MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a
SHA3-384 hash: 6b805a98fc0cdba3cda4ac3d545412fda4831a6be3ba4f9cf271dfd2d1a95126100bdc4f657c7f44c1a1958e82576dcd
SHA1 hash: 1b8d2edf3dd2f6eff76d1434908f2a5b8550ad33
MD5 hash: fe8e48cbf835286fc543b824e10d9fe2
humanhash: magnesium-maryland-one-pip
File name:6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:954'368 bytes
First seen:2025-10-09 14:52:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:XbCcF8bvEWimxnb4l0cSSfRqQ2KjaZrBoaRSjxMMpzlbzQJxwttC:Ns8sE0TNjfoZWMnbzsxw/
Threatray 174 similar samples on MalwareBazaar
TLSH T177159DC3B045344DF8DE86B77995CF3AE2D10D9A1803590182F53F97BFAEA8267C065A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a
Verdict:
Malicious activity
Analysis date:
2025-10-09 21:43:30 UTC
Tags:
stealer redline metastealer auto-sch-xml
Link:
https://app.any.run/tasks/60884828-753f-47ab-962e-c33df58c571c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31729/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e7ce9e8b7b147cc4b62d30
Tags:
redline virus spawn msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68e7e5b45a3bccf09ebf850d/reports/e5ba9d51-96bb-41e0-9695-fd259c4c9393/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-25T04:21:00Z UTC
Last seen:
2025-10-02T09:55:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a/results?tab=lookup
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0421b943-080c-4d3d-81e0-78687b42f8aa
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.51 Win 32 Exe x86
Link:
https://app.malva.re/file/fe8e48cbf835286fc543b824e10d9fe2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a/
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-28 05:21:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mzdwq3ivamszptorz26cy3wlmj5raa7opebrktnj7p727qtwamna._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
redlinestealer
Create hunting rule
unc_loader_078
Create hunting rule
Similar samples:
4107b7ac2f19c4a6d314b2ffd4410735c23ea65152fd999461d3dc5c4fb95186
RedLineStealer
415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c
RedLineStealer
6aefcac9b610a002e37fa3be97de13fdb2dda4b9d1ccda8434cd8994e46d297f
RedLineStealer
bfa56bac0f412f8f07e937e06963c97d4c8527a34e948b1f4ad4b67a40ecb6cd
RedLineStealer
+ 164 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sharp_logs discovery execution infostealer persistence spyware stealer
Link:
https://tria.ge/reports/251009-t4pfvagp8w/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
213.209.157.131:1912
Verdict:
Malicious
Tags:
Redline Stealer c2 MetaStealer
YARA:
n/a
Link:
https://app.threat.zone/submission/a5c4e78a-0526-4f2b-a6c8-3c2beddf84ae
Unpacked files
SH256 hash:
6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a
MD5 hash:
fe8e48cbf835286fc543b824e10d9fe2
SHA1 hash:
1b8d2edf3dd2f6eff76d1434908f2a5b8550ad33
Link:
https://www.unpac.me/results/a287007a-0488-4a62-93c9-9805ed45e878/
SH256 hash:
5afac661426af09db76900dab6e1a65e2ff089ea949f01170242f2af06c4a20a
MD5 hash:
85a69c22503b010e4377b0823ecc6ac3
SHA1 hash:
8a8f1acc5e7894d1a993ee05d70e2811c4b8acb0
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/a287007a-0488-4a62-93c9-9805ed45e878/
Parent samples :
415fd5eaa594b70484e8648697e33818d741e37c396d4aa31ea4fdbe767be93c
6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a
SH256 hash:
3a8235adcf5c014204b3c7f9bc74cdc5628617fbca4edfd0a89e61bd368598d3
MD5 hash:
805ed8b902bad1be7788a1f25a33f7c1
SHA1 hash:
d7c02f99910d58990504e561694d74e90fd872c5
Link:
https://www.unpac.me/results/a287007a-0488-4a62-93c9-9805ed45e878/
SH256 hash:
c3a1704a805d32f02d964d1acc99fbb90c11ededfacb39c3b31f9474de11ffe2
MD5 hash:
e9c9429e55ce6ed43ea316f7aa76a8b2
SHA1 hash:
f18094d263cfd3107e74529bd88b60f1c7b5faf1
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a287007a-0488-4a62-93c9-9805ed45e878/
Malware family:
RedLine.F
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6647686d1503/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6647686d15032597cdd1cebc2c6ecb627b1003ee7903154da9fbffafc276031a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31729/

Comments