MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a7de10fa6d093a19addb6aae5c8616c0ce249ffc4bf08602185dd12f5f408e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 19

Intelligence 19 IOCs YARA 58 File information Comments

SHA256 hash:	5a7de10fa6d093a19addb6aae5c8616c0ce249ffc4bf08602185dd12f5f408e0
SHA3-384 hash:	69a45439f204fb654d535e8b0f908695d7d10079f604514960130c5e15367b682728f2fa8d901f812d75f67bf95ba5fe
SHA1 hash:	798bb6e26a1bf35e4433a0e87d012d6042d1d51a
MD5 hash:	4f6b7a02878bd469545de026c8077902
humanhash:	mississippi-lithium-football-mango
File name:	faster431.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	6'249'064 bytes
First seen:	2025-05-02 07:07:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep	98304:B8ijG+Tlncn94/FejljJdRBQZyYGtx0W1q5+lPAQwhbG8a+bZ3p+aaIKynb4:mijGotFeubcq5+llS+aSR
Threatray	1'758 similar samples on MalwareBazaar
TLSH	T1AB561241FCD794B1E502167209ABD2EF373579191F32DAC3DA00BB6AAD776E01D32226
gimphash	a8bdbaf33dfb458f8a49f598285cae751f0fe24744367187390f15392a8cd51d
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	adm1n_usa32
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

469

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

faster431.exe

Verdict:

Malicious activity

Analysis date:

2025-05-02 07:06:13 UTC

Tags:

evasion golang redline crypto-regex telegram arkei

Link:

https://app.any.run/tasks/9d11d64d-e7c0-48aa-972e-0f996c9a1a80

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/5733/

Detection(s):

Win.Malware.Wingo-9956993-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681470b74355f44aee683e6e

Tags:

redline emotet reline

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Launching a process

Creating a window

Сreating synchronization primitives

Behavior that indicates a threat

Connection attempt to an infection source

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm crypto golang overlay packed packed packer_detected redcap

Link:

https://www.filescan.io/uploads/68146f580b64e174c41463ce/reports/cfe34db1-79b0-45c5-9d89-7bb70a45afb8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5a7de10fa6d093a19addb6aae5c8616c0ce249ffc4bf08602185dd12f5f408e0

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca696281-7f68-45ac-ba9e-f068fa25662b

Result

Threat name:

Clipboard Hijacker, RedLine, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1679677

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Silenttrinity Stager Msbuild Activity

Writes to foreign memory regions

Yara detected Clipboard Hijacker

Yara detected RedLine Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5a7de10fa6d093a19addb6aae5c8616c0ce249ffc4bf08602185dd12f5f408e0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a7de10fa6d093a19addb6aae5c8616c0ce249ffc4bf08602185dd12f5f408e0/

Threat name:

Win32.Adware.RedCap

Status:

Malicious

First seen:

2025-05-01 18:45:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lj66cd5g2cj2dgw5w2volsdbnqgoesp7ys7qqybbqxorf5pubdqa._file

Verdict:

malicious

Label(s):

vidar

redlinestealer

RedLineStealer

0f5884c0c2d53649643b343219d81521fa72ec1cc72ffc8f9707e58e500bb850

RedLineStealer

36c7a20f8a91ba85394b4d6733f9afbc6d40b9406733c6362d08424e5b526c3d

RedLineStealer

3afc41bbbf923e4edefa836845da58765faf2ccc3195ded7549e8a5b283338f0

RedLineStealer

7eca655f69b3b43c4f228dbd149b73247166872ba92691f7fb00f7f35bb89e41

RedLineStealer

8558a49ee89ad82ffac46831a5b2261438fd9b1713e50c94782d75e755b7a1f2

RedLineStealer

a425c390a5d6f10ed5ed3a0db80d88fc89353b54a9ff0a0b58166fe2b901521e

RedLineStealer

error

RedLineStealer

fc43e409ca887fe8f98079100e54a442b7ab01a2743d7e195ba2c8358a1152df

RedLineStealer

+ 1'748 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:donutloader family:redline family:vidar botnet:1 botnet:f2a0fa19d8959a4621bac92c4a6959ed discovery infostealer loader stealer

Link:

https://tria.ge/reports/250502-hx9bws1qw3/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Detects DonutLoader

