MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 21


Intelligence 21 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5
SHA3-384 hash: 3c10cf3eeafa1dc1e355a2bab32678663bb87936bc4132f6fb69bd8dcfd38983fb2c3ed7d0041370cfa7c5c71810bbb5
SHA1 hash: cacd25a6198e8108ccd01bfe9f2dceba0e09f6de
MD5 hash: a954a07f15bcb8c6c1608e76f7a01827
humanhash: orange-mississippi-seven-alpha
File name:0riOtCHd1QEUcH5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:769'024 bytes
First seen:2025-11-10 05:00:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:KWcqf3YlzTnVBPTnVBSapLL2ZqWyQxTvPea2LbnEZN23Wtp5U9b3p:h3YlfP2gLL2ZDxTgHni5U9b
Threatray 360 similar samples on MalwareBazaar
TLSH T11DF4F0817B6AE893C43542F40A32E1351FF96E5D6622F2C94ED16DEFF8E1F049A84247
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
196.251.116.101:55615

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
196.251.116.101:55615 https://threatfox.abuse.ch/ioc/1637755/

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0riOtCHd1QEUcH5.exe
Verdict:
Malicious activity
Analysis date:
2025-11-10 05:02:09 UTC
Tags:
auto-sch-xml stealer redline lefthook metastealer
Link:
https://app.any.run/tasks/392a0445-d665-4620-80af-6fd834175f10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/36632/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6911718be2c9ded75d78e6a5
Tags:
infosteal redline
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/69117183935d9f0d73c8d7e3/reports/834c11f4-5d1a-4d2e-89cf-17f31811c868/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-10T02:33:00Z UTC
Last seen:
2025-11-12T03:33:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.MSIL.Stealer.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Stealer.HTTP.C&C Trojan.MSIL.Taskun.sb Backdoor.Agent.HTTP.C&C Trojan-Spy.Stealer.TCP.C&C Backdoor.Agent.TCP.C&C Trojan-PSW.MSIL.Reline.sb PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.PureLogs.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Reline.c Trojan.MSIL.Agent.sb HEUR:Trojan.MSIL.Taskun.sb Exploit.CVE-2017-11882.TCP.C&C
Link:
https://opentip.kaspersky.com/1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5/results?tab=lookup
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/67fa361b-4bc0-4e8f-a8db-cfe4d9bc6a16
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1811096
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1811096 Sample: 0riOtCHd1QEUcH5.exe Startdate: 10/11/2025 Architecture: WINDOWS Score: 100 53 api.ip.sb.cdn.cloudflare.net 2->53 55 api.ip.sb 2->55 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 10 other signatures 2->75 9 0riOtCHd1QEUcH5.exe 7 2->9         started        13 AimyZWxqmEw.exe 2->13         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\AimyZWxqmEw.exe, PE32 9->45 dropped 47 C:\Users\...\AimyZWxqmEw.exe:Zone.Identifier, ASCII 9->47 dropped 49 C:\Users\user\AppData\Local\...\tmpE017.tmp, XML 9->49 dropped 51 C:\Users\user\...\0riOtCHd1QEUcH5.exe.log, ASCII 9->51 dropped 77 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->77 79 Found many strings related to Crypto-Wallets (likely being stolen) 9->79 81 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->81 87 2 other signatures 9->87 15 0riOtCHd1QEUcH5.exe 15 93 9->15         started        19 powershell.exe 23 9->19         started        21 powershell.exe 22 9->21         started        23 schtasks.exe 1 9->23         started        83 Multi AV Scanner detection for dropped file 13->83 85 Injects a PE file into a foreign processes 13->85 25 AimyZWxqmEw.exe 13->25         started        27 schtasks.exe 13->27         started        signatures6 process7 dnsIp8 57 196.251.116.101, 49694, 49702, 49704 xneeloZA Seychelles 15->57 59 api.ip.sb.cdn.cloudflare.net 104.26.12.31, 443, 49696, 49703 CLOUDFLARENETUS United States 15->59 29 conhost.exe 15->29         started        61 Loading BitLocker PowerShell Module 19->61 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 WmiPrvSE.exe 21->35         started        37 conhost.exe 23->37         started        63 Found many strings related to Crypto-Wallets (likely being stolen) 25->63 65 Tries to harvest and steal browser information (history, passwords, etc) 25->65 67 Tries to steal Crypto Currency Wallets 25->67 39 conhost.exe 25->39         started        41 conhost.exe 27->41         started        signatures9 process10 process11 43 conhost.exe 31->43         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.31 Win 32 Exe x86
Link:
https://app.malva.re/file/a954a07f15bcb8c6c1608e76f7a01827
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5/
Verdict:
Malicious
Threat:
Family.REDLINE
Link:
https://tip.neiki.dev/file/1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-11-10 05:00:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=com2gqdihoiq5evwp6yfwnfgv77xqmkd4hzduht6tyfspsevec2q._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5
RedLineStealer
593ce4cdc76392a894b3cb77beec4352b0be6dc06b4f86b9a7352d57041c1b4e
RedLineStealer
7bed0eed3f423b22cecbfdd23aad0ca8c3b0e8fb5ff0c0402e19e0273f7c27d3
RedLineStealer
9d3f9a29fa2c2a648c653effbc1988600435f6482ef8ffbf7cd15c1f33f2bd2e
RedLineStealer
d2145175ec56d72f977d672a3201631d5091d44ef841883c9714e50bd315fcae
RedLineStealer
error
RedLineStealer
+ 350 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:cheat discovery execution infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251110-fnfl4szrel/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Malware Config
C2 Extraction:
196.251.116.101:55615
Verdict:
Malicious
Tags:
Redline
YARA:
n/a
Link:
https://app.threat.zone/submission/d4f759af-5f40-41a1-b78a-095a0b19162c
Unpacked files
SH256 hash:
1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5
MD5 hash:
a954a07f15bcb8c6c1608e76f7a01827
SHA1 hash:
cacd25a6198e8108ccd01bfe9f2dceba0e09f6de
Link:
https://www.unpac.me/results/f69c97ef-a8bb-48e7-a4b7-cb930b969faf/
SH256 hash:
a65ba528543449365bc6a7eb45fc64e7a967fb2b23d7d8938d83c26f6caf41e1
MD5 hash:
ade6e156b60024c4d93ac23b129ff80b
SHA1 hash:
cb327fdf6580b4733fd6edbbc92c4a54ce8dab20
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f69c97ef-a8bb-48e7-a4b7-cb930b969faf/
SH256 hash:
96de8ad025d75b1d542339e24eb8bb8ce134fb7173573edde9b999b0fe6851d3
MD5 hash:
b0a7b151b691cb571c6a90d283c47b12
SHA1 hash:
f8b8daa392b266a9e600f485e1922615c16ed9f6
Link:
https://www.unpac.me/results/f69c97ef-a8bb-48e7-a4b7-cb930b969faf/
SH256 hash:
c2a1886cab0b57f16f1f54a952fcee631709566bc85d62a0a99965de11ae2735
MD5 hash:
b0f82c4eeb346b3fc31682d6c3229420
SHA1 hash:
f8bf3c9c2b76785f9b62c375a3156df846df2a7b
Detections:
RedLine_a
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/f69c97ef-a8bb-48e7-a4b7-cb930b969faf/
Malware family:
ArechClient2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1399a340683b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1399a340683b910e92b67fb05b34a6afff783143e1f23a1e7e9e0b27c89520b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36632/

Comments