MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60e51b2abcd368df31c8cf584c2baa059b1c6f675d07f34ba197c598a21a3d3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 23 File information Comments

SHA256 hash:	60e51b2abcd368df31c8cf584c2baa059b1c6f675d07f34ba197c598a21a3d3a
SHA3-384 hash:	a7d025c8bbd54118c31384e8e378891ff984cbc0ff31ae52be6352b99d4e056bbd072b52f01a1b49ab8966d93cb2ba91
SHA1 hash:	600ec4d6b6795ee356811c0d83a2f61b18501e44
MD5 hash:	a7351f736070a83ca40a1cc445a8f70d
humanhash:	juliet-oranges-july-steak
File name:	a7351f736070a83ca40a1cc445a8f70d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'000'000 bytes
First seen:	2025-05-08 23:35:21 UTC
Last seen:	2025-05-09 14:40:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	223f8057932cb61043b0989210626737 (6 x Amadey, 4 x SVCStealer, 4 x RedLineStealer)
ssdeep	49152:kCwc2Pq/j9viTdvy0hkeYTlpl8bzdAqVVII5MYPVzR7x6bpu2sey:oR2j+t2lp+/xXpObY
TLSH	T11F366B066EAC0CA8F567C27D85464506DAB1BC150360DBCFD290AE6A1F3FED15B3B722
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	f0ccf0f0f0b2d4e8 (2 x RedLineStealer, 2 x SVCStealer, 1 x XTinyLoader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
213.226.113.235:1912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
213.226.113.235:1912	https://threatfox.abuse.ch/ioc/1518505/

Intelligence

File Origin

# of uploads :

# of downloads :

629

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

a7351f736070a83ca40a1cc445a8f70d.exe

Verdict:

Malicious activity

Analysis date:

2025-05-08 23:40:48 UTC

Tags:

auto-reg svcstealer stealer crypto-regex redline metastealer

Link:

https://app.any.run/tasks/eb859815-e622-470d-bcc6-5c8777aa78d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Tinukebot-10037263-0

Win.Trojan.Ulise-10037990-0

Win.Downloader.Marte-10040026-0

Win.Malware.Tinukebot-10040717-0

Win.Malware.Ulise-10040718-0

MiscreantPunch.SingleXOR.EXE.170.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681d407791991ead82b653db

Tags:

infosteal emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Сreating synchronization primitives

Creating a process from a recently created file

Reading critical registry keys

Creating a file

Enabling the 'hidden' option for recently created files

Creating a file in the %AppData% subdirectories

Searching for synchronization primitives

Creating a window

Launching a process

Connecting to a non-recommended domain

Connection attempt

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Enabling a "Do not show hidden files" option

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm clipbanker explorer fingerprint fingerprint hacktool lolbin microsoft_visual_cc msiexec obfuscated overlay overlay packed packed stealer xor-pe

Link:

https://www.filescan.io/uploads/681d3feb0b64e174c41eaa64/reports/01eba35f-0ee3-45f6-8b7d-3c21dcb6f98a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/60e51b2abcd368df31c8cf584c2baa059b1c6f675d07f34ba197c598a21a3d3a

Malware family:

Gapz

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a4b35362-3bf7-4e00-a7e1-ad36f7822f63

Result

Threat name:

MicroClip, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1684989

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Benign windows process drops PE files

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Detected generic credential text file

Found API chain indicative of debugger detection

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Opens the same file many times (likely Sandbox evasion)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses process hollowing technique

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected MicroClip

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60e51b2abcd368df31c8cf584c2baa059b1c6f675d07f34ba197c598a21a3d3a/

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-05-06 06:26:00 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mdsrwkv42nun6moiz5meyk5kawnry33hlud7gs5bs7czriq2hu5a._file

Result

Malware family:

svcstealer

Score:

10/10

Tags:

family:svcstealer discovery downloader persistence pyinstaller spyware stealer

Link:

https://tria.ge/reports/250508-3lmc7sxvfv/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Browser Information Discovery

