MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 19


Intelligence 19 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d
SHA3-384 hash: 55495e68c9143aaf1ef55d992265ac809439f63abd8847274bb457218df1311d5c1476318894e5314e25e5d76265189e
SHA1 hash: 15ca16c266031c2c03a050d53841410dc5476e44
MD5 hash: 4ab096eb513eed62b9206fb8ab273aba
humanhash: bacon-cola-music-bravo
File name:SPECIFICATIONS SAMPLE & QUANTITY.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:573'440 bytes
First seen:2025-06-03 04:47:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:rG2T04L5eQZzk/7lzvxsw4a84z6USDFHwiP3GgUUkawWa5vpJeB70HXBRAlrFcAF:+NzlLqwNpLSJHFE/B5rTNARRBRq+ZKD
Threatray 547 similar samples on MalwareBazaar
TLSH T132C4028A3355C103E07B0B7856A1D2B557BBDDDE9852C71B6FC83E8F392734866B0298
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 48d4f4f0f0f0d8c0 (37 x RedLineStealer, 18 x AgentTesla, 9 x SnakeKeylogger)
Reporter GDHJDSYDH1
Tags:exe infostealer Redline RedLineStealer SectopRAT stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
602
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SPECIFICATIONSSAMPLEQUANTITY.exe
Verdict:
Malicious activity
Analysis date:
2025-06-03 04:40:41 UTC
Tags:
netreactor redline stealer
Link:
https://app.any.run/tasks/026e830c-7f3a-4cb5-a278-4a0ad2d642fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6930/
Detection(s):
Win.Packed.Boxter-10005643-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683e7cc88bd5d68a12e42f7a
Tags:
infosteal redline
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Connecting to a non-recommended domain
Sending an HTTP POST request
Creating a file in the %temp% directory
Reading critical registry keys
Using the Windows Management Instrumentation requests
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/683e7e8bfd02ed5e0594d9c9/reports/506c4023-0e14-47a9-a15e-e6aad5b01372/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68c11681-2691-4209-a0a8-62a727ec82f4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1704480
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d/
Threat name:
ByteCode-MSIL.Trojan.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2025-06-03 04:40:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
30 of 36 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tco3izlccjwnqo3bjdnbapfrpv3q5ukmlie3rgn5ejphp7y3avgq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
redlinestealer
Create hunting rule
Similar samples:
08f5c3a955867e25c57530a0a18e6b32d32da0426bc8693c6776e1f6bdab36e2
RedLineStealer
4b79c2fd75e2418fae364e07ceb081553cddd145b3c728c3384d1e63496fd75e
RedLineStealer
5c7dfeaaab049b0c4a2b6fe06c7d6d8d54202ab9b5ba637b73faa01bccb5debc
RedLineStealer
989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d
RedLineStealer
eabae532c6ddac29c4f04aa2f90bdebc49d72f961a658e5c9459e3fcf58a8045
RedLineStealer
error
RedLineStealer
+ 537 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:cheat discovery infostealer rat trojan
Link:
https://tria.ge/reports/250603-fe63pszrx3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Malware Config
C2 Extraction:
45.137.22.242:55615
Verdict:
Malicious
Tags:
Win.Packed.Boxter-10005643-0 redline
YARA:
n/a
Link:
https://app.threat.zone/submission/80f180dc-7816-42a1-af1d-43c9776a9a99
Unpacked files
SH256 hash:
149d45251aa95a6bb2418cc147bbd63a9b9931a25c749e4f2c03cf9d00aeb529
MD5 hash:
640e5290152ce7621bf54ff66971602e
SHA1 hash:
0e23134d74d2cb1c1ae0b962905e13321d3a6b4e
Detections:
RedLine_a
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/073a8d4a-b7e1-4631-9e1e-cfd3e798468d/
Parent samples :
7a71c60c503064ec746f66922bdab12fe8738dfd82fcb3447650e45aba762bb1
989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d
SH256 hash:
8677ea44c2789a86263549fa21e442db7f05ca9cc27f27ca1b8e23debd9bf01b
MD5 hash:
c7196202fcf528070d90be48bddccd58
SHA1 hash:
1b7c4f22ce9ef7b3e95c372f383a8c17743e2e1b
Link:
https://www.unpac.me/results/073a8d4a-b7e1-4631-9e1e-cfd3e798468d/
SH256 hash:
b3126fa7b9ce1827583b815b79c3746153bac28391ec31c470ab6e19793cc242
MD5 hash:
44d40e942c020a4e4e66bcfd0addb148
SHA1 hash:
f158a1c13e11f8a06bd74cbde3af5d4fc8806b24
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/073a8d4a-b7e1-4631-9e1e-cfd3e798468d/
SH256 hash:
989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d
MD5 hash:
4ab096eb513eed62b9206fb8ab273aba
SHA1 hash:
15ca16c266031c2c03a050d53841410dc5476e44
Link:
https://www.unpac.me/results/073a8d4a-b7e1-4631-9e1e-cfd3e798468d/
Malware family:
SectopRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/989db4656212/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Mal_InfoStealer_Win32_RedLine_Unobfuscated_2021
Create hunting rule
Author:BlackBerry Threat Research Team
Description:Detects Unobfuscated RedLine Infostealer Executables (.NET)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_Generic_40899c85
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_15ee6903
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_4df4bcb6
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_f07b3cb4
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_f54632eb
Create hunting rule
Author:Elastic Security
Rule name:win_redline_stealer_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 989db46562126cd83b6148da103cb17d770ed14c5a09b899bd225e77ff1b054d

(this sample)

  
Link
https://tria.ge/250603-fawfeax1hv
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/6930/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments