MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363
SHA3-384 hash: bbdb90a8bf711f30d5b4039fe07ba9e68bcab753a21b924de252668f1fd4c8e9b6c0b8f225df997469d1ca3213d2f50d
SHA1 hash: 64dddabd1a034901a26bd8a81afcaeb7275c5d00
MD5 hash: 5331ec9f70bd4c33ef9422369f214fd3
humanhash: robin-cola-summer-orange
File name:9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:54'784 bytes
First seen:2025-07-31 11:51:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d8ea4d252f163450899a3a04f54b4e73 (2 x RedLineStealer)
ssdeep 768:AWJ4NNYJyChfIYXyaSw4N1pwbY/YEVNMZoNKDW2I9a0eOEGcsM0I:AWJ4NNVCh1Sw21daXI4xJLsM0I
Threatray 138 similar samples on MalwareBazaar
TLSH T1A2335B063AD1C132E86603301A79C6A356BF7C729B74C7ABBBD4068D5D716D06E393A3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter JAMESWT_WT
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363
Verdict:
Malicious activity
Analysis date:
2025-07-31 12:21:34 UTC
Tags:
stealer metastealer redline loader python
Link:
https://app.any.run/tasks/e144c5fc-f90d-4f01-ba3a-05d3fd17c5a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18035/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688b59070b4775fb2133f0bf
Tags:
extens trojan virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Creating a window
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
Dropper.Generic.Malware.
Link:
https://www.hybrid-analysis.com/sample/9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0e4101fc-71fd-456e-ab65-c91fca2ad8e6
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/5331ec9f70bd4c33ef9422369f214fd3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-07-26 17:52:34 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tidgjdzdjenlytqrl4iuz7ckyohfgjmsy76v7wngdxycnwbaknrq._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
Similar samples:
1967625692921a306f4d8565b67e1edf9c1da2988d67a76c93659f5a91d546f5
RedLineStealer
3bcd650cfa8589518bd0ad2ab93a04589190275de3843f8f90bcead289b0924d
RedLineStealer
7dcd76789f0855c1cbc885ddbe02671d4a5045de157be764a59aec4eff4da420
RedLineStealer
7e348ac70407e6051594dfc5cd130adb5cc8fa9a2ae9ad81877f0747bf7c2b03
RedLineStealer
8463e7562950ad08408ab5c2a84bca81c3088187c3fb448c8aeb5b0d36a89a09
RedLineStealer
87490ef7978df4e4353a14a3ae08662886f611266418dc2e74d560f351d17d1a
RedLineStealer
994d115922a3ce8324114199fb7d06d7c8276779f83523b66b8c05505b81376e
RedLineStealer
cdf5aa128d39be84e18b486d7bfa7bc11fc10fe5ee07879af92195ce31de945a
RedLineStealer
e82fc61f7f9d57734370142015cd49bd4fa9d4cb50e475f78e44645c064a1ba0
RedLineStealer
+ 128 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:jajaja discovery execution infostealer persistence pyinstaller spyware stealer
Link:
https://tria.ge/reports/250731-n1w4mahm4v/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Drops autorun.inf file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
RedLine payload
Redline family
Malware Config
C2 Extraction:
176.46.152.46:1911
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9b1f44c0-49e0-4e8d-92cb-4e71a5ee4925
Unpacked files
SH256 hash:
9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363
MD5 hash:
5331ec9f70bd4c33ef9422369f214fd3
SHA1 hash:
64dddabd1a034901a26bd8a81afcaeb7275c5d00
Link:
https://www.unpac.me/results/e7dc3cfb-ddb7-4635-bbe2-51789aaa6848/
Malware family:
RedLine.F
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9a06648f2349/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

RedLineStealer

Executable exe 9a06648f23491abc4e115f114cfc4ac38e532592c7fd5fd9a61df026d8205363

(this sample)

Executable exe cdf5aa128d39be84e18b486d7bfa7bc11fc10fe5ee07879af92195ce31de945a

Cape
Cape
https://www.capesandbox.com/analysis/18035/
  
Dropping
SHA256 cdf5aa128d39be84e18b486d7bfa7bc11fc10fe5ee07879af92195ce31de945a
  
Dropping
MD5 4c22f98575b14dbe2264882dece8b4ba

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
NET_SHARE_APICan access Network ShareNETAPI32.dll::NetShareEnum
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
WININET.dll::InternetCloseHandle
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegSetValueExW

Comments