DonutLoader

Donutloader family

RedLine

RedLine payload

Redline family

Vidar

Vidar family

Malware Config

C2 Extraction:

176.113.115.220:80
https://t.me/nemesisgrow
https://steamcommunity.com/profiles/76561199471222742
http://65.109.12.165:80

Verdict:

Malicious

Tags:

Win.Malware.Wingo-9956993-0 ip_address_lookup_website

YARA:

n/a

Link:

https://app.threat.zone/submission/80e06b14-012b-4c40-9df2-36ef376ecf97

Unpacked files

SH256 hash:

5a7de10fa6d093a19addb6aae5c8616c0ce249ffc4bf08602185dd12f5f408e0

MD5 hash:

4f6b7a02878bd469545de026c8077902

SHA1 hash:

798bb6e26a1bf35e4433a0e87d012d6042d1d51a

Link:

https://www.unpac.me/results/830e3880-6bb9-4795-b4e4-e8b40530ff3e/

SH256 hash:

aaa7692e4c2bb0cd819f730b111f02d8138e363ab60309cc5edb1ac63035e8aa

MD5 hash:

06b196587722b319f6f3d5706b9c2bee

SHA1 hash:

33d326d7ebaa1e012a2a7eab397cb2d5777d0560

Detections:

INDICATOR_SUSPICOUS_EXE_UNC_Regex

INDICATOR_SUSPICIOUS_EXE_Crypto_Wallet_Regex

Link:

https://www.unpac.me/results/830e3880-6bb9-4795-b4e4-e8b40530ff3e/

SH256 hash:

17c6303e2bb6e28075abe4e69bbd0286d9dad636e2649007a92fd08a9d40c720

MD5 hash:

86a511cb3f8688d71fe61fcf2cb0f208

SHA1 hash:

8cd58c749aef06a3420b1c887e5b428f8c430f66

Detections:

VidarStealer

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Link:

https://www.unpac.me/results/830e3880-6bb9-4795-b4e4-e8b40530ff3e/

SH256 hash:

6a324f8b809cba90a6830f7ee00038c9ac7b2d6d7c471adccb92a66cb12a42f4

MD5 hash:

bd26604ca6a13ba3c13c69dad8f23c5e

SHA1 hash:

ec96c41b832c6b9a7bee5f620a82a19d138d64bf

Detections:

redline

MALWARE_Win_MetaStealer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/830e3880-6bb9-4795-b4e4-e8b40530ff3e/

Parent samples :

35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c
b43b91f6495c2d4c9c48f707f17cf7d09e3dc46b9ca0759372945bd40d77a6b7
5a7de10fa6d093a19addb6aae5c8616c0ce249ffc4bf08602185dd12f5f408e0

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5a7de10fa6d0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a7de10fa6d093a19addb6aae5c8616c0ce249ffc4bf08602185dd12f5f408e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	GenericRedLineLike Create hunting rule
Author:	Still
Description:	Matches RedLine-like stealer; may match its variants.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_KB_CERT_0139dde119bb320dfb9f5defe3f71245 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates
Reference:	https://bazaar.abuse.ch/faq/#cscb

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Crypto_Wallet_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing cryptocurrency wallet regular expressions

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICOUS_EXE_UNC_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables with considerable number of regexes often observed in infostealers

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_MetaStealer Create hunting rule
Author:	ditekSHen
Description:	Detects MetaStealer infostealer

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	RedLine_Stealer_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Detecting unpacked Redline

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	Win32_Trojan_RedLineStealer Create hunting rule
Author:	Netskope Threat Labs
Description:	Identifies RedLine Stealer samples
Reference:	deb95cae4ba26dfba536402318154405

Rule name:	Windows_Trojan_Donutloader_f40e3759 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Generic_40899c85 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_4df4bcb6 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_6dfafd7b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_f07b3cb4 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Vidar_32fea8da Create hunting rule
Author:	Elastic Security

Rule name:	win_redline_stealer_generic Create hunting rule
Author:	dubfib

Rule name:	win_vidar Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

Rule name:	win_vidar_strings_jun_2023 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/5733/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryW kernel32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	kernel32.dll::WriteConsoleW kernel32.dll::SetConsoleCtrlHandler kernel32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::GetSystemDirectoryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample