MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c
SHA3-384 hash: 99145303932afd6ce7419f6b5ea1ced2057212d996f3c3cb4fec96dfa93230c2f2d773cfb7f342449ed79695b2a845ac
SHA1 hash: 85aab0e72aeca1d40bc017741b2d7f78ebc63af5
MD5 hash: ad3d103d79709f59da2afb8c17cd5d34
humanhash: oklahoma-ten-purple-carolina
File name:170925pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'000'960 bytes
First seen:2025-09-18 06:55:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:srHcGKtPQ/OuWtMSQmPsVpWKBhfeZuf6HDRnHkDw591ClhEAEMP7r9r/+ppppppp:sr8jPQtW+LYUfeOgDp43EAEM1q
Threatray 91 similar samples on MalwareBazaar
TLSH T15F25DF81E689A950DD699BB06932CE7443377DEDA830C51D19EE3DBB3FBB3921012253
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
213.209.157.131:1912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
213.209.157.131:1912 https://threatfox.abuse.ch/ioc/1593820/

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
170925pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-09-18 07:00:06 UTC
Tags:
auto-sch-xml redline
Link:
https://app.any.run/tasks/4bf74596-0985-4a56-9a34-2fa1d6e362ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28090/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cbad0a24320325464764fd
Tags:
joker virus zpack msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap crypt lolbin msbuild obfuscated packed packed reconnaissance redline regsvcs rezer0 roboski schtasks stealer stego vbc vbnet windows
Link:
https://www.filescan.io/uploads/68cbad67dbc6f5a29c4b4b42/reports/f8226e7c-1935-4da4-b87c-b18f2bd224cc/overview
Verdict:
Malicious
Labled as:
Ransom.CryptoJoker.Generic
Link:
https://www.hybrid-analysis.com/sample/415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-18T02:50:00Z UTC
Last seen:
2025-09-18T02:50:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.sb VHO:Trojan.MSIL.Taskun.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Reline.sb Trojan.MSIL.Inject.sb UDS:DangerousObject.Multi.Generic Trojan-Spy.Stealer.TCP.ServerRequest Trojan-Spy.Stealer.TCP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Taskun.gen BSS:Trojan.Win32.Generic VHO:Backdoor.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3a2f5483-2f2e-4b52-8efc-990ca72ca4d3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779804
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1779804 Sample: 170925pdf.exe Startdate: 18/09/2025 Architecture: WINDOWS Score: 100 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 10 other signatures 2->66 7 170925pdf.exe 7 2->7         started        11 SHsSArZo.exe 5 2->11         started        13 svchost.exe 2->13         started        process3 dnsIp4 40 C:\Users\user\AppData\Roaming\SHsSArZo.exe, PE32 7->40 dropped 42 C:\Users\...\SHsSArZo.exe:Zone.Identifier, ASCII 7->42 dropped 44 C:\Users\user\AppData\Local\...\tmp2E60.tmp, XML 7->44 dropped 46 C:\Users\user\AppData\...\170925pdf.exe.log, ASCII 7->46 dropped 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->68 70 Found many strings related to Crypto-Wallets (likely being stolen) 7->70 72 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->72 78 2 other signatures 7->78 16 170925pdf.exe 10 3 7->16         started        20 powershell.exe 23 7->20         started        22 powershell.exe 23 7->22         started        28 2 other processes 7->28 74 Multi AV Scanner detection for dropped file 11->74 76 Injects a PE file into a foreign processes 11->76 24 SHsSArZo.exe 11->24         started        26 schtasks.exe 11->26         started        50 127.0.0.1 unknown unknown 13->50 file5 signatures6 process7 dnsIp8 48 213.209.157.131, 1912, 49683, 49684 M247GB Germany 16->48 52 Found many strings related to Crypto-Wallets (likely being stolen) 16->52 54 Tries to steal Crypto Currency Wallets 16->54 56 Loading BitLocker PowerShell Module 20->56 30 conhost.exe 20->30         started        32 WmiPrvSE.exe 20->32         started        34 conhost.exe 22->34         started        58 Tries to harvest and steal browser information (history, passwords, etc) 24->58 36 conhost.exe 26->36         started        38 conhost.exe 28->38         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.44 Win 32 Exe x86
Link:
https://app.malva.re/file/ad3d103d79709f59da2afb8c17cd5d34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c/
Verdict:
Malicious
Threat:
Family.REDLINE
Link:
https://tip.neiki.dev/file/415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c
Threat name:
ByteCode-MSIL.Trojan.VIPKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-09-18 06:58:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifp5l2vfss3qjbhimsdjpyzyddludy34hfwuviy6ut6345t35e6a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
redlinestealer
Create hunting rule
Similar samples:
4107b7ac2f19c4a6d314b2ffd4410735c23ea65152fd999461d3dc5c4fb95186
RedLineStealer
415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c
RedLineStealer
6aefcac9b610a002e37fa3be97de13fdb2dda4b9d1ccda8434cd8994e46d297f
RedLineStealer
bfa56bac0f412f8f07e937e06963c97d4c8527a34e948b1f4ad4b67a40ecb6cd
RedLineStealer
error
RedLineStealer
+ 81 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sharp_logs discovery execution infostealer persistence spyware stealer
Link:
https://tria.ge/reports/250918-hqrhhassh1/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
213.209.157.131:1912
Verdict:
Malicious
Tags:
MetaStealer c2 Redline Stealer
YARA:
n/a
Link:
https://app.threat.zone/submission/df1e6597-9361-4a9c-9f01-ddfc64dbd593
Unpacked files
SH256 hash:
415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c
MD5 hash:
ad3d103d79709f59da2afb8c17cd5d34
SHA1 hash:
85aab0e72aeca1d40bc017741b2d7f78ebc63af5
Link:
https://www.unpac.me/results/3423811b-a23e-457d-8ebc-d1ea81398a60/
SH256 hash:
b2ac00d97c373c7efe7b9a54ce8b9f8b317ef919f29c45e3cdcfac3545674800
MD5 hash:
3d4e92fe67d6c1780f213fd51c36df1f
SHA1 hash:
8285892de43aa6bf4fd6bb52d05c937095c7b1be
Link:
https://www.unpac.me/results/3423811b-a23e-457d-8ebc-d1ea81398a60/
SH256 hash:
5afac661426af09db76900dab6e1a65e2ff089ea949f01170242f2af06c4a20a
MD5 hash:
85a69c22503b010e4377b0823ecc6ac3
SHA1 hash:
8a8f1acc5e7894d1a993ee05d70e2811c4b8acb0
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/3423811b-a23e-457d-8ebc-d1ea81398a60/
Parent samples :
415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c
6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a
SH256 hash:
955e8da73fc6d0323aca0eb94ce5d66d7edf0aab72105ce14a5ca9e0c74de8ef
MD5 hash:
88a9880033dd8435f09eb2501189f4cb
SHA1 hash:
d0fe4b041a291a5faa1893c4e02376f5f5def77f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3423811b-a23e-457d-8ebc-d1ea81398a60/
Malware family:
RedLine.F
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/415fd5eaa594/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28090/

Comments