Detects Pyinstaller

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Detects SvcStealer Payload

SvcStealer, Diamotrix

Svcstealer family

Malware Config

C2 Extraction:

176.113.115.149
185.81.68.156

Verdict:

Malicious

Tags:

Win.Malware.Tinukebot-10037263-0

YARA:

n/a

Link:

https://app.threat.zone/submission/520732ee-02c9-4c6a-aa4e-8710b01115c5

Unpacked files

SH256 hash:

60e51b2abcd368df31c8cf584c2baa059b1c6f675d07f34ba197c598a21a3d3a

MD5 hash:

a7351f736070a83ca40a1cc445a8f70d

SHA1 hash:

600ec4d6b6795ee356811c0d83a2f61b18501e44

Detections:

win_tinynuke_g0

Link:

https://www.unpac.me/results/efb183a0-eabc-4ac5-b18b-fc757020494f/

SH256 hash:

81763f0cba84e2002b64dcc07669fe331d26cd74afc4a09adadb93fc27ad9659

MD5 hash:

b0cfd1a0c61b34bcb6cca3dc81484093

SHA1 hash:

673709268af85be08ec9fb77fd3926ab540745eb

Detections:

win_tinynuke_g0

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

INDICATOR_SUSPICIOUS_References_SecTools

Link:

https://www.unpac.me/results/efb183a0-eabc-4ac5-b18b-fc757020494f/

SH256 hash:

dca3daad10bd0537d0fbae871566c901e7c8cf811355b12f1be4254789d26ad7

MD5 hash:

b0ba4e937bf96218d62e4bd92ee8fea9

SHA1 hash:

c427a81045205484d892ab4c5aee7da4711ab83b

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/efb183a0-eabc-4ac5-b18b-fc757020494f/

SH256 hash:

088458f9e9e48dcf8a839cc7be6270519a761abf39c53ba99d2274c5be80d547

MD5 hash:

ed8d51bb0e96c5a7c45fedcb5e55da2d

SHA1 hash:

1a893200e3b3824ddb5aa6d7cbdc72b14c40de7f

Link:

https://www.unpac.me/results/efb183a0-eabc-4ac5-b18b-fc757020494f/

SH256 hash:

8f2a8fff0f305a65b13bb4fb25577f7185887bb022e6bec7e74935893214a9d7

MD5 hash:

457d94bcf08a6f3ed948ec248c9170e8

SHA1 hash:

5a6cfdd2f0f3a7193603f99468ee222347cecb7c

Detections:

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Link:

https://www.unpac.me/results/efb183a0-eabc-4ac5-b18b-fc757020494f/

SH256 hash:

969940fd3aa44e547ef04be793911c00f1976c7ef7d4f7ccbeab4556e0ac16d7

MD5 hash:

6869d79b526e231856a4a83d179d0c65

SHA1 hash:

cfe24f00c12e4c5b479c2788437f35cd2941b5ef

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/efb183a0-eabc-4ac5-b18b-fc757020494f/

SH256 hash:

1c271317ee5296cd87c8063ee8cc3bd1be02dc52542e651abc34b3fdfb4d9b39

MD5 hash:

225964f82c20a902ad7d3cf7e7188c6c

SHA1 hash:

80059695826fb2930705db004c5c16f99dee7af8

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/efb183a0-eabc-4ac5-b18b-fc757020494f/

Parent samples :

60e51b2abcd368df31c8cf584c2baa059b1c6f675d07f34ba197c598a21a3d3a
ae83f5c0c261dbd56bf00da9da8de6581788b3c26b70615742e5733a8c304bc9

SH256 hash:

cd2a4604206dfd9db0483a362c2fc64bcfeadc6296c91219902fb712d4e23811

MD5 hash:

8a14df3c35af454659bfeec8ccbcf788

SHA1 hash:

ebd3a95ec644ef0377992f1ed216b3b45a0c05cc

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/efb183a0-eabc-4ac5-b18b-fc757020494f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/60e51b2abcd368df31c8cf584c2baa059b1c6f675d07f34ba197c598a21a3d3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	svc_stealer Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	SVC Stealer Payload

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample