MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aa3ee229a01291246afb56e5c79d2c8de523bcd76e603c1bef084bb2acb3d24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18

SHA256 hash: 1aa3ee229a01291246afb56e5c79d2c8de523bcd76e603c1bef084bb2acb3d24
SHA3-384 hash: 609c81f34a9a68b80aea3b828d73894e135e847bcdcace5e7e72daa1817908b216e041f955cedefc6f97ef51c19e7a75
SHA1 hash: cb6ffcbb6cb9d44e76ec620f8a92d7ef9aac4361
MD5 hash: 47d0dc2b70e5b1aa76b78365c0bab5e5
humanhash: stream-august-cola-michigan
File name: 47D0DC2B70E5B1AA76B78365C0BAB5E5.exe
Download: download sample
Signature: RedLineStealer
File size: 4'312'576 bytes
First seen: 2025-05-16 16:25:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 49152:s59U7ZK+3Jcw4uOoYCMvHsy5WwlrdPsOxSSNFy/H+Y0Xyo/3Fs1ye0n7kDtteD0V:O92cwiCMUyJLsfSNFLHGHSD0sq
TLSH: T1081633CBE3ED8583FA30D3F04BBA63532E727C60A9350A9F2679291D08E06756721753
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
154.91.34.165:64951

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
154.91.34.165:64951 | https://threatfox.abuse.ch/ioc/1523829/

Intelligence


File Origin
# of uploads: 1
# of downloads: 621
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 47D0DC2B70E5B1AA76B78365C0BAB5E5.exe
Verdict: Malicious activity
Analysis date: 2025-05-16 17:10:12 UTC
Tags: lumma stealer amadey botnet loader rdp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autoit quasar emotet
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Searching for the window
Running batch commands
Searching for analyzing tools
Launching a process
Launching a service
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-vm CAB crypt explorer fingerprint installer installer lolbin microsoft_visual_cc packed packed packer_detected redcap rundll32 runonce sfx xpack
Result
Threat name: Amadey, LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph: ID 1692204, sample n8o30zpcop.exe, start date 16/05/2025, architecture WINDOWS, score 100 (rendered process/network graph not reproduced here)
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-05-11 13:45:56 UTC
File Type: PE (Exe)
Extracted files: 143
AV detection: 27 of 37 (72.97%)
Threat level: 5/5
Verdict: malicious
Label(s): coffeeloader quasarrat redlinestealer admintool_nsudo amadey lummastealer
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma family:quasar family:redline family:rhadamanthys family:sectoprat family:vidar botnet:54911ccfd8045c892eac97c18f773c50 botnet:8d33eb botnet:cheat botnet:office04 credential_access defense_evasion discovery execution exploit infostealer persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Possible privilege escalation attempt
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Detects Rhadamanthys payload
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Quasar RAT
Quasar family
Quasar payload
RedLine
RedLine payload
Redline family
Rhadamanthys
Rhadamanthys family
SectopRAT
SectopRAT payload
Sectoprat family
Vidar
Vidar family
Malware Config
C2 Extraction: (list of 18 extracted C2 URLs and IP:port pairs omitted)
Dropper Extraction: http://185.156.72.2/testmine/random.exe
Verdict: Malicious
Tags: stealer redline
YARA: win_redline_wextract_hunting_oct_2023
Unpacked files
(per-file SHA256/MD5/SHA1 hash list omitted)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments