MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 165dda92f3a40906d825fa4015280a0fbcea571a62614dbf8058951f2d8ef602. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 21

Intelligence 21 IOCs 1 YARA 11 File information Comments

SHA256 hash:	165dda92f3a40906d825fa4015280a0fbcea571a62614dbf8058951f2d8ef602
SHA3-384 hash:	90c3e2440ec73dcfc5c385524ba70cfbb6b2f21f6ab24ee49c70909f9e453dd3564eec4d0607cfb341e5f41cfc9c596e
SHA1 hash:	8e9525a704e00c25ea346ab2b540f0f04416e331
MD5 hash:	7cd5bb42973c5fc4af34d55e6f07bd53
humanhash:	hawaii-magazine-vegan-angel
File name:	7492000953.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'390'592 bytes
First seen:	2025-11-17 03:35:10 UTC
Last seen:	2025-12-08 15:04:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	91d07a5e22681e70764519ae943a5883 (126 x Formbook, 32 x a310Logger, 27 x AgentTesla)
ssdeep	24576:btb20pkaCqT5TBWgNQ7a6uNsDy+jbWZ4EGV6A:YVg5tQ7a6uNO/CZC5
TLSH	T1F055AE1273DD8260C6729233BA25B703AE7F7DA506E1F45F2FD4393DAA30161825E663
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
213.209.157.111:1912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
213.209.157.111:1912	https://threatfox.abuse.ch/ioc/1645374/

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

7492000953.exe

Verdict:

Malicious activity

Analysis date:

2025-11-17 03:37:27 UTC

Tags:

stealer redline metastealer

Link:

https://app.any.run/tasks/10b86762-9f17-460f-92d3-c4649cf93220

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/38414/

Detection(s):

Win.Dropper.LokiBot-9916750-0

Win.Trojan.Autoit-10037269-0

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=691a9806434cd67b17c25581

Tags:

redline autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Сreating synchronization primitives

Creating a file

Stealing user critical data

Unauthorized injection to a system process

Forced shutdown of a browser

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit compiled-script fingerprint installer-heuristic keylogger lokibot microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/691a9801ffc2880c254133ae/reports/00ae4e65-fc0b-4e5f-aabe-d727ce91badc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/165dda92f3a40906d825fa4015280a0fbcea571a62614dbf8058951f2d8ef602

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-17T00:22:00Z UTC

Last seen:

2025-11-18T13:53:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Reline.sb Trojan-PSW.MSIL.Reline.b Trojan.Win32.Inject.sb Trojan-Spy.Stealer.TCP.ServerRequest Trojan-PSW.MSIL.Reline.aadx Trojan.Win32.Zenpak.sb Trojan.MSIL.Crypt.sb Trojan-PSW.Win32.Coins.sb HEUR:Trojan-PSW.MSIL.Reline.gen Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Strab.sb Trojan.Win32.Auzenpak.sb Backdoor.MSIL.Agent.sb Trojan-Spy.Stealer.TCP.C&C

Link:

https://opentip.kaspersky.com/165dda92f3a40906d825fa4015280a0fbcea571a62614dbf8058951f2d8ef602/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b96a5db6-fd09-499c-846a-fdd9170393c8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1815055

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/165dda92f3a40906d825fa4015280a0fbcea571a62614dbf8058951f2d8ef602

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/7cd5bb42973c5fc4af34d55e6f07bd53

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/165dda92f3a40906d825fa4015280a0fbcea571a62614dbf8058951f2d8ef602/

Verdict:

Malicious

Threat:

Family.REDLINE

Link:

https://tip.neiki.dev/file/165dda92f3a40906d825fa4015280a0fbcea571a62614dbf8058951f2d8ef602

Threat name:

Win32.Spyware.Redline

Status:

Malicious

First seen:

2025-11-17 03:35:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=czo5vextuqeqnwbf7jabkkakb66ouvy2mjqu3p4alckr6lmo6yba._file

Verdict:

malicious

Label(s):

asyncrat

autoit

unc_loader_001

Similar samples:

error

RedLineStealer

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:logs discovery infostealer spyware

Link:

https://tria.ge/reports/251117-d5ltcacr6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

RedLine

RedLine payload

Redline family

Malware Config

C2 Extraction:

213.209.157.111:1912

Verdict:

Malicious

Tags:

Win.Dropper.LokiBot-9916750-0 c2 MetaStealer Redline Stealer

YARA:

n/a

Link:

https://app.threat.zone/submission/ee6e90be-75ae-4706-9cb8-ae5ebe63cbde

Unpacked files

SH256 hash:

165dda92f3a40906d825fa4015280a0fbcea571a62614dbf8058951f2d8ef602

MD5 hash:

7cd5bb42973c5fc4af34d55e6f07bd53

SHA1 hash:

8e9525a704e00c25ea346ab2b540f0f04416e331

Link:

https://www.unpac.me/results/d0131e81-d4ce-43e1-bcec-612d1092384d/

SH256 hash:

3f676ad3efde88a3b7d2f979cfc135fde503c73a92b787aab6f77599b374dbd5

MD5 hash:

47daa01f94c7953106ad0eeacc074404

SHA1 hash:

c7a470ebc07cfbad509e27140557339288674d31

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/d0131e81-d4ce-43e1-bcec-612d1092384d/

SH256 hash:

80349a5c03e326666567c28837ecdd4880e5822e66525e8775d1248191fea604

MD5 hash:

df6effd5c1492ddf3eaa1f534dd51166

SHA1 hash:

2a551ebfc477134b8ef942ddf316a78659baf429

Detections:

redline

SUSP_OBF_NET_Reactor_Indicators_Jan24

MALWARE_Win_MetaStealer

Link:

https://www.unpac.me/results/d0131e81-d4ce-43e1-bcec-612d1092384d/

SH256 hash:

f0736679598562e6e560c6a13d3b8f0444ef211d2f87a9222b251a18ea453de2

MD5 hash:

372d68c321e88e36865cc352fcbd64fd

SHA1 hash:

8facf78164878eb173f47dd8aaa5e66ebd30286f

Detections:

redline

SUSP_OBF_NET_Reactor_Indicators_Jan24

RedLine_Campaign_June2021

MALWARE_Win_MetaStealer

Link:

https://www.unpac.me/results/d0131e81-d4ce-43e1-bcec-612d1092384d/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/165dda92f3a4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/165dda92f3a40906d825fa4015280a0fbcea571a62614dbf8058951f2d8ef602

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/38414/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample