detections:

win_ramnit_g0

win_ramnit_auto

win_ramnit_g1

ramnit

Link:

https://www.unpac.me/results/ff2a149f-7ff5-47dc-978d-894430ec15c7/

Parent samples :

4c460b12b1f4594cb2bb7d67c117cb694614aba1c18abfa1041c76ef47eec44c
9edbdfe197acf70216e52d558ff3c076be7b71c67beaa56f0fe06ef769db144e
f1da2af4d03374487f047533fcf04795dab48c3b862342c0219bab3e5dbb52c4
9303baf8bfa696731486273de443d5424dbe71c01fb856aa31cd778bbd4753b4
a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de

SH256 hash:

985f1f17203a632b8fb2093278b42e3de3f9a7df1409431b7010df765675198a

MD5 hash:

0f1114d69d2541d8a3e9f9263a0b7e54

SHA1 hash:

8e310de4cb97eaa9395829b816d8968d3a1df9f8

Detections:

win_ramnit_g0

win_ramnit_auto

win_ramnit_g1

ramnit

Link:

https://www.unpac.me/results/ff2a149f-7ff5-47dc-978d-894430ec15c7/

Parent samples :

SH256 hash:

a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de

MD5 hash:

75b8ed8c2df5c59db83c158210524db7

SHA1 hash:

513f62dcb8979e61407b21921b06acbefcf9fbaf

Detections:

win_samsam_auto

Link:

https://www.unpac.me/results/ff2a149f-7ff5-47dc-978d-894430ec15c7/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a0adbb57264f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40696/